Home Internet Security Huawei USB LTE dongles are vulnerable to privilege escalation attacks

Huawei USB LTE dongles are vulnerable to privilege escalation attacks



This week, a Trustwave safety researcher disclosed a privilege escalation flaw in Huawei’s USB LTE dongles.

A USB dongle is a chunk of {hardware} that may be plugged into laptop computer and desktop computer systems, very like a thumb drive, to entry the web.

However, whereas shortly analyzing Huawei’s LTE system drivers, Trustwave researcher found a case of improper permissions.

Huawei LTE driver autoruns with most permissions

Martin Rakhmanov, Safety Analysis Supervisor at Trustwave has disclosed his findings on a privilege escalation flaw in Huawei’s USB LTE dongle mannequin E3372.

Whereas shopping via the motive force information put in by the dongle on his Mac OSX machine, the researcher got here throughout the next file which might auto-run each time the USB dongle was plugged in:


On plugging within the USB system, this file would open up an online browser with Huawei’s system administration interface.

On a more in-depth look, nevertheless, Rakhmanov seen this “mbbserviceopen” file ran with full permissions (777):

huawei vulnerability
The mbbserviceopen file had full learn/write/execute permissions for all customers (Trustwave)

And that is problematic.

“All a malicious person must do is to exchange the file with its personal code and await a official person to start out utilizing the mobile information service through Huawei system,” says Rakhmanov.

Privilege escalation assaults depend on a person with restricted entry to a system having the ability to receive the next stage of entry, in a bootleg method—akin to via a vulnerability exploit, or improper permissions on shared information.

As a result of this explicit vulnerability depends on tampering with the Huawei driver software program put in on a pc, native or bodily entry to the pc is required, making this a case of native privilege escalation. 

BleepingComputer reached out to Trustwave to get some insights on the vulnerability:

“The essence of this vulnerability is that one person, even an unprivileged one, can run code as one other person on a multiuser system when the dongle is inserted,” Rakhmanov informed BleepingComputer in an e-mail interview.

Rakhmanov additional defined that if a laptop computer utilizing Huawei’s USB system is being utilized by completely different staff—for instance, one on the day shift, and one other on the evening shift, the evening shift worker can successfully substitute the official mbbserviceopen file simply with malware, akin to a password stealer.

“With this vulnerability, the evening shift supervisor can write a easy script that may first run a password stealer after which run the unique Huawei executable that was used initially.”

“Then every time the supervisor plugs within the dongle, the password stealer will begin, after which web connectivity will probably be established.”

“For the reason that password stealer is invisible, the supervisor will imagine they’re having the identical person expertise – similar to some other day – whereas in observe, the password stealer will probably be used to steal passwords,” Rakhmanov additional defined to BleepingComputer.

In different circumstances, the researcher states malware can exploit this vulnerability to cross person boundaries.

Trustwave has issued a security advisory and a blog post detailing the vulnerability.

Huawei points remediation directions

BleepingComputer additionally noticed the motive force accessible from Huawei’s web site, didn’t have this flaw as of right now:

huawei vulnerability fixed
“Hilink” drivers obtained from Huawei’s web site setup the “mbbserviceopen” file with applicable permissions
Supply: BleepingComputer

Huawei confirmed to BleepingComputer that they’d accepted this as a vulnerability and issued an advisory with the remediation directions.

Huawei has suggested customers of its USB LTE dongle (E3372) to acquire the “Hello Hyperlink” driver information from their website to resolve this vulnerability.

“Buyer safety is Huawei’s prime precedence and like all accountable companies if vulnerabilities are found we encourage folks to report them to our Product Safety Incident Response Staff – PSIRT@huawei.com,” a Huawei spokesperson informed BleepingComputer.

Source link