Huawei Technologies du Mobile Broadband 16.0 Local Privilege Escalation

Title: Huawei Technologies du Mobile Broadband 16.0 Local Privilege Escalation
Advisory ID: ZSL-2013-5164
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 19.12.2013
Summary
du Mobile Broadband is a shareware application for du EITC UAE users to support mobile broadband (3G) activation for du service provider with systems containing one of the supported devices. It lets you access du wireless internet wherever you are and whenever you need it, all powered through your mobile data SIM or simply by connecting your 3G USB stick to your device.
Description
The application is vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (full) for the 'Everyone' and 'Users' group, for the 'du Mobile Broadband.exe' binary file. The files are installed in the 'du Mobile Broadband' directory which has the Everyone group assigned to it with full permissions making every single file inside vulnerable to change by any user on the affected machine. After you replace the binary with your rootkit, on reboot you get SYSTEM privileges.
Vendor
Huawei Technologies Co., Ltd. - http://www.huawei.com
Affected Version
16.002.03.16.124
Tested On
Microsoft Windows 7 Ultimate SP1 (EN) 64bit
Vendor Status
N/A
PoC
dumb_pe.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://cxsecurity.com/issue/WLB-2013120140
[2] http://packetstormsecurity.com/files/124557
[3] http://xforce.iss.net/xforce/xfdb/89907
[4] http://www.exploit-db.com/exploits/30477/
[5] http://www.securityfocus.com/bid/64523
[6] http://www.vfocus.net/art/20131225/11294.html
[7] http://osvdb.org/show/osvdb/90090
Changelog
[19.12.2013] - Initial release
[25.12.2013] - Added reference [1], [2], [3] and [4]
[26.12.2013] - Added reference [5] and [6]
[05.01.2014] - Added reference [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk