2020-05-04 09:45 | Simon van Beest & Mads Joensen

CVE-2020-8948: Local privilege escalation in Sierra Wireless EM7455

Whenever we take on a new client here at Danish Cyber Defence, we are always interested in reviewing what kind of third-party providers (for both software and hardware) they have on their laptops. We trust these providers with our computer's security, which is why they are often subject to our attention in engagements. Not too long ago, we came across the Sierra Wireless EM7455 network module. In our investigation we discovered a local privilege escalation which we report in this post.

Issue

After installing the Sierra Wireless EM7455 software with the executable nz1wn12w.exe, the folder C:\ProgramData\Sierra Wireless\ is created for logging purposes. When a folder is created on Windows it inherits the permissions of its parent directory, which in this case is C:\ProgramData\. The ProgramData folder in Windows 10 carries permissions for the Users group, including an entry that gives an unprivileged user the ability to create files (but not overwrite or edit existing ones) within the directory. In the screenshot below we see that this is the case specifically for the two directories C:\ProgramData\Sierra Wireless\Logs\GobiApi Archived Logs\ and C:\ProgramData\Sierra Wireless\Logs\:

[Screenshot: ProgramData permission inheritance]

In themselves these permissions are not a security issue, but they should be cause for concern: one small mistake in the way the software uses these folders could allow an attacker to compromise the system. Looking for such mistakes, we inspected the behaviour of SwiService.exe in Sysmon. This is a process spawned by the Sierra Wireless EM7455 software, and it runs as NT AUTHORITY\SYSTEM, the highest privileged account on a Windows 10 computer. Creating and inspecting the boot log from Sysmon revealed that this process reads and manipulates files in the directories discussed previously. This piqued our interest, and we started looking into the purpose behind these actions. It turns out that SwiService.exe copies the log files from C:\ProgramData\Sierra Wireless\Logs\ into C:\ProgramData\Sierra Wireless\Logs\GobiApi Archived Logs\ on every reboot, that is, between two directories in which an unprivileged user has write permissions. It copies files prefixed with GobiApi-SwiService and carrying the .tbd extension. This means that an unprivileged user can create a file following this naming convention in the Logs directory, with arbitrary content, and SwiService.exe will copy it to the GobiApi Archived Logs directory using SYSTEM privileges. This is exactly what is seen in the three Sysmon events below, with GobiApi-SwiService malicious.tbd as the file being copied.

[Screenshot: SwiService WriteFile as SYSTEM]

Now we have managed to write a file with arbitrary content, but to a specific (and not particularly harmful) target location. Extending this to an arbitrary target location can be done using hardlinks. To do this, we create a hardlink at the destination path of the file copy, pointing to any location on the computer. The file copy performed by SwiService.exe with SYSTEM privileges will now copy a file from the Logs directory into the GobiApi Archived Logs directory, find that there is a hardlink at the target location, follow it, and overwrite the file wherever this link points. In conclusion, we can now create an arbitrary file with arbitrary content and overwrite any location using SYSTEM privileges. It is trivial to escalate privileges using this arbitrary overwrite.
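A defensive check for the two conditions described above, added here by the editor and not part of the original post or of any Sierra Wireless tooling: a PowerShell script that audits the two log directories named in the post for ACEs granting low-privileged identities file-creation rights, and flags any file in the archive directory that has more than one NTFS hard link (a legitimate archived log has exactly one name). It assumes Windows PowerShell 5.1 or later with fsutil.exe available, and that the directory paths are exactly the ones quoted above; the identity list and the function names are the editor's choices.

```powershell
# Added audit script (editor's example, not from the original post).
# Assumptions: Windows PowerShell 5.1+, fsutil.exe on PATH, and the directory
# paths quoted in the write-up (they may differ between driver versions).

$LogDirs = @(
    'C:\ProgramData\Sierra Wireless\Logs',
    'C:\ProgramData\Sierra Wireless\Logs\GobiApi Archived Logs'
)

# Identities that an unprivileged local user is a member of.
$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# CreateFiles (alias WriteData) is the right that lets a user plant a new file
# in a directory, which is all the post's technique needs.
$CreateRight = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles

function Get-LowPrivWriteAce {
    # Returns one object per Allow ACE that gives a low-privilege identity
    # file-creation rights on $Path (directly or through inheritance).
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $isLowPriv = $LowPrivIdentities -contains $ace.IdentityReference.Value
        $canCreate = (([int]$ace.FileSystemRights) -band $CreateRight) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isLowPriv -and $canCreate) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-HardLinkedArchiveFile {
    # Returns every file in $ArchiveDir whose NTFS record has more than one
    # name, i.e. a hard link that also exists somewhere else on the volume.
    param([string]$ArchiveDir)
    if (-not (Test-Path -LiteralPath $ArchiveDir)) { return }
    foreach ($file in Get-ChildItem -LiteralPath $ArchiveDir -File) {
        # fsutil prints one volume-relative path per link of the file.
        $links = @(& fsutil.exe hardlink list $file.FullName 2>$null | Where-Object { $_ })
        if ($LASTEXITCODE -eq 0 -and $links.Count -gt 1) {
            [pscustomobject]@{
                File      = $file.FullName
                LinkCount = $links.Count
                Links     = ($links -join '; ')
            }
        }
    }
}

# Condition 1: can an unprivileged user drop files into the log directories?
$aces = @($LogDirs | ForEach-Object { Get-LowPrivWriteAce -Path $_ })
if ($aces.Count -gt 0) {
    'Low-privilege file-creation rights found on log directories:'
    $aces | Format-Table -AutoSize
} else {
    'No low-privilege file-creation ACEs on the log directories.'
}

# Condition 2: has anything in the archive directory been redirected via a hard link?
$linked = @(Get-HardLinkedArchiveFile -ArchiveDir $LogDirs[1])
if ($linked.Count -gt 0) {
    'Archived log files with more than one hard link (possible redirect target):'
    $linked | Format-List
} else {
    'No multi-link files in the archive directory.'
}
```

Run it from an elevated prompt so that Get-Acl and fsutil can read every entry. A non-empty result from the first check reproduces the permission inheritance shown in the screenshot; a non-empty result from the second is the state an unpatched system is left in right before the reboot step, and is worth alerting on since no legitimate log file should share its data with a second path.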

Steps to reproduce

The following steps utilize the security issue above to overwrite dpnsvr.exe with the contents of GobiApi-SwiService malicious.tbd.

  1. Download the symbolic link testing tools by James Forshaw.
  2. Create a file with malicious content with the following command:
    echo malicious_code > "C:\ProgramData\Sierra Wireless\Logs\GobiApi-SwiService malicious.tbd"
  3. Create hardlink to target file:
    CreateHardlink.exe "C:\ProgramData\Sierra Wireless\Logs\GobiApi Archived Logs\GobiApi-SwiService malicious.tbd" "C:\Windows\SysWOW64\dpnsvr.exe"
  4. Reboot the computer.
  5. Verify that target file "C:\Windows\SysWOW64\dpnsvr.exe" was overwritten with the contents of "C:\ProgramData\Sierra Wireless\Logs\GobiApi Archived Logs\GobiApi-SwiService malicious.tbd".

Responsible Disclosure

In our best effort to follow the practice of responsible disclosure, we reported this issue privately to Sierra Wireless. Additionally, we reported the issue to Lenovo, as we found it on a Lenovo computer and as they are one of the major distributors of the driver. However, this vulnerability would apply to any PC that uses this Sierra Wireless driver. Both parties cooperated in a timely and professional manner, resulting in a fix for the issue along with advisories from Sierra Wireless and Lenovo:

Sierra Wireless advisory
Lenovo advisory

Below is a timeline of the disclosure process:

21.01.2020 - Initial contact to Lenovo PSIRT reporting the vulnerability
21.01.2020 - Lenovo PSIRT responds and their development team continues to review the issue
30.01.2020 - Lenovo PSIRT refers to Sierra Wireless security team
31.01.2020 - Sierra Wireless confirms vulnerability and begins remediation planning
12.02.2020 - Sierra Wireless reaches out to discuss remediation plan
12.02.2020 - We respond with notes on the remediation plan
12.02.2020 - Sierra Wireless reserves CVE
24.02.2020 - Sierra Wireless begins work with PC-OEM partners privately
23.03.2020 - PC-OEM partners inform Sierra Wireless they are prepared for disclosure
24.03.2020 - Sierra Wireless proposes coordinated publication plan
14.04.2020 - All three parties publish
