Whenever we take on a new client here at Danish Cyber Defence, we are always interested in reviewing what kind of third-party providers (for both software and hardware) they have on their laptops. We trust these providers with our computer's security, which is why they are often subject to our attention in engagements. Not too long ago, we came across the Sierra Wireless EM7455 network module. In our investigation we discovered a local privilege escalation which we report in this post.
After installing the Sierra Wireless EM7455 software with the executable nz1wn12w.exe, the folder C:\ProgramData\Sierra Wireless\ is created for logging purposes. When a folder is created on Windows it inherits the permissions of its parent directory, which in this case is C:\ProgramData\.
The ProgramData folder in Windows 10 carries an access control entry for the Users group that gives unprivileged users the ability to create files within this directory (but not to overwrite or edit existing ones).
In the screenshot below we see that this is the case specifically for the two directories C:\ProgramData\Sierra Wireless\Logs\GobiApi Archived Logs\ and C:\ProgramData\Sierra Wireless\Logs\.
In themselves these permissions are not a security issue, but they should be cause for concern: one small mistake in the way the software uses these folders could allow an attacker to compromise the system.
Looking for such mistakes, we inspected the behaviour of SwiService.exe with Sysmon. This is a process spawned by the Sierra Wireless EM7455 software, and it runs as NT AUTHORITY\SYSTEM, the highest privileged account on a Windows 10 computer. Creating and inspecting the boot log from Sysmon revealed that this process reads and manipulates files in the directories discussed previously.
This piqued our interest, and we started looking into the purpose behind these actions. It turns out that SwiService.exe copies the log files from C:\ProgramData\Sierra Wireless\Logs\ into C:\ProgramData\Sierra Wireless\Logs\GobiApi Archived Logs\ on every reboot: two directories in which an unprivileged user has write permissions. It copies files prefixed with GobiApi-SwiService and carrying the .tbd extension. This means that an unprivileged user can create a file following this naming convention in the Logs directory, with arbitrary content, and SwiService.exe will copy it to the GobiApi Archived Logs directory using SYSTEM privileges. This is exactly what is seen in the three Sysmon events below, with GobiApi-SwiService malicious.tbd as the file being copied.
Now we have managed to write a file with arbitrary content, but to a specific (and not particularly harmful) target location. Extending this to an arbitrary target location can be done using hardlinks. To do this, we create a hardlink at the destination path of the file copy, pointing to any file on the computer. The copy performed by SwiService.exe with SYSTEM privileges will now take a file from the Logs directory, attempt to write it into the GobiApi Archived Logs directory, and find a hardlink at the target location. It follows this hardlink and overwrites the file wherever the link points. In conclusion, we can now create a file with arbitrary content and overwrite any location with it using SYSTEM privileges. It is trivial to escalate privileges using this arbitrary overwrite.
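As an added example (not Sierra Wireless code, and not a description of how SwiService.exe is implemented), the following Python models the archiving step with the file-name pattern discussed above: a naive copy that writes straight through a planted hardlink, beside a version that refuses a symlinked or hardlinked destination and replaces the directory entry with a rename instead of opening the existing path for writing. The scratch tree, victim.exe and the file contents are constructed sample data; Python is used so the model runs on any platform, but the same checks apply to a native Windows service.

```python
import os
import shutil
import tempfile
from pathlib import Path

LOG_PREFIX, LOG_SUFFIX = "GobiApi-SwiService", ".tbd"  # pattern the archiver acts on


def unsafe_archive(src: Path, dst: Path) -> None:
    """Naive archiver: opens dst for writing, so a hardlink planted at dst
    redirects the write into whatever file that link names."""
    shutil.copyfile(src, dst)


def safe_archive(src: Path, dst: Path) -> bool:
    """Archive src as dst without writing through an existing dst entry: refuse
    a symlinked or hardlinked dst, else write a fresh exclusive temp file and
    rename it over dst so only the directory entry is replaced, never link content."""
    if not (src.name.startswith(LOG_PREFIX) and src.suffix == LOG_SUFFIX):
        return False
    if dst.is_symlink() or (dst.exists() and dst.stat().st_nlink > 1):
        return False  # a destination with extra names was planted by someone else
    fd, tmp = tempfile.mkstemp(dir=dst.parent, prefix=".archive-")
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            shutil.copyfileobj(inp, out)
        os.replace(tmp, dst)  # atomic rename: an attacker's link at dst is merely unlinked
    except OSError:
        os.unlink(tmp)
        return False
    return True


def demo(root=None) -> dict:
    """Replay the scenario in a scratch tree with constructed sample data."""
    root = Path(root or tempfile.mkdtemp())
    archive = root / "Logs" / "GobiApi Archived Logs"
    archive.mkdir(parents=True)
    src = root / "Logs" / f"{LOG_PREFIX} planted{LOG_SUFFIX}"
    src.write_bytes(b"attacker content")
    victim = root / "victim.exe"  # stands in for a privileged binary (constructed)
    victim.write_bytes(b"original binary")
    dst = archive / src.name
    os.link(victim, dst)  # hardlink planted at the copy destination
    refused = not safe_archive(src, dst)
    intact = victim.read_bytes() == b"original binary"
    unsafe_archive(src, dst)  # the behaviour described in the post
    clobbered = victim.read_bytes() == b"attacker content"
    dst.unlink()  # with the link gone, the safe archiver completes normally
    copied = safe_archive(src, dst) and dst.read_bytes() == b"attacker content"
    return {"safe_refused": refused, "safe_intact": intact,
            "unsafe_overwrote": clobbered, "safe_copied": copied}
```

Regardless of how the copy is written, a SYSTEM service should not read from or write into directories where unprivileged users can create files; the rename-over-destination pattern is defence in depth for cases where that cannot be avoided.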
The following steps use the security issue above to overwrite dpnsvr.exe with the contents of GobiApi-SwiService malicious.tbd.
echo malicious_code > "C:\ProgramData\Sierra Wireless\Logs\GobiApi-SwiService malicious.tbd"
CreateHardlink.exe "C:\ProgramData\Sierra Wireless\Logs\GobiApi Archived Logs\GobiApi-SwiService malicious.tbd" "C:\Windows\SysWOW64\dpnsvr.exe"
After the next reboot, "C:\Windows\SysWOW64\dpnsvr.exe" was overwritten with the contents of "C:\ProgramData\Sierra Wireless\Logs\GobiApi Archived Logs\GobiApi-SwiService malicious.tbd".

In our best efforts to follow the practice of responsible disclosure, we reported this issue privately to Sierra Wireless. Additionally, we reported the issue to Lenovo, as we found it on a Lenovo computer and as they are one of the major distributors of the driver. However, this vulnerability would apply to any PC that uses this Sierra Wireless driver. Both parties cooperated in a timely and professional manner, resulting in a fix for the issue along with advisories from Sierra Wireless and Lenovo:
Below is a timeline of the disclosure process:
Date | Event
--- | ---
21.01.2020 | Initial contact to Lenovo PSIRT reporting the vulnerability
21.01.2020 | Lenovo PSIRT responds and their development team continues to review the issue
30.01.2020 | Lenovo PSIRT refers to Sierra Wireless security team
31.01.2020 | Sierra Wireless confirms vulnerability and begins remediation planning
12.02.2020 | Sierra Wireless reaches out to discuss remediation plan
12.02.2020 | We respond with notes on the remediation plan
12.02.2020 | Sierra Wireless reserves CVE
24.02.2020 | Sierra Wireless begins work with PC-OEM partners privately
23.03.2020 | PC-OEM partners inform Sierra Wireless they are prepared for disclosure
24.03.2020 | Sierra Wireless proposes coordinated publication plan
14.04.2020 | All three parties publish