[German]Microsoft has found two serious vulnerabilities in a driver and in PC Manager for Windows, both provided by Chinese company Huawei. These vulnerabilities allow local privileges escalation. Updates are available since in January 2019.
Advertising
Microsoft has released now some details about the vulnerabilities within the blog post From alert to driver vulnerability: Microsoft Defender ATP investigation unearths privilege escalation flaw.
Flaw in Huawei driver
A vulnerability in a signed third-party driver could have serious consequences. Such a vulnerability can be exploited by attackers to increase privileges or, more often, bypass driver signature enforcement.
Microsoft has found such a vulnerability in Huawei's PCManager for Windows. Initially the got a warning from the kernel sensors of Microsoft Defender Advanced Threat Protection. Because starting with Windows 10, version 1809, the kernel was equipped with new sensors. These sensors were developed to track the user APC code injection initiated by a kernel code and thus gain a better overview of kernel threats such as DOUBLEPULSAR.
When investigating the warning mentioned above, Microsoft came across a device management driver HwOs2Ec10x64.sys developed by Huawei. The analysis of the driver showed that it had a design error. This would have allowed an attacker local escalation of privileges.
And ther was a 2nd vulnerability
While investigating the above issue, which is described in detail in the above linked Microsoft blog post, another bug was discovered. There was an IOCTL handler that was used by the MateBookService.exe process (probably when starting the service).
Advertising
If an attacker controls an instance of MateBookService.exe, he get access to the \\.\HwOs2EcX64 device and can call some of its IRP functions. Then the attacker-controlled process could abuse this capability to communicate with the device and register a monitored executable of his choice. The CVE-2019-5242 vulnerability allows an attacker to execute malicious code and read/write memory.
Huawei wrotes within a security advisory, that both bugs have already been fixed on January 9, 2019. Users are recommended to update PCManager to version 9.0.1.70 in China and to 9.0.1.66 in overseas markets.
