Microsoft has just discovered a troublesome flaw in a Huawei PC product that could have given attackers an easy way to tamper with the Windows kernel.
According to Huawei’s advisory, “there is a privilege escalation vulnerability in Huawei PCManager product”. An attacker could trick a user into installing and running a malicious application to exploit the bug and gain higher privileges.
However, that is not the only vulnerability that was addressed. There is also a code execution vulnerability in the Huawei PCManager product, which attackers could have abused to execute malicious code and read or write memory.
How Did Microsoft Discover the Vulnerabilities in Huawei?
Starting with Windows 10, version 1809, the Windows kernel has new sensors (Microsoft Defender Advanced Threat Protection’s kernel sensors) designed to trace User APC code injection initiated by kernel code. These are meant to detect kernel threats such as the DOUBLEPULSAR exploit, a kernel backdoor used by the WannaCry ransomware to inject its main payload into user space.
The Microsoft Defender Research Team discovered the driver while investigating an alert raised by these sensors. The team traced the anomalous behavior to a device management driver developed by Huawei and later found a design lapse that led to a vulnerability allowing local privilege escalation.
Microsoft promptly reported the vulnerability, identified as CVE-2019-5241, to Huawei, which responded quickly; a fix was released on January 9, 2019.
As for the other vulnerability, CVE-2019-5242, the Microsoft researchers also discovered that “the driver provided a capability to map any physical page into user-mode with RW permissions”:
Invoking this handler allowed code running with low privileges to read-write beyond the process boundaries—to other processes or even to kernel space. This, of course, means a full machine compromise.
The two vulnerabilities discovered in the driver illustrate the importance of designing software and products with security in mind, Microsoft concluded.