As part of its effort to protect Windows 10 from the next WannaCry, security researchers at Microsoft discovered a buggy Huawei utility that could have given attackers a cheap way to undermine security of the Windows kernel.
Microsoft has now detailed how it found a severe local privilege escalation flaw in the Huawei PCManager driver software for its MateBook line of Windows 10 laptops. Thanks to Microsoft’s work, the Chinese tech giant patched the flaw in January.
As Microsoft researchers explain, third-party kernel drivers are becoming more attractive to attackers as a side-door to attacking the kernel without having to overcome its protections using an expensive zero-day kernel exploit in Windows.
The flaw in Huawei’s software was detected by new kernel sensors that were implemented in the Windows 10 October 2018 Update, aka version 1809.
The sensors are part of Microsoft’s response to the WannaCry malware outbreak of 2017, which caused havoc in the UK’s National Health Service and infected about 200,000 Windows PCs around the world. The malware was attributed to North Korean hackers.
Specifically, the sensors are designed to catch malware like DoublePulsar, a backdoor implant created by US National Security Agency hackers that was leaked by The Shadow Brokers in early 2017. DoublePulsar runs in kernel mode and was the vehicle for delivering WannaCry, copying the malware from the kernel to user-space.
The kernel sensors are meant to address the difficulty of detecting malicious code running in the kernel and are designed to detect user-space asynchronous procedure call (APC) code injection from the kernel.
Microsoft Defender ATP anti-malware uses these sensors to detect actions caused by kernel code that may inject code into user-mode.
Huawei’s PCManager triggered Defender ATP alerts on multiple Windows 10 devices, prompting Microsoft to launch an investigation.
“Hunting led us to the kernel code that triggered the alert. One would expect that a device management software would perform mostly hardware-related tasks, with the supplied device drivers being the communication layer with the OEM-specific hardware,” explains Amit Rapaport, a researcher on the Microsoft Defender ATP team.
“So why was this driver exhibiting unusual behavior? To answer this question, we reverse-engineered HwOs2Ec10x64.sys.”
The investigation led the researcher to the executable MateBookService.exe. Due to a flaw in Huawei’s ‘watchdog’ mechanism for HwOs2Ec10x64.sys, an attacker is able to create a malicious instance of MateBookService.exe to gain elevated privileges.
The flaw can be used to make code running with low privileges read and write to other processes or to kernel space, leading to a “full machine compromise”. Microsoft used ‘process hollowing‘, a popular trick used by malware authors, to demonstrate the flaw.
“An attacker-controlled instance of MateBookService.exe will still be granted access to the device \.HwOs2EcX64 and be able to call some of its IRP functions. Then, the attacker-controlled process could abuse this capability to talk with the device to register a watched executable of its own choice,” explains Rapaport.
“Given the fact that a parent process has full permissions over its children, even a code with low privileges might spawn an infected MateBookService.exe and inject code into it.”
According to Huawei’s advisory, an attacker can exploit the flaw by tricking a users run a malicious app. The flaw has a severity score of 7.3 out of a possible 10.
“Successful exploitation may cause the attacker to execute malicious code and read/write memory,” Huawei notes.