
Microsoft finds privilege escalation vulnerability in Huawei driver - trtobe
https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/
======
pbhjpbhj
From scanning the page it sounds like Huawei used a hack to make their
MateBookService unkillable, unremovable, by unhooking into services.exe. That
in the process of that they left the possibility that the device they were
using HwOs.*\\.sys was only protected from being used by checking the program
had the right path, thus leaving it open to crackers (it being basically g+rw)
to use to get the ring-0 permissions needed to run the "stay resident"-type
hack Huawei were using. And that in turn meant a process could overwrite
MateBookService and gain its own privilege escalation??

Am I close, if so: is there evidence that Huawei were using that access
maliciously or was it just "to make sure their 'management software' retained
its place in the OS"??

We're talking about computers manufactured by Huawei here? Surely they can run
code at a far lower level, is this MS and Huawei fighting over which of them
"owns" the user's computer?

[Slight aside: The MS page reads a lot like an advert. Nice link through to a
page that itself has "start trial or buy" up top above the hero shot. Name
drops some big vulns, WannaCry, DoublePulsar. Devalues the piece IMO because
it seems the reason for them doing the work is solely to create an advert.]

~~~
wyattpeak
Not addressing the main point but the aside - I like it when companies have a
clear financial interest in solving a problem.

Sure I get the warm fuzzies when a company like Google circa 2005 does
something to help people with nothing obvious to gain from it. But in my
experience companies like Google circa 2005 tend to become companies like
Google circa 2019. People acting in their own interest are reliable.

~~~
DanielBMarkham
Apologies for digressing, but this is an important point.

Instead of the facile happytalk "Don't Be Evil", a much better slogan might be
"Be as evil as you want, just don't hide anything from me and let's have an
open and honest relationship".

Companies keep using the average user's technology ignorance against them.
That was kinda cool and probably acceptable when you were the smart kid making
a few dollars here or there; everybody loves the story of some genius hacker
able to figure out the stock market and make a small fortune on a stunt they
could never repeat, but this has gotten completely out of hand. It's gotta
stop. We need to start acting in the user's best interests _as if they knew as
much about the business as we do_. That's the only ethical way forward from
here.

~~~
mortb
Word. I very much miss a serious ethical discussion in the tech crowd that I
see myself as part of, being a developer. I think we should admit that we are
part of a technocracy. If you know the tech you may pull any stunt off, even
when you're a big company. The people that need to question our actions are
not likely to understand the problem.

To cut to my conclusion: We should be more humble about our less tech-educated
users and act accordingly.

------
lostmsu
Original source, much better info + technical details:
[https://www.microsoft.com/security/blog/2019/03/25/from-aler...](https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/)

~~~
dang
Ok, we've changed the URL to that from
[https://www.theepochtimes.com/microsoft-finds-backdoor-in-hu...](https://www.theepochtimes.com/microsoft-finds-backdoor-in-huawei-laptops-that-could-give-hackers-access_2863926.html).

------
zvrba
Weird approach by Huawei. If you want a program to stay up and running, you
write a Windows service; autostart with restart for recovery in case of crash.
The service process can set its own DACL so that only SYSTEM can open its
handle, hence the process is inaccessible/unkillable to ordinary users, even
administrators.

The knowledge needed to do so is far less than what is needed to pull the hack
that Huawei did.

So to quote another user:

> Problem: any well written exploit will be designed to look like a mistake.

and given the above, I'm inclined to believe that this was meant as a deniable
exploit ("honest mistake").

What I wrote above is what I miss in MS's analysis. There are cleaner and
simpler ways to achieve what Huawei tried to accomplish. I would be astonished
that the person(s) having knowledge to write a kernel driver don't know about
DACLs and how to use them to prevent tampering with a process.

EDIT: The article does end with guidelines. However, I'd be more happy if MS
explicitly wrote "They should have done THIS (using existing, well-documented,
UM-only OS functionality) instead to achieve their goal."
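
The user-mode alternative zvrba describes, written out as an added example (not code from this thread, from Huawei or from Microsoft): the Service Control Manager handles autostart and restart-on-crash, and a tightened DACL makes the service hard to stop. It assumes an already-installed service with the hypothetical name ExampleWatchdogSvc, and it locks down the service object's DACL (via SDDL) rather than the process handle, which is a simplification of what zvrba suggests.

```powershell
# Added example, not from the thread. 'ExampleWatchdogSvc' is a hypothetical
# placeholder; run from an elevated prompt on a machine where it is installed.
$svc = 'ExampleWatchdogSvc'

# 1. Keep it running without any kernel code: autostart, and let the SCM
#    restart it 5 s after each crash, resetting the failure count after a
#    day (86400 s). This is the documented "recovery" feature of services.
sc.exe config $svc start= auto
sc.exe failure $svc reset= 86400 actions= restart/5000/restart/5000/restart/5000

# 2. Tamper-resistance through the service object's DACL.
#    SYSTEM (SY) keeps its default rights. Administrators (BA) keep query
#    and start (RP) but lose stop (WP), pause/continue (DT), reconfigure
#    (DC), delete (SD) and DACL/owner changes (WD/WO). Interactive and
#    service users (IU/SU) keep the default read-only set, and the SACL
#    (S:) is the stock audit entry. Compare with 'sc.exe sdshow' on any
#    default service to see which rights were removed.
$sddl = 'D:' +
        '(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
        '(A;;CCLCSWRPLOCRRC;;;BA)' +
        '(A;;CCLCSWLOCRRC;;;IU)' +
        '(A;;CCLCSWLOCRRC;;;SU)' +
        'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
sc.exe sdset $svc $sddl

# 3. Check what the SCM actually stored: the recovery actions and the DACL.
sc.exe qfailure $svc
sc.exe sdshow $svc
```

A local administrator holding SeTakeOwnershipPrivilege can still take ownership and rewrite this DACL, so this resists ordinary users and careless tooling rather than a determined admin; that is a property of the Windows security model, and the point is that it needs no kernel driver at all.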

~~~
londons_explore
Perhaps they wanted the service killable, but for it to always restart?

Considering the physical memory mapping stuff, I wouldn't be surprised if the
service doesn't have some roles firmware should have had - for example
ensuring the battery charger is stopped when the battery is fully charged to
prevent a fire.

~~~
YawningAngel
That isn't a safe approach, as your laptop becomes a fire hazard as soon as
you install any other OS (even clean Windows!). I'm not sure that this is a
more robust mechanism for achieving that outcome than a Windows service in any
case.

~~~
HeWhoLurksLate
Perhaps in hardware?

------
mortb
Maybe, as some posters in this thread are suggesting, this should not be read
as a PR article. This should be read as a "Huawei (and others), we are watching
you. Stop doing those things; we are able to spot your doings, and we are
willing to show the world". Of course the article touts the ability of
Defender and their forensics team, but there is definitely a possibility that
another message is being conveyed. As I am working mostly in web etc., I have
no experience in writing drivers, so this is quite a few software layers below
my comfort zone. However, to me, having read the article, it seems that the
"Watchdog" goal achieved by Huawei's code is done in such a roundabout
fashion that it is either a combination of "skilled but sloppy programmer" or
"skilled and not sloppy but wanting to be perceived as sloppy". Some context:
WannaCry and DOUBLEPULSAR are mentioned several times. Read about the NSA
backdoors:
[https://en.wikipedia.org/wiki/EternalBlue](https://en.wikipedia.org/wiki/EternalBlue)
[https://en.wikipedia.org/wiki/DoublePulsar](https://en.wikipedia.org/wiki/DoublePulsar)

EternalBlue was leaked from the NSA and developed into WannaCry.

~~~
mortb
Another piece of context: the article says that the issue was resolved
together with Huawei. Why then make a publicly available article about it
naming the company? Why not just patch and pretend that there was no issue,
or patch with a more generic description, "we have implemented a mechanism
to monitor drivers that might try to execute arbitrary code"?

~~~
tastroder
That happens all the time, as it's relatively normal to do so in this type of
disclosure. With the political focus on Huawei these days it's likely just
people noticing this message more than others; it's not like other big
manufacturers show better security practices. With Huawei in particular, MS as
a US company really couldn't have omitted the name from the disclosure without
being put in a weird spot later down the road.

While I agree with other posters that the wording of this disclosure is
unnecessarily mixed with a PR piece, naming companies for me is crucial as it
allows end users to assess their own impact of a vulnerability and also puts
a public track record on these vendors.

------
saagarjha
Better article: [https://www.microsoft.com/security/blog/2019/03/25/from-aler...](https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/)

~~~
dang
Changed now. Thanks!

------
Jonnax
Is there any value in these driver add-on tools that manufacturers ship?

Like printer drivers they seem to be badly coded messes that create attack
surfaces.

For a typical laptop everything except BIOS updates can be got straight from
the vendor of the component.

I'm surprised Microsoft haven't started distributing stuff like GPU, chipset
and other drivers themselves.

~~~
allset_
With Win10 they do ship those drivers through Windows updates.

~~~
kiwijamo
They’ve done it for previous versions as well. I think that practice goes back
to Vista at the very least.

~~~
rincebrain
It started in Vista, AFAIK, but it didn't really become reliably useful for
_most_ of the drivers on even relatively common hardware configurations until
7, and even now it's still not complete (I installed a Coffee Lake-era Intel
desktop with Win10, and I still got to play Hunt the Unknown Device Driver
even after the endless reboots for updating had installed every driver Windows
Update offered, and that's for onboard peripherals, not a fly-by-night USB
device or PCIe card.)

~~~
chronogram
For future people with troubles, you could go try sdi-tool.org, which has
worked nicely for me and a lot of friends for years now.

------
jorblumesea
Given China's preponderance to mass surveillance and Huawei's obvious ties to
the state, it's probably smart to take a critical look at anything they write.
Willful ignorance and incompetence or cleverly crafted vuln with plausible
deniability?

I guess, does it even matter at that point if you get ring-0 permissions?
Probably shouldn't ever use their products regardless of the cause.

~~~
monocasa
The thing already had ring 0 permissions, the code with the bug in it is a
kernel driver.

------
msie
Backdoor is such a loaded word to use for a vulnerability. Especially since
Huawei is involved. Shame on the person who came up with the title and the
reporter who uses the term in the article.

~~~
stefan_
There is no valid reason, ever, for a driver to do what the Huawei driver did
here. That should be obvious given the detection methods that Microsoft
implemented in the kernel to find and prevent just this behavior.

The Microsoft blog might stop short of calling it malware, but I think we
don't need the faux politeness here. The fact that their malware also
contained a privilege escalation (the "vulnerability") is merely icing on the
cake.

~~~
monocasa
I mean, it's goofy, hacky, and has obvious security flaws but doesn't look
malicious. Calling it a "backdoor" ascribes a certain intentionality to the
vulnerability that it's not clear is warranted. It's about the code quality I
expect from the management shovelware that comes preloaded on laptops from any
major brand.

Source: I've written kernel drivers and exploits.

~~~
stefan_
What is not malicious about a driver whose pure function (this thing literally
has no other _value_ or purpose) is maintaining an invincible NT_AUTHORITY
process of their pre-installed management software? And achieving that by
allocating a RWX page in services.exe? What are we even doing W^X for?

Maybe we have different expectations of what a _driver_ is. Take a look for
yourself, even the updated PC Manager Software on their website still has the
driver with the goofy shellcode in its installer (no idea if it's just not
loaded now):

[https://consumer.huawei.com/us/support/pc/matebook-x-pro/](https://consumer.huawei.com/us/support/pc/matebook-x-pro/)

~~~
dfox
Writing "drivers" that do questionable things for even more questionable
reasons seems to be par for the course in the Windows ecosystem. If I
understand the whole situation correctly, Fortnite installs a WHQL-certified
kernel driver whose sole purpose is to cause a BSOD when LSASS.EXE maps pages
from the Fortnite process...

~~~
wyldfire
Is that an anti-cheat feature?

------
jaclaz
I may be cynical but:

>Our discovery of the driver vulnerabilities also highlights the strength of
Microsoft Defender ATP’s sensors. These sensors expose anomalous behavior and
give SecOps personnel the intelligence and tools to investigate threats, as we
did.

>Anomalous behaviors typically point to attack techniques perpetrated by
adversaries with only malicious intent. In this case, they pointed to a flawed
design that can be abused. Nevertheless, Microsoft Defender ATP exposed a
security flaw and protected customers before it can even be used in actual
attacks.

Seems to me a lot like "the ATP sensors and the SecOps did what they are
supposed to do" followed by some self-patting/self-applauding on how good the
MS technology and guys are at it.

------
ngcc_hk
It is not what they can do now and be fixed but what tubes can do in the
future.

But can each country have their own manufactured computer and OS? Or region?

------
Uhrheber
Microsoft! Finding a privilege escalation! In someone else's software!

The world is turned upside down.

------
brianpgordon
So these "alerts" are coming from Microsoft's cloud-powered anti-malware
service? It's kind of disturbing that they have enough data on Microsoft
servers to conduct such an in-depth after-the-fact investigation of events on
an endpoint machine. Are businesses really OK with sharing telemetry on this
level?

------
kobi7
So many spies... Why are they afraid of saying that China is trying to spy and
steal your intellectual property? It's an established fact by now.

