
«Ucell» - trade mark FE «COSCOM» LLC

Author: Hadji Samir , Published: 24-12-2014
# Exploit Author: Hadji Samir s-dz@hotmail.fr
# Date: 21/12/14
# Vendor: «Ucell» - trade mark FE «COSCOM» LLC
# Product Web Page: http://ucell.uz/en/subscribers/devices/modems/upgrade_your_modem
# Tested on: Microsoft Windows 7 32bit


The "Ucell" application lets users activate mobile broadband (3G)
for the du service provider on systems containing one of the
supported devices. It gives you access to du wireless internet
wherever you are and whenever you need it, either through your
mobile data SIM or simply by connecting your 3G USB stick to your
device.

Desc: The application is vulnerable to an elevation of privileges
vulnerability which can be exploited by an ordinary user who can
replace the executable file with a binary of choice. The vulnerability
exists due to improper permissions: the 'F' flag (full control) is
granted to 'Everyone' (Tout le monde:F) and to the 'Users' group on
all binary files. The files are installed in the 'Ucell Internet'
directory, which has the Everyone group assigned to it with full
permissions, making every single file inside it modifiable by any
user on the affected machine. After you replace the binary with
your rootkit, on reboot you get SYSTEM privileges.



C:\Users\s-dz\Desktop>cacls "C:\Program Files\Ucell Internet"
C:\Program Files\Ucell Internet Tout le monde:F
Tout le monde:(OI)(CI)(IO)F
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
AUTORITE NT\Système:(ID)F
AUTORITE NT\Système:(OI)(CI)(IO)(ID)F
BUILTIN\Administrateurs:(ID)F
BUILTIN\Administrateurs:(OI)(CI)(IO)(ID)F
BUILTIN\Utilisateurs:(ID)R
BUILTIN\Utilisateurs:(OI)(CI)(IO)(ID)(accès spécial :)
GENERIC_READ
GENERIC_EXECUTE

CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(ID)F


C:\Users\s-dz\Desktop>accesschk.exe -dqv "C:\Program Files\Ucell Internet"
C:\Program Files\Ucell Internet
Medium Mandatory Level (Default) [No-Write-Up]
RW Tout le monde
FILE_ALL_ACCESS
RW NT SERVICE\TrustedInstaller
FILE_ALL_ACCESS
RW AUTORITE NT\Système
FILE_ALL_ACCESS
RW BUILTIN\Administrateurs
FILE_ALL_ACCESS
R BUILTIN\Utilisateurs
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_EA
FILE_TRAVERSE
SYNCHRONIZE
READ_CONTROL

C:\Users\s-dz\Desktop>
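The cacls and accesschk listings above show the condition by hand for one directory. As an added example (not part of the original advisory, and not Ucell's or the author's code), the PowerShell below automates the same check from a defender's side: it walks a program directory, flags every Allow ACE that gives Everyone, Users or Authenticated Users any write-class right, and builds the icacls command that resets the tree to the Program Files defaults. The function names are hypothetical; the target path is the one named in the advisory, and the well-known SIDs are Windows constants.

```powershell
# Added example, not part of the original advisory: audit a directory for ACEs
# that let broad principals modify files, and build the icacls remediation.
# Function names are hypothetical; the path below is the one from the advisory.

# Access-mask bits that allow a file to be replaced or altered:
# FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES|DELETE|
# WRITE_DAC|WRITE_OWNER|GENERIC_ALL|GENERIC_WRITE. Testing bits rather than enum
# names also catches generic-right ACEs, which Get-Acl reports as raw numbers.
$WriteMask = [int64]0x500D0116

# Well-known SIDs that should never hold write access under Program Files:
# S-1-1-0 = Everyone, S-1-5-32-545 = Users, S-1-5-11 = Authenticated Users.
$BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')

function Find-WeakAce {
    param([Parameter(Mandatory)][string]$Path)

    # Include the directory itself: in the advisory the weak ACE sits on the
    # folder and is inherited by every file underneath it.
    $items = @(Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

            # Compare by SID, not by name: the advisory's host is French, so the
            # same principal appears as "Tout le monde" rather than "Everyone".
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }
            if ($BroadSids -notcontains $sid) { continue }

            # Mask the enum to an unsigned 32-bit value before testing the bits.
            $bits = [int64][int]$ace.FileSystemRights -band 0xFFFFFFFF
            if (($bits -band $WriteMask) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-RemediationCommand {
    param([Parameter(Mandatory)][string]$Path)
    # Rebuild the ACL the way Program Files ships: SYSTEM, Administrators and
    # TrustedInstaller get full control, Users only read and execute.
    # /inheritance:r drops the inherited ACEs, /T applies the result to the tree.
    # The *S-... form lets icacls take a SID, so this works on any Windows language.
    $grants = @(
        '"*S-1-5-18:(OI)(CI)F"',                     # NT AUTHORITY\SYSTEM
        '"*S-1-5-32-544:(OI)(CI)F"',                 # BUILTIN\Administrators
        '"NT SERVICE\TrustedInstaller:(OI)(CI)F"',
        '"*S-1-5-32-545:(OI)(CI)RX"'                 # BUILTIN\Users: read/execute only
    )
    return ('icacls "{0}" /inheritance:r /grant:r {1} /T' -f $Path, ($grants -join ' '))
}

# Usage: the audit needs no privileges; the icacls fix must run elevated.
$target = 'C:\Program Files\Ucell Internet'   # path from the advisory
$weak = @(Find-WeakAce -Path $target)
$weak | Format-Table Path, Principal, Rights, Inherited -AutoSize
if ($weak.Count -gt 0) {
    Write-Host "Run from an elevated prompt to fix:`n$(Get-RemediationCommand -Path $target)"
}
```

Pointing Find-WeakAce at the whole of Program Files (or a list of installed-software roots) turns it into a quick fleet check for the same class of bug in other installers; the Inherited column tells you whether a fix on the directory alone will propagate or whether individual files carry their own explicit ACEs.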
