Recently, a serious privilege escalation flaw was found by Microsoft researchers in Huawei's PCManager driver software, along with arbitrary code execution vulnerabilities. Read this page carefully for the details of these flaws.

Serious Privilege Escalation Flaw in Huawei PCManager Software

Microsoft security researchers are always working to protect Windows 10 from viruses and ransomware. Recently, they discovered a severe local privilege escalation flaw in a Huawei tool: the PCManager driver software.


How Was the Flaw Discovered

Code execution vulnerabilities were also found in the Huawei tool at the same time. The serious privilege escalation flaw and the code execution flaw are said to offer attackers a cheap way to undermine the security of the Windows kernel.

How were these security bugs found? The kernel sensors in Microsoft Defender Advanced Threat Protection (ATP) detected anomalous behavior related to the Huawei device management driver. These are the new kernel sensors that shipped with the Windows 10 October 2018 Update (also known as version 1809).

Microsoft Defender ATP

The Huawei PCManager driver software triggered Defender ATP alerts on various devices running Windows 10, so Microsoft started an investigation to find out why.

"Hunting led us to the kernel code that triggered the alert. One would expect that device management software would perform mostly hardware-related tasks, with the supplied device drivers being the communication layer with the OEM-specific hardware. So why was this driver exhibiting unusual behavior? To answer this question, we reverse-engineered HwOs2Ec10x64.sys." – Amit Rapaport, a researcher on the Microsoft Defender ATP team

By taking advantage of the flaw in Huawei's watchdog mechanism for HwOs2Ec10x64.sys, an attacker can easily acquire elevated privileges by building a malicious instance of MateBookService.exe.

Once the flaw is exploited, attacker code running with low privileges gains read and write access to kernel space (or to other processes), which results in a full machine compromise. Microsoft used the well-known process hollowing trick to demonstrate the flaw.

"An attacker-controlled instance of MateBookService.exe will still be granted access to the device \\.\HwOs2EcX64 and be able to call some of its IRP functions. Then, the attacker-controlled process could abuse this capability to talk with the device to register a watched executable of its own choice. Given the fact that a parent process has full permissions over its children, even code with low privileges might spawn an infected MateBookService.exe and inject code into it." – Rapaport continued

According to Huawei, attackers could exploit the privilege escalation flaw by luring users into running a malicious app. It is a serious problem, with a severity score of 7.3 (out of a possible 10).

Windows Kernel Sensors

It is undeniable that third-party kernel drivers are becoming a target for more and more attackers. Using them as a side door, attackers can compromise the kernel and bypass its protections without an expensive zero-day Windows kernel exploit.


In 2017, the WannaCry malware outbreak had a serious impact on the UK's National Health Service. According to statistics, about 200,000 Windows PCs around the world were affected. The incident was eventually attributed to North Korean hackers. Microsoft later introduced the sensors as part of its response to such malware attacks.

For how to recover files that have been removed by a virus, this post offers a good answer:

Full Guide: Recover Files Deleted by Virus Attack

What’s the Function of Sensors

Specifically, an important reason the sensors were designed was to catch malware like DoublePulsar, a backdoor implant that appeared in 2017 and was leaked by The Shadow Brokers. As the delivery tool for WannaCry, DoublePulsar runs in kernel mode to copy malware from the kernel into user space.

The sensors have in fact been applied to the Microsoft Defender ATP anti-malware product, because kernel code may perform actions that inject code into user mode, and the sensors are responsible for detecting them.
