From scanning the page it sounds like Huawei used a hack to make their MateBookService unkillable, unremovable, by hooking into services.exe. That in the process of that they left the possibility that the device they were using HwOs.*\.sys was only protected from being used by checking the program had the right path, thus leaving it open to crackers (it being basically g+rw) to use to get the ring-0 permissions needed to run the "stay resident"-type hack Huawei were using. And that in turn meant a process could overwrite MateBookService and gain its own privilege escalation??
Am I close, if so: is there evidence that Huawei were using that access maliciously or was it just "to make sure their 'management software' retained its place in the OS"??
We're talking about computers manufactured by Huawei here? Surely they can run code at a far lower level, is this MS and Huawei fighting over which of them "owns" the user's computer?
[Slight aside: The MS page reads a lot like an advert. Nice link through to a page that itself has "start trial or buy" up top above the hero shot. Name drops some big vulns, Wannacry, DoublePulsar. Devalues the piece IMO because it seems the reason for them doing the work is solely to create an advert.]
Not addressing the main point but the aside - I like it when companies have a clear financial interest in solving a problem.
Sure I get the warm fuzzies when a company like Google circa 2005 does something to help people with nothing obvious to gain from it. But in my experience companies like Google circa 2005 tend to become companies like Google circa 2019. People acting in their own interest are reliable.
Apologies for digressing, but this is an important point.
Instead of the facile happytalk "Don't Be Evil", a much better slogan might be "Be as evil as you want, just don't hide anything from me and let's have an open and honest relationship"
Companies keep using the average user's technology ignorance against them. That was kinda cool and probably acceptable when you were the smart kid making a few dollars here or there, everybody loves the story of some genius hacker able to figure out the stock market and make a small fortune on a stunt they could never repeat, but this has gotten completely out of hand. It's gotta stop. We need to start acting in the user's best interests as if they knew as much about the business as we do. That's the only ethical way forward from here.
Word. I very much miss a serious ethical discussion in the tech crowd that I see myself as part of, being a developer. I think we should admit that we are part of a technocracy. If you know the tech you may pull any stunt off, even when you're a big company. The people that need to question our actions are not likely to understand the problem.
To cut short to my conclusion: We should be more humble about our less tech educated users and act accordingly.
The problem is that most incentives can be gamed. There are good and bad ways to get customers to buy more or make the stock price go up.
People are smarter than metrics. Increase the incentives and you also increase the incentive to cheat. Sometimes the best you can do is insulate people from incentives, so people have the leeway to do the right thing without acting against their own best interest.
Well, that's why there's generally a difference between market incentives and regulatory incentives. In this case, I believe we are referring to market based incentives, where gaming them is of limited use because the market should respond to that gaming.
That said, regulatory incentives and punishments have their place too, IMO generally where the market isn't responding well, or information isn't available enough to allow for an efficient market, or as a response to some other regulatory market effects. But, as you noted, you'll often get some interesting behavior right at the edge of where the regulation kicks in because there's often a hard change instead of a gradual shift as an efficient market would allow.
If gaming the markets is of limited use, I wonder why market participants put so much effort into it?
I mean, consider Wall Street, Las Vegas, used car sales - the list goes on and on. It's a rich area of storytelling that goes back to the dawn of recorded history.
If you say what you mean by gaming the system with any of those, Wall Street, Las Vegas, used car sales, maybe I can respond intelligently. As it is, I'm not sure what you're referring to. Most things I think of that would be considered gaming the system having to do with those have to do with human rules applied to a system, instead of emergent market economics, and that's what I was referring to.
There is gaming of markets, but I think generally if it's not based on some regulation, it's because of information asymmetry (which is a market inefficiency).
All I was trying to point out in the prior comment is that there are different kinds of incentives. There are incentives that are constructed, and there are incentives that are natural. Constructed incentives are much easier to game. Natural incentives are emergent. Microsoft is incentivized to have good security for their OS now by the market in general, because it hurts them to not have good security (compared to the past, where they could get away with lax security until it became a problem). That's emergent from the market and people deciding to use or not use their product. I wouldn't consider that "gaming the system", and if they did game it by talking a lot about security but not actually doing much, eventually the market should note that and respond appropriately.
Alternatively, Microsoft can reduce their tax burden by shifting business entities to different countries and shuffling how it appears their profit is created, so it's registered in a country with very little taxes, leading them to pay fewer taxes (not that they do, I don't know. I believe Apple and Google are reputed to do this). That's based on rules set by people, such as country boundaries and tax rates. Doing this could be considered "gaming the tax system". It requires specific changes to the rules to fix, it won't just shift naturally.
To me it appeared the comment you were responding to originally was using "incentive" in the pure form, meaning "benefit for doing so", and it appeared you were referring to incentive in the regulatory sense, where it's a human construction to influence behavior, but that's only a subset of the meaning.
I guess it's because Defender ATP is basically some kind of cloud-service for security and because everyone is running Windows for everything it's targeted at managers or so. I have no idea how useful it is, but I guess they have some advanced techniques to detect certain attacks (like this one, or the dropped DoublePulsar) - If you have to defend some important Active Directory Setup it's probably not a bad deal.
It's still ironic that Huawei gets some free audit for their stuff now and it's sold as they are bad, while everything is terrible - I won't install Logitech software after this epic bug here: https://bugs.chromium.org/p/project-zero/issues/detail?id=16...
I just looked into that Logitech issue, it's interesting to note that contact was made with Logitech engineers in September. The engineers provided assurance that the issue was understood and would be fixed. Months pass... updates were released, none of which contained the security fix. December arrives and finally the vulnerability is made public, picked up by the media, and Logitech releases a fix within days.
It's a familiar pattern. If a large company were a biological organism, one of its main pain signals would be negative PR. Prod the beast in other ways and it doesn't respond.
Meh, I just suspect they're not as forthcoming about bugs they find for their preferred hardware partners no matter how crazily bad they are. Partialism like that makes me distrust them, perhaps my skepticism falls the wrong way here, maybe I'm reading an undercurrent that's not there.
It's not a question of who owns the computer; the software was trying to do things that Microsoft totally agree with - so much so that Microsoft have a published "right way" of doing it.
Weird approach by Huawei. If you want a program to stay up and running, you write a Windows service; autostart with restart for recovery in case of crash. The service process can set its own DACL so that only SYSTEM can open its handle, hence the process is inaccessible/unkillable to ordinary users, even administrators.
The knowledge needed to do so is far less than what is needed to pull the hack that Huawei did.
So to quote another user:
> Problem: any well written exploit will be designed to look like a mistake.
and given the above, I'm inclined to believe that this was meant as a deniable exploit ("honest mistake").
What I wrote above is what I miss in MS's analysis. There are cleaner and simpler ways to achieve what Huawei tried to accomplish. I would be astonished that the person(s) having the knowledge to write a kernel driver don't know about DACLs and how to use them to prevent tampering with a process.
EDIT: The article does end with guidelines. However, I'd be more happy if MS explicitly wrote "They should have done THIS (using existing, well-documented, UM only OS functionality) instead to achieve their goal."
Perhaps they wanted the service killable, but for it to always restart?
Considering the physical memory mapping stuff, I wouldn't be surprised if the service doesn't have some roles firmware should have had - for example ensuring the battery charger is stopped when the battery is fully charged to prevent a fire.
That isn't a safe approach, as your laptop becomes a fire hazard as soon as you install any other OS (even clean Windows!).
I'm not sure that this is a more robust mechanism for achieving that outcome than a Windows service in any case.
> Perhaps they wanted the service killable, but for it to always restart?
Then you use a DACL that gives only PROCESS_TERMINATE permission [1] to the desired group (Administrators, Users, …). If killed, the service control manager will figure out that the program exited abnormally and restart it.
That doesn't kill deadlocked processes, or processes that aren't listening on the management IF. You see this with services that can't be "sc stop"ed.
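As an added example (not code from the thread, from Microsoft or from Huawei), the documented approach the two comments above describe: a Windows service that the Service Control Manager restarts on failure, plus a process DACL that leaves outsiders only PROCESS_TERMINATE. The service name 'VendorSvc' and its binPath are placeholders, and part 2 is applied to the current PowerShell process for demonstration; the same calls would go at the top of the service's own startup code.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell on Windows.
# 'VendorSvc' and its binary path are placeholders for a real management service.

# --- Part 1: let the Service Control Manager do the resurrecting --------------
$svc = 'VendorSvc'
sc.exe create $svc binPath= 'C:\Program Files\Vendor\VendorSvc.exe' start= auto obj= LocalSystem
# Restart 5 s after each failure; reset the failure counter after one day.
sc.exe failure $svc reset= 86400 actions= restart/5000/restart/5000/restart/5000
# Count a non-zero exit code as a failure too, not only an abnormal termination.
sc.exe failureflag $svc 1

# --- Part 2: what the service process does to itself at startup ---------------
# SYSTEM keeps full access (GA); Administrators (BA) and Users (BU) get only
# PROCESS_TERMINATE (0x0001), so they can kill the process (and SCM restarts it)
# but cannot open it for reading, writing or thread injection.
Add-Type -Namespace Win32 -Name ProcSec -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool ConvertStringSecurityDescriptorToSecurityDescriptor(
    string sddl, uint revision, out IntPtr sd, out uint sdSize);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool SetKernelObjectSecurity(IntPtr handle, uint secInfo, IntPtr sd);
[DllImport("kernel32.dll")]
public static extern IntPtr LocalFree(IntPtr mem);
'@

$sddl   = 'D:P(A;;GA;;;SY)(A;;0x0001;;;BA)(A;;0x0001;;;BU)'
$sd     = [IntPtr]::Zero
$sdSize = [uint32]0
if (-not [Win32.ProcSec]::ConvertStringSecurityDescriptorToSecurityDescriptor($sddl, 1, [ref]$sd, [ref]$sdSize)) {
    throw "SDDL conversion failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
$DACL_SECURITY_INFORMATION = 0x4
# The pseudo-handle from GetCurrentProcess() always carries full access, so this
# call succeeds even though a fresh OpenProcess() would now be checked against the DACL.
if (-not [Win32.ProcSec]::SetKernelObjectSecurity([Win32.ProcSec]::GetCurrentProcess(), $DACL_SECURITY_INFORMATION, $sd)) {
    throw "SetKernelObjectSecurity failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
[void][Win32.ProcSec]::LocalFree($sd)

# Check from a second window of the same user: Stop-Process -Id <pid> succeeds,
# while (Get-Process -Id <pid>).Modules is refused with Access Denied.
```

An administrator who enables SeDebugPrivilege in their token bypasses the DACL, so this shuts out ordinary users and stray processes, not a determined admin; that is the intended boundary for a management service, and no kernel code is involved.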
Maybe, as some posters in this thread are suggesting, this should not be read as a PR article. This should be read as a "Huawei (and others) we are watching you. Stop doing those things, we are able to spot your doings, and we are willing to show the world". Of course the article touts the ability of Defender and their forensics team, but there is definitely a possibility that another message is being conveyed. As I am working mostly in web etc I have no experience in writing drivers so this is quite a few software layers below my comfort zone. However, to me having read the article, it seems that the "Watchdog" goal achieved by Huawei's code is done in such a roundabout fashion that it is either a combination of "skilled but sloppy programmer" or "skilled and not sloppy but wanting to be perceived as sloppy".
Some context, WannaCry and DOUBLEPULSAR are mentioned several times. Read about the NSA backdoors: https://en.wikipedia.org/wiki/EternalBlue and https://en.wikipedia.org/wiki/DoublePulsar
EternalBlue was leaked from the NSA and developed into WannaCry.
Another piece of context, the article says that the issue was resolved together with Huawei. Why then make a publicly available article about it naming the company? Why not just patch and pretend that there was no issue, or patch and with a more generic description "we have implemented a mechanism to monitor drivers that might try to execute arbitrary code"?
That happens all the time as it's relatively normal to do so in this type of disclosure. With the political focus on Huawei these days it's likely just people noticing this message more than others, it's not like other big manufacturers show better security practices. With Huawei in particular, MS as a US company really couldn't have omitted the name from the disclosure without being put in a weird spot later down the road.
While I agree with other posters that the wording of this disclosure is unnecessarily mixed with a PR piece, naming companies for me is crucial as it allows end users to assess their own impact of a vulnerability and also puts a public track record on these vendors.
I have a Matebook D.
The manager is useful to update your drivers all at once (plus your BIOS too).
It's the only program that comes with the laptop, so no bloatware. I've been happy with the laptop, and I don't think there is any malice here, just a stupid mistake, which they have already fixed.
It started in Vista, AFAIK, but it didn't really become reliably useful for _most_ of the drivers on even relatively common hardware configurations until 7, and even now it's still not complete (I installed a Coffee Lake-era Intel desktop with Win10, and I still got to play Hunt the Unknown Device Driver even after the endless reboots for updating had installed every driver Windows Update offered, and that's for onboard peripherals, not a fly-by-night USB device or PCIe card.)
Given China's preponderance to mass surveillance and Huawei's obvious ties to the state, it's probably smart to take a critical look at anything they write. Willful ignorance and incompetence or cleverly crafted vuln with plausible deniability?
I guess, does it even matter at that point if you get ring-0 permissions? Probably shouldn't ever use their products regardless of the cause.
Backdoor is such a loaded word to use for a vulnerability. Especially since Huawei is involved. Shame on the person who came up with the title and the reporter who uses the term in the article.
There is no valid reason, ever, for a driver to do what the Huawei driver did here. That should be obvious given the detection methods that Microsoft implemented in the kernel to find and prevent just this behavior.
The Microsoft blog might stop short of calling it malware, but I think we don't need the faux politeness here. The fact that their malware also contained a privilege escalation (the "vulnerability") is merely icing on the cake.
I mean, it's goofy, hacky, and has obvious security flaws but doesn't look malicious. Calling it a "backdoor" ascribes a certain intentionality to the vulnerability that's not clear is warranted. It's about the code quality I expect from the management shovelware that comes preloaded on laptops from any major brand.
What is not malicious about a driver whose pure function (this thing literally has no other value or purpose) is maintaining an invincible NT_AUTHORITY process of their pre-installed management software? And achieving that by allocating a RWX page in services.exe? What are we even doing W^X for?
Maybe we have different expectations of what a driver is. Take a look for yourself, even the updated PC Manager Software on their website still has the driver with the goofy shellcode in its installer (no idea if it's just not loaded now):
> malicious - adj. - having or showing a desire to cause harm to someone
It's goofy, and wouldn't pass a design review that I was a part of, but it isn't "showing a desire to cause harm". It just looks like a rushed design.
> about a driver whose pure function (this thing literally has no other value or purpose)
I see nothing about how this driver doesn't have any other functions.
> is maintaining an invincible NT_AUTHORITY process of their pre-installed management software
Because you want the hardware management process to be resurrected if it fails. They're not gaining anything from an attack perspective by deferring to user mode, the process isn't hidden, and they're already running as a kernel driver so they have full control of the system as it is. In Raymond Chen's parlance, they're already on the other side of the airtight hatch.
> Maybe we have different expectations of what a driver is.
I mean, Minix ascribes its uptime and reliability to a resurrection server. Is this a much crappier design? Yes. Is it such a bad design that it's malicious? No, that's absurd.
> Maybe we have different expectations of what a driver is.
I expect drivers to defer everything they can to user mode so they don't crash the kernel. That's one of the reasons why APCs exist in the first place.
> Take a look for yourself, even the updated PC Manager Software on their website still has the driver with the goofy shellcode in its installer (no idea if it's just not loaded now):
Oh no, they didn't take that out of their package, but even Microsoft says that they fixed the vulnerability, and quicker than responsible disclosure asks for.
> I see nothing about how this driver doesn't have any other functions.
Obviously, you didn't look at it.
This is the irony of it all. There is nothing simple about writing a device driver to do what literally three lines of code in userland registering a service could have achieved. It is the furthest thing from a rushed design you could possibly do; it is taking the wrong turn 10 times and incurring exponential costs each time. That is why it's called a backdoor or malicious; it demonstrates unique niche knowledge in things that are the furthest imaginable distance from the shitty .NET amalgamation that their actual PC manager software is.
Writing "drivers" that do questionable things for even more questionable reasons seems to be par for the course in the Windows ecosystem. If I understand the whole situation correctly, Fortnite installs WHQL certified kernel driver, whose sole purpose is to cause BSOD when LSASS.EXE maps pages from the Fortnite process...
On the other hand a reliable backdoor that also looks like sloppy code is better, as most of us are familiar with truly awful code it’s a nice layer of plausible deniability.
As the full saying goes.
Never attribute to malice what can be explained by stupidity...but don’t rule out malice.
Perhaps you should because the end result is the same, shit code sinks ships. Somebody could have written it intentionally or somebody could have been a dumbshit. Doesn't matter to me because now my computer is compromised.
The Microsoft article mentions that Windows Defender caught multiple machines performing kernel injections near the same time with this driver as the root cause. Meaning it was already being exploited.
This doesn't mean the actual flaw was malicious, but being actively exploited, it seems intent doesn't really matter.
I don't see anything saying this was being actively exploited; the non malicious use case would set off their scanners on all MateBooks running this driver.
> While monitoring alerts related to kernel-mode attacks, one alert drew our attention:
> The alert process tree showed an abnormal memory allocation and execution in the context of services.exe by a kernel code. Investigating further, we found that an identical alert was fired on another machine around the same time.
This shows code injection taking place, via the exploited code. You are right that they don't mention what code was injected (probably they don't know)
Inspecting MateBookService.exe!main revealed a “startup mode” that revived the service if it’s stopped – some sort of watchdog mechanism meant to keep the Huawei PC Manager main service running.
I agree that it’s hard to prove malice, but why should any PC management software go out of their way to ensure that it never gets shut down?
> ...because it's the hardware management service and if it goes down you're no longer managing the hardware?
I'm no expert on device drivers but to my knowledge, Windows already allows you to manage devices and install drivers through Device Manager.
Then if drivers are already installed for the various devices and hardware components, what exactly is the hardware management service managing on top of the individual drivers?
I am asking this as the only plausible reason to be doing this (at least for me) is if Windows isn’t providing enough tools for device management that needs coordination between the hardware components on the machine, so I would appreciate someone with more knowledge to shed some light on the subject.
Did I say that? The point is that just because it looks like an "honest mistake" doesn't mean it is. If you were to create a backdoor, that's exactly how you'd want to do it.
Given the circumstances, one might wish to err on the side of caution.
Did your drivers also give usermode code the ability to map arbitrary memory addresses of the usermode code's choosing, thus granting full rw access to all memory pages in the system?
Either Huawei's driver developers are both incompetent and stupid or they're injecting malicious backdoors.
> Having been able to freely invoke IOCTL handlers of the driver from user-mode, we looked for other capabilities that can be abused. We found one: the driver provided a capability to map any physical page into user-mode with RW permissions. Invoking this handler allowed a code running with low privileges to read-write beyond the process boundaries—to other processes or even to kernel space. This, of course, means a full machine compromise.
Really? Because MS and others have stated what Huawei did here isn't unheard of.
This is simply news because it's Huawei and many want them to be guilty of backdooring US entities. Perhaps they are, but no more than many other "respected" US companies.
Honest question: is it plausible that someone who is knowledgeable enough to understand and implement this exploit is also oblivious to its exploitability?
Since you make a very strong claim on a very complex topic, would you mind if I asked you to share whether you have expertise / credentials on drivers and security?
Edit: I'm not sure if it's considered appropriate to ask for credentials on HN. There's one way to find out :)
A driver allowing to map any page is like recording a magician from all angles.
The only reasonable usage of such a situation is for the magician him/herself, to study his/her own performance. And even then, it is not usually done that way.
What is so complex about it? This is a very simple code injection technique ported to kernel space. Only, of course, there is essentially no use for code injection in any sort of production software.
Agreed, it looks like the driver is just trying to keep MateBookServices.exe alive in a dumb way.
My guess is someone had a hard time deciphering MSDN rather than some malicious motivation. I've had to wade through the CreateProcess and svchost docs before, the options and security restrictions are labyrinthine. I'm not sure how some Chinese engineer reading a translation could do much better.
I'm all for assuming incompetence over maliciousness, but that requires a certain amount of goodwill and trust toward the perpetrator, which is something Huawei doesn't have.
Without stating a judgment one way or the other on the organization...
Epoch Times is run by Falun Gong.
The Chinese official government line is that Falun Gong is an extremely dangerous cult that should be repressed. I've seen people on the English language internet intentionally comparing it to Jim Jones, David Koresh, etc.
In reality it seems to be more like a Chinese version of Scientology.
From what I've heard, Falun Gong is about making money too. It's basically "hey we'll help you and be real nice to you and help you get back on your feet. Now it's your turn to pay up with donations". Which seems better than Scientology, I'd say it's most comparable to Mormonism.
As far as I know, among them, Falun Gong and The Church of Almighty God were making false promises about their ability to get people "back on their feet".
I don't know why people here are suddenly on fire when they saw me put Falun Gong and cult together. In China, we use the word "神棍"[0] to describe someone who fakes their supernatural ability and pretends to be the messenger of god. And the word came out before the CCP was even a thing, that alone can tell you something, doesn't it?
Honestly, though, Falun Gong is barely even religious. Rather, it is Qi Gong practice with some "spirituality" bullshit. It's better compared to suburban yoga studios that sell smelly candles and "mindfulness" than Scientology, and it was actually pretty popular among PRC urbanites before the crackdown.
> Our discovery of the driver vulnerabilities also highlights the strength of Microsoft Defender ATP's sensors. These sensors expose anomalous behavior and give SecOps personnel the intelligence and tools to investigate threats, as we did.
> Anomalous behaviors typically point to attack techniques perpetrated by adversaries with only malicious intent. In this case, they pointed to a flawed design that can be abused. Nevertheless, Microsoft Defender ATP exposed a security flaw and protected customers before it can even be used in actual attacks.
Seems to me a lot like "the ATP sensors and the SecOps did what they are supposed to do" followed by some self-patting/self-applauding on how good the MS technology and guys are at it.
So these "alerts" are coming from Microsoft's cloud-powered anti-malware service? It's kind of disturbing that they have enough data on Microsoft servers to conduct such an in-depth after-the-fact investigation of events on an endpoint machine. Are businesses really OK with sharing telemetry on this level?