Backdoor is such a loaded word to use for a vulnerability. Especially since Huawei is involved. Shame on the person who came up with the title and the reporter who uses the term in the article.
There is no valid reason, ever, for a driver to do what the Huawei driver did here. That should be obvious given the detection methods that Microsoft implemented in the kernel to find and prevent just this behavior.
The Microsoft blog might stop short of calling it malware, but I think we don't need the faux politeness here. The fact that their malware also contained a privilege escalation (the "vulnerability") is merely icing on the cake.
I mean, it's goofy, hacky, and has obvious security flaws but doesn't look malicious. Calling it a "backdoor" ascribes a certain intentionality to the vulnerability that's not clear is warranted. It's about the code quality I expect from the management shovelware that comes preloaded on laptops from any major brand.
What is not malicious about a driver whose pure function (this thing literally has no other value or purpose) is maintaining an invincible NT_AUTHORITY process of their pre-installed management software? And achieving that by allocating a RWX page in services.exe? What are we even doing W^X for?
Maybe we have different expectations of what a driver is. Take a look for yourself, even the updated PC Manager Software on their website still has the driver with the goofy shellcode in its installer (no idea if it's just not loaded now):
> malicious - adj. - having or showing a desire to cause harm to someone
It's goofy, and wouldn't pass a design review that I was a part of, but it isn't "showing a desire to cause harm". It just looks like a rushed design.
> about a driver whose pure function (this thing literally has no other value or purpose)
I see nothing about how this driver doesn't have any other functions.
> is maintaining an invincible NT_AUTHORITY process of their pre-installed management software
Because you want the hardware management process to be resurrected if it fails. They're not gaining anything from an attack perspective by deferring to user mode, the process isn't hidden, and they're already running as a kernel driver so they have full control of the system as it is. In Raymond Chen's parlance, they're already on the other side of the airtight hatch.
> Maybe we have different expectations of what a driver is.
I mean, Minix ascribes its uptime and reliability to a resurrection server. Is this a much crappier design? Yes. Is it such a bad design that it's malicious? No, that's absurd.
> Maybe we have different expectations of what a driver is.
I expect drivers to defer everything they can to user mode so they don't crash the kernel. That's one of the reasons why APCs exist in the first place.
> Take a look for yourself, even the updated PC Manager Software on their website still has the driver with the goofy shellcode in its installer (no idea if it's just not loaded now):
Oh no, they didn't take that out of their package, but even Microsoft says that they fixed the vulnerability, and quicker than responsible disclosure asks for.
> I see nothing about how this driver doesn't have any other functions.
Obviously, you didn't look at it.
This is the irony of it all. There is nothing simple about writing a device driver to do what literally three lines of code in userland registering a service could have achieved. It is the furthest thing from a rushed design you could possibly do; it is taking the wrong turn 10 times and incurring exponential costs each time. That is why it's called a backdoor or malicious; it demonstrates unique niche knowledge in things that are the furthest imaginable distance from the shitty .NET amalgamation that their actual PC manager software is.
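The user-mode route this comment refers to (registering the watchdog with the Service Control Manager instead of a kernel driver), as an added example that is not from the thread; the service name and binary path are placeholders:

```powershell
# Added example, not code from the thread or from Huawei's PC Manager.
# Placeholder service name and binary path; substitute your own.
$svc = 'ExampleMgmtService'
$exe = 'C:\Program Files\Example\ExampleMgmt.exe'

# 1. Register the service to run as LocalSystem and start at boot.
New-Service -Name $svc -BinaryPathName "`"$exe`"" `
    -DisplayName 'Example Management Service' -StartupType Automatic

# 2. Let SCM restart the process when it dies: three restarts 5 s apart,
#    with the failure counter reset after 24 h (86400 s).
sc.exe failure $svc reset= 86400 actions= restart/5000/restart/5000/restart/5000

# 3. Treat a stop with a non-zero exit code as a failure too, so those
#    restarts also apply when the service exits on its own with an error.
sc.exe failureflag $svc 1

# 4. Show the recovery configuration SCM recorded.
sc.exe qfailure $svc
```

As the later comment about deadlocks points out, SCM only reacts when the process exits, so a hung service still needs its own liveness check.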
Quote the piece of the article that says that the driver has no other functions.
Particularly given that they describe how there's multiple ioctls.
And I can tell you from experience that relying on the service manager for a full watchdog solution is fraught with peril. It'll catch hard crashes, but not for instance dead locks.
Writing "drivers" that do questionable things for even more questionable reasons seems to be par for the course in the Windows ecosystem. If I understand the whole situation correctly, Fortnite installs a WHQL-certified kernel driver whose sole purpose is to cause a BSOD when LSASS.EXE maps pages from the Fortnite process...
On the other hand a reliable backdoor that also looks like sloppy code is better, as most of us are familiar with truly awful code it’s a nice layer of plausible deniability.
As the full saying goes.
Never attribute to malice what can be explained by stupidity...but don’t rule out malice.
Perhaps you should because the end result is the same, shit code sinks ships. Somebody could have written it intentionally or somebody could have been a dumbshit. Doesn't matter to me because now my computer is compromised.
The Microsoft article mentions that Windows Defender caught multiple machines performing kernel injections near the same time with this driver as the root cause. Meaning it was already being exploited.
This doesn't mean the actual flaw was malicious, but being actively exploited, it seems intent doesn't really matter.
I don't see anything saying this was being actively exploited; the non-malicious use case would set off their scanners on all MateBooks running this driver.
> While monitoring alerts related to kernel-mode attacks, one alert drew our attention:
> The alert process tree showed an abnormal memory allocation and execution in the context of services.exe by a kernel code. Investigating further, we found that an identical alert was fired on another machine around the same time.
This shows code injection taking place, via the exploited code. You are right that they don't mention what code was injected (probably they don't know).
Inspecting MateBookService.exe!main revealed a “startup mode” that revived the service if it’s stopped – some sort of watchdog mechanism meant to keep the Huawei PC Manager main service running.
I agree that it’s hard to prove malice, but why should any PC management software go out of their way to ensure that it never gets shut down?
> ...because it's the hardware management service and if it goes down you're no longer managing the hardware?
I’m no expert on device drivers but to my knowledge, Windows already allows you to manage devices and install drivers through Device Managers.
Then if drivers are already installed for the various devices and hardware components, what exactly is the hardware management service managing on top of the individual drivers?
I am asking this as the only plausible reason to be doing this (at least for me) is if Windows isn’t providing enough tools for device management that needs coordination between the hardware components on the machine, so I would appreciate someone with more knowledge to shed some light on the subject.
Device Manager only handles kernel drivers. Best practice is to put as much as possible into a highly privileged, but still user mode process so it can crash without bluescreening your system. If you assume that this code can crash (hence why it was delegated to user mode in the first place) it makes sense to code in a resurrection capability.
Did I say that? The point is that just because it looks like an "honest mistake" doesn't mean it is. If you were to create a backdoor, that's exactly how you'd want to do it.
Given the circumstances, one might wish to err on the side of caution.
Did your drivers also give usermode code the ability to map arbitrary memory addresses of the usermode code's choosing, thus granting full rw access to all memory pages in the system?
Either Huawei's driver developers are both incompetent and stupid or they're injecting malicious backdoors.
> Having been able to freely invoke IOCTL handlers of the driver from user-mode, we looked for other capabilities that can be abused. We found one: the driver provided a capability to map any physical page into user-mode with RW permissions. Invoking this handler allowed a code running with low privileges to read-write beyond the process boundaries—to other processes or even to kernel space. This, of course, means a full machine compromise.
Really? Because MS and others have stated what Huawei did here isn't unheard of.
This is simply news because it's Huawei and many want them to be guilty of backdooring US entities. Perhaps they are, but no more than many other "respected" US companies.
Honest question: is it plausible that someone who is knowledgeable enough to understand and implement this exploit is also oblivious to its exploitability?
Since you make a very strong claim on a very complex topic, would you mind if I asked you to share whether you have expertise / credentials on drivers and security?
Edit: I'm not sure if it's considered appropriate to ask for credentials on HN. There's one way to find out :)
A driver allowing to map any page is like recording a magician from all angles.
The only reasonable usage of such a situation is for the magician him/herself, to study his/her own performance. And even then, it is not usually done that way.
What is so complex about it? This is a very simple code injection technique ported to kernel space. Only, of course, there is essentially no use for code injection in any sort of production software.
Agreed, it looks like the driver is just trying to keep MateBookServices.exe alive in a dumb way.
My guess is someone had a hard time deciphering MSDN rather than some malicious motivation. I've had to wade through the CreateProcess and svchost docs before; the options and security restrictions are labyrinthine. I'm not sure how some Chinese engineer reading a translation could do much better.
I'm all for assuming incompetence over maliciousness, but that requires a certain amount of goodwill and trust toward the perpetrator, which is something Huawei doesn't have.
Without stating a judgment one way or the other on the organization...
Epoch Times is run by Falun Gong.
The Chinese official government line is that Falun Gong is an extremely dangerous cult that should be repressed. I've seen people on the English language internet intentionally comparing it to Jim Jones, David Koresh, etc.
In reality it seems to be more like a Chinese version of Scientology.
From what I've heard, Falun Gong is about making money too. It's basically "hey, we'll help you and be real nice to you and help you get back on your feet. Now it's your turn to pay up with donations". Which seems better than Scientology; I'd say it's most comparable to Mormonism.
As far as I know, among them, Falun Gong and The Church of Almighty God were making false promises about their ability to get people back on their feet.
I don't know why people here are suddenly on fire when they saw me put Falun Gong and cult together. In China, we use the word "神棍"[0] to describe someone who fakes their supernatural ability and pretends to be the messenger of god. And the word came out before the CCP was even a thing; that alone can tell you something, doesn't it?
Honestly, though, Falun Gong is barely even religious. Rather, it is Qi Gong practice with some "spirituality" bullshit. It's better compared to suburban yoga studios that sell smelly candles and "mindfulness" than Scientology, and it was actually pretty popular among PRC urbanites before the crackdown.