Microsoft finds privilege escalation vulnerability in Huawei driver

While we were monitoring alerts related to kernel-mode attacks, one alert drew our attention.

The alert's process tree showed an abnormal memory allocation and execution in the context of services.exe, initiated by kernel code. Attaching a kernel debugger and setting a breakpoint on the memcpy_s call responsible for copying the parameters from kernel mode to user mode revealed the process being created: one of Huawei's installed services, MateBookService.exe, invoked with “/startup” on its command line. The driver also exposed a handler that, when invoked, allowed code running with low privileges to read and write memory beyond its own process boundaries: into other processes, or even into kernel space.
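The checks a handler like the one described above has to perform before copying memory on a caller's behalf, as an added example in portable C. This is not code from Microsoft's write-up or from the Huawei driver: the request layout, the status codes, the `caller_is_admin` flag and the `check` helper are assumptions made for the example, and `USER_PROBE_ADDRESS` takes the value of MmUserProbeAddress on x64 Windows. The model treats the requested address as a virtual address in the calling process.

```c
/*
 * Added example, not code from the Microsoft write-up or the Huawei driver.
 * Models the validation an IOCTL handler that reads or writes memory for a
 * caller must do before touching the requested range. Request layout, status
 * codes and the privilege flag are hypothetical; the boundary constant mirrors
 * MmUserProbeAddress on x64 Windows.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical request passed in the IOCTL input buffer (16 bytes). */
typedef struct {
    uint64_t address;   /* start of the range the caller wants read or written */
    uint32_t length;    /* number of bytes to transfer */
    uint32_t flags;     /* REQ_WRITE for a write, otherwise a read */
} mem_request_t;

#define REQ_WRITE 0x1u

/* First non-user address on x64 Windows (value of MmUserProbeAddress). */
#define USER_PROBE_ADDRESS 0x00007FFFFFFF0000ull
/* Cap on a single transfer; an arbitrary policy choice for the example. */
#define MAX_TRANSFER 0x100000u

typedef enum {
    REQ_OK = 0,
    REQ_ERR_BUFFER_TOO_SMALL,
    REQ_ERR_ACCESS_DENIED,
    REQ_ERR_UNKNOWN_FLAGS,
    REQ_ERR_BAD_LENGTH,
    REQ_ERR_OVERFLOW,
    REQ_ERR_KERNEL_RANGE
} req_status_t;

/*
 * input_len is the input-buffer length the I/O manager reports for the
 * request; caller_is_admin stands in for a check on the requesting token.
 * Every check runs before any byte of the target range is touched.
 */
req_status_t validate_mem_request(const mem_request_t *req, size_t input_len,
                                  bool caller_is_admin)
{
    /* 1. The declared buffer must be large enough to hold the request. */
    if (input_len < sizeof(*req))
        return REQ_ERR_BUFFER_TOO_SMALL;

    /* 2. Raw memory access is an administrative operation. */
    if (!caller_is_admin)
        return REQ_ERR_ACCESS_DENIED;

    /* 3. Reject flag bits the handler does not define. */
    if (req->flags & ~REQ_WRITE)
        return REQ_ERR_UNKNOWN_FLAGS;

    /* 4. Zero-length and oversized transfers are rejected outright. */
    if (req->length == 0 || req->length > MAX_TRANSFER)
        return REQ_ERR_BAD_LENGTH;

    /* 5. address + length must not wrap around the 64-bit address space. */
    if (req->address > UINT64_MAX - req->length)
        return REQ_ERR_OVERFLOW;

    /* 6. The whole range, end inclusive, must stay below the kernel boundary. */
    if (req->address + req->length > USER_PROBE_ADDRESS)
        return REQ_ERR_KERNEL_RANGE;

    return REQ_OK;
}

/* Convenience wrapper: builds a request and validates it. */
req_status_t check(uint64_t address, uint32_t length, uint32_t flags,
                   size_t input_len, bool caller_is_admin)
{
    mem_request_t req = { address, length, flags };
    return validate_mem_request(&req, input_len, caller_is_admin);
}

int main(void)
{
    /* Constructed sample requests: one benign, one aimed at kernel space,
     * one that wraps around the address space. */
    printf("user range:   %d\n", check(0x10000ull, 0x1000u, 0u, sizeof(mem_request_t), true));
    printf("kernel range: %d\n", check(0xFFFFF80000000000ull, 8u, 0u, sizeof(mem_request_t), true));
    printf("wraparound:   %d\n", check(0xFFFFFFFFFFFFFFF0ull, 0x20u, 0u, sizeof(mem_request_t), true));
    return 0;
}
```

The boundary check only keeps the range below the user/kernel split. It does nothing to protect other processes' memory, and a handler that maps physical memory rather than the caller's own virtual addresses cannot be made safe by range checking at all. The realistic fix is to restrict who can open the device (a security descriptor on the device object) and to remove arbitrary-memory operations from the interface reachable by unprivileged callers entirely.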

Source: www.microsoft.com