ID 1337DAY-ID-32733
Type zdt
Reporter LiquidWorm
Modified 2019-05-19T00:00:00
Description
Exploit for windows platform in category dos / poc
Huawei eSpace Meeting Image File Format Handling Buffer Overflow Vulnerability
Vendor: Huawei Technologies Co., Ltd.
Product web page: https://www.huawei.com
Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
Summary: Create more convenient Enhanced Communications (EC) services for your
enterprise with this suite of products. Huawei’s EC Suite (ECS) solution combines
voice, data, video, and service streams, and provides users with easy and secure
access to their service platform from any device, in any place, at any time. The
eSpace Meeting allows you to join meetings that support voice, data, and video
functions using the PC client, the tablet client, or an IP phone, or in a meeting
room with an MT deployed.
Desc: eSpace Meeting conference whiteboard functionality is vulnerable to a buffer
overflow issue when inserting known image file formats. Attackers can exploit this
issue to execute arbitrary code within the context of the affected application.
Failed exploit attempts will likely result in denial-of-service conditions.
Vuln modules (no DEP/ASLR):
C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll
C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.dll
Tested on: Microsoft Windows 7 Professional
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
23.09.2014
Patched version: V100R001C03
Vuln ID: HWPSIRT-2014-1156
CVE ID: CVE-2014-9417
Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589
--
Reference magic numbers (hex signature):
JPG/JPEG - FF D8 FF
BMP - 42 4D
PNG - 89 50 4E 47 0D 0A 1A 0A
0:024> g
CClassMgrFrameWnd::OnKeyUp lParam = -1072758783Get config of string parameter:box, value:
(2110.2258): Unknown exception - code c0000002 (first chance)
(2110.2258): Unknown exception - code c0000002 (first chance)
(2110.1b08): C++ EH exception - code e06d7363 (first chance)
(2110.1b08): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=036de3f4 ebx=01709870 ecx=00000003 edx=00000000 esi=7c380edc edi=036de484
eip=75ae812f esp=036de3f4 ebp=036de444 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll -
KERNELBASE!RaiseException+0x54:
75ae812f c9 leave
0:008> d esp
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\MSVCR71.dll -
036de3f4 63 73 6d e0 01 00 00 00-00 00 00 00 2f 81 ae 75 csm........./..u
036de404 03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c .... .....m.0.=|
036de414 00 00 00 00 18 00 00 00-14 33 41 7c 60 e4 6d 03 .........3A|`.m.
036de424 b3 16 34 7c 00 00 9c 01-00 00 00 00 b8 16 34 7c ..4|..........4|
036de434 44 4b 41 7c 98 e4 6d 03-70 98 70 01 98 98 70 01 DKA|..m.p.p...p.
036de444 84 e4 6d 03 ed 9a 35 7c-63 73 6d e0 01 00 00 00 ..m...5|csm.....
036de454 03 00 00 00 78 e4 6d 03-98 98 70 01 54 16 3d 7c ....x.m...p.T.=|
036de464 63 73 6d e0 01 00 00 00-00 00 00 00 00 00 00 00 csm.............
0:008> d
036de474 03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c .... .....m.0.=|
036de484 a8 e4 6d 03 5a 8b 3c 7c-98 e4 6d 03 30 82 3d 7c ..m.Z.<|..m.0.=|
036de494 54 2b fc ab 54 16 3d 7c-58 a9 71 01 01 00 00 00 T+..T.=|X.q.....
036de4a4 70 16 3d 7c 3c e8 6d 03-e0 d9 b0 04 00 00 00 00 p.=|<.m.........
036de4b4 66 13 af 04 54 2b fc ab-80 94 6f 01 3c e8 6d 03 f...T+....o.<.m.
036de4c4 30 ed 6d 03 00 00 00 00-ec e4 6d 03 00 00 00 00 0.m.......m.....
036de4d4 0b 00 00 00 00 00 00 00-41 41 41 41 41 41 41 41 ........AAAAAAAA
036de4e4 41 41 41 41 41 41 41 41-28 00 00 00 41 41 00 00 AAAAAAAA(...AA..
0:008> d
036de4f4 41 41 00 00 41 41 41 41-00 00 00 00 54 2b fc ab AA..AAAA....T+..
036de504 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
036de514 00 00 00 00 24 ed 6d 03-22 a0 af 76 43 f0 ed 63 ....$.m."..vC..c
036de524 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
036de534 30 ed 6d 03 45 76 58 06-42 4d 00 0d 41 41 41 41 0.m.EvX.BM..AAAA
036de544 41 41 41 41 41 41 6d 03-3b 23 af 04 3c e8 6d 03 AAAAAAm.;#..<.m.
036de554 80 94 6f 01 88 ef 6d 03-05 02 00 00 00 00 00 00 ..o...m.........
036de564 73 00 70 00 84 f2 b0 04-00 00 00 00 00 00 00 00 s.p.............
0:008> d
036de574 42 4d 00 0d 41 41 41 41-41 41 41 41 41 41 41 41 BM..AAAAAAAAAAAA
036de584 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
036de594 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
036de5a4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
036de5b4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
036de5c4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
036de5d4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
036de5e4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
--
PNG Decoder error msg:$s
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
(1874.2274): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=015d8998 edx=00000000 esi=015d8ab8 edi=00000000
eip=025f1b99 esp=032ccc88 ebp=032cd0c4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll -
classmgr+0x11b99:
025f1b99 8b9868060000 mov ebx,dword ptr [eax+668h] ds:0023:00000668=????????
--
JPEG datastream contains no image
Improper call to JPEG library in state 200
(1f88.2768): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=a2afcfb5 edx=00000000 esi=0352e318 edi=000000cc
eip=0491b035 esp=0352e2c8 ebp=0352ed30 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
*** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.DLL
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.DLL -
MiniGDIEx!DllUnregisterServer+0x2f95:
0491b035 ff10 call dword ptr [eax] ds:0023:00000000=????????
---
PoC files:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46867.zip
# 0day.today [2019-05-21] #
{"id": "1337DAY-ID-32733", "bulletinFamily": "exploit", "title": "Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow Exploit", "description": "Exploit for windows platform in category dos / poc", "published": "2019-05-19T00:00:00", "modified": "2019-05-19T00:00:00", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://0day.today/exploit/description/32733", "reporter": "LiquidWorm", "references": [], "cvelist": ["CVE-2014-9417"], "type": "zdt", "lastseen": "2019-05-21T01:53:06", "edition": 1, "viewCount": 27, "enchantments": {"score": {"value": 8.0, "vector": "NONE", "modified": "2019-05-21T01:53:06", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-9417"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:1BDBDBB9B00355323D0907B04CF28CA4"]}, {"type": "exploitdb", "idList": ["EDB-ID:46867"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20141217-ESPACE"]}], "modified": "2019-05-21T01:53:06", "rev": 2}, "vulnersScore": 8.0}, "sourceHref": "https://0day.today/exploit/32733", "sourceData": "Huawei eSpace Meeting Image File Format Handling Buffer Overflow Vulnerability\r\n\r\n\r\nVendor: Huawei Technologies Co., Ltd.\r\nProduct web page: https://www.huawei.com\r\nAffected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)\r\n\r\nSummary: Create more convenient Enhanced Communications (EC) services for your\r\nenterprise with this suite of products. Huawei\u2019s EC Suite (ECS) solution combines\r\nvoice, data, video, and service streams, and provides users with easy and secure\r\naccess to their service platform from any device, in any place, at any time. The\r\neSpace Meeting allows you to join meetings that support voice, data, and video\r\nfunctions using the PC client, the tablet client, or an IP phone, or in a meeting\r\nroom with an MT deployed.\r\n\r\nDesc: eSpace Meeting conference whiteboard functionality is vulnerable to a buffer\r\noverflow issue when inserting known image file formats. Attackers can exploit this\r\nissue to execute arbitrary code within the context of the affected application.\r\nFailed exploit attempts will likely result in denial-of-service conditions.\r\n\r\nVuln modules (no DEP/ASLR):\r\nC:\\Program Files\\eSpace-ecs\\conf\\cwbin\\classmgr.dll\r\nC:\\Program Files\\eSpace-ecs\\conf\\cwbin\\MiniGDIEx.dll\r\n\r\nTested on: Microsoft Windows 7 Professional\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n\r\n23.09.2014\r\n\r\nPatched version: V100R001C03\r\nVuln ID: HWPSIRT-2014-1156\r\nCVE ID: CVE-2014-9417\r\nAdvisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589\r\n\r\n--\r\n\r\n\r\nReference magic numbers (hex signature):\r\n\r\nJPG/JPEG - FF D8 FF\r\nBMP - 42 4D\r\nPNG - 89 50 4E 47 0D 0A 1A 0A\r\n\r\n0:024> g\r\nCClassMgrFrameWnd::OnKeyUp lParam = -1072758783Get config of string parameter:box, value: \r\n(2110.2258): Unknown exception - code c0000002 (first chance)\r\n(2110.2258): Unknown exception - code c0000002 (first chance)\r\n(2110.1b08): C++ EH exception - code e06d7363 (first chance)\r\n(2110.1b08): C++ EH exception - code e06d7363 (!!! second chance !!!)\r\neax=036de3f4 ebx=01709870 ecx=00000003 edx=00000000 esi=7c380edc edi=036de484\r\neip=75ae812f esp=036de3f4 ebp=036de444 iopl=0 nv up ei pl nz ac po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Windows\\system32\\KERNELBASE.dll - \r\nKERNELBASE!RaiseException+0x54:\r\n75ae812f c9 leave\r\n0:008> d esp\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\MSVCR71.dll - \r\n036de3f4 63 73 6d e0 01 00 00 00-00 00 00 00 2f 81 ae 75 csm........./..u\r\n036de404 03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c .... .....m.0.=|\r\n036de414 00 00 00 00 18 00 00 00-14 33 41 7c 60 e4 6d 03 .........3A|`.m.\r\n036de424 b3 16 34 7c 00 00 9c 01-00 00 00 00 b8 16 34 7c ..4|..........4|\r\n036de434 44 4b 41 7c 98 e4 6d 03-70 98 70 01 98 98 70 01 DKA|..m.p.p...p.\r\n036de444 84 e4 6d 03 ed 9a 35 7c-63 73 6d e0 01 00 00 00 ..m...5|csm.....\r\n036de454 03 00 00 00 78 e4 6d 03-98 98 70 01 54 16 3d 7c ....x.m...p.T.=|\r\n036de464 63 73 6d e0 01 00 00 00-00 00 00 00 00 00 00 00 csm.............\r\n0:008> d\r\n036de474 03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c .... .....m.0.=|\r\n036de484 a8 e4 6d 03 5a 8b 3c 7c-98 e4 6d 03 30 82 3d 7c ..m.Z.<|..m.0.=|\r\n036de494 54 2b fc ab 54 16 3d 7c-58 a9 71 01 01 00 00 00 T+..T.=|X.q.....\r\n036de4a4 70 16 3d 7c 3c e8 6d 03-e0 d9 b0 04 00 00 00 00 p.=|<.m.........\r\n036de4b4 66 13 af 04 54 2b fc ab-80 94 6f 01 3c e8 6d 03 f...T+....o.<.m.\r\n036de4c4 30 ed 6d 03 00 00 00 00-ec e4 6d 03 00 00 00 00 0.m.......m.....\r\n036de4d4 0b 00 00 00 00 00 00 00-41 41 41 41 41 41 41 41 ........AAAAAAAA\r\n036de4e4 41 41 41 41 41 41 41 41-28 00 00 00 41 41 00 00 AAAAAAAA(...AA..\r\n0:008> d\r\n036de4f4 41 41 00 00 41 41 41 41-00 00 00 00 54 2b fc ab AA..AAAA....T+..\r\n036de504 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\r\n036de514 00 00 00 00 24 ed 6d 03-22 a0 af 76 43 f0 ed 63 ....$.m.\"..vC..c\r\n036de524 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\r\n036de534 30 ed 6d 03 45 76 58 06-42 4d 00 0d 41 41 41 41 0.m.EvX.BM..AAAA\r\n036de544 41 41 41 41 41 41 6d 03-3b 23 af 04 3c e8 6d 03 AAAAAAm.;#..<.m.\r\n036de554 80 94 6f 01 88 ef 6d 03-05 02 00 00 00 00 00 00 ..o...m.........\r\n036de564 73 00 70 00 84 f2 b0 04-00 00 00 00 00 00 00 00 s.p.............\r\n0:008> d\r\n036de574 42 4d 00 0d 41 41 41 41-41 41 41 41 41 41 41 41 BM..AAAAAAAAAAAA\r\n036de584 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n036de594 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n036de5a4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n036de5b4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n036de5c4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n036de5d4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n036de5e4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n\r\n--\r\n\r\nPNG Decoder error msg:$s\r\nInvalid parameter passed to C runtime function.\r\nInvalid parameter passed to C runtime function.\r\n(1874.2274): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=00000000 ebx=00000000 ecx=015d8998 edx=00000000 esi=015d8ab8 edi=00000000\r\neip=025f1b99 esp=032ccc88 ebp=032cd0c4 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\r\n*** WARNING: Unable to verify checksum for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\classmgr.dll\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\classmgr.dll - \r\nclassmgr+0x11b99:\r\n025f1b99 8b9868060000 mov ebx,dword ptr [eax+668h] ds:0023:00000668=????????\r\n\r\n--\r\n\r\nJPEG datastream contains no image\r\nImproper call to JPEG library in state 200\r\n(1f88.2768): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=00000000 ebx=00000000 ecx=a2afcfb5 edx=00000000 esi=0352e318 edi=000000cc\r\neip=0491b035 esp=0352e2c8 ebp=0352ed30 iopl=0 nv up ei ng nz ac pe cy\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297\r\n*** WARNING: Unable to verify checksum for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\MiniGDIEx.DLL\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\MiniGDIEx.DLL - \r\nMiniGDIEx!DllUnregisterServer+0x2f95:\r\n0491b035 ff10 call dword ptr [eax] ds:0023:00000000=????????\r\n\r\n---\r\n\r\nPoC files:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46867.zip\n\n# 0day.today [2019-05-21] #"}
{"cve": [{"lastseen": "2020-12-09T19:58:29", "description": "The Meeting component in Huawei eSpace Desktop before V100R001C03 allows local users to cause a denial of service (program exit) via a crafted image.", "edition": 5, "cvss3": {}, "published": "2014-12-24T18:59:00", "title": "CVE-2014-9417", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9417"], "modified": "2019-05-20T17:29:00", "cpe": ["cpe:/a:huawei:espace_desktop:v100r001c03"], "id": "CVE-2014-9417", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9417", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:huawei:espace_desktop:v100r001c03:*:*:*:*:*:*:*"]}], "exploitpack": [{"lastseen": "2020-04-01T19:04:19", "description": "\nHuawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow", "edition": 1, "published": "2019-05-20T00:00:00", "title": "Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-9417"], "modified": "2019-05-20T00:00:00", "id": "EXPLOITPACK:1BDBDBB9B00355323D0907B04CF28CA4", "href": "", "sourceData": "Huawei eSpace Meeting Image File Format Handling Buffer Overflow Vulnerability\n\n\nVendor: Huawei Technologies Co., Ltd.\nProduct web page: https://www.huawei.com\nAffected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)\n\nSummary: Create more convenient Enhanced Communications (EC) services for your\nenterprise with this suite of products. Huawei\u2019s EC Suite (ECS) solution combines\nvoice, data, video, and service streams, and provides users with easy and secure\naccess to their service platform from any device, in any place, at any time. The\neSpace Meeting allows you to join meetings that support voice, data, and video\nfunctions using the PC client, the tablet client, or an IP phone, or in a meeting\nroom with an MT deployed.\n\nDesc: eSpace Meeting conference whiteboard functionality is vulnerable to a buffer\noverflow issue when inserting known image file formats. Attackers can exploit this\nissue to execute arbitrary code within the context of the affected application.\nFailed exploit attempts will likely result in denial-of-service conditions.\n\nVuln modules (no DEP/ASLR):\nC:\\Program Files\\eSpace-ecs\\conf\\cwbin\\classmgr.dll\nC:\\Program Files\\eSpace-ecs\\conf\\cwbin\\MiniGDIEx.dll\n\nTested on: Microsoft Windows 7 Professional\n\n\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\n\n23.09.2014\n\nPatched version: V100R001C03\nVuln ID: HWPSIRT-2014-1156\nCVE ID: CVE-2014-9417\nAdvisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589\n\n--\n\n\nReference magic numbers (hex signature):\n\nJPG/JPEG - FF D8 FF\nBMP - 42 4D\nPNG - 89 50 4E 47 0D 0A 1A 0A\n\n0:024> g\nCClassMgrFrameWnd::OnKeyUp lParam = -1072758783Get config of string parameter:box, value: \n(2110.2258): Unknown exception - code c0000002 (first chance)\n(2110.2258): Unknown exception - code c0000002 (first chance)\n(2110.1b08): C++ EH exception - code e06d7363 (first chance)\n(2110.1b08): C++ EH exception - code e06d7363 (!!! second chance !!!)\neax=036de3f4 ebx=01709870 ecx=00000003 edx=00000000 esi=7c380edc edi=036de484\neip=75ae812f esp=036de3f4 ebp=036de444 iopl=0 nv up ei pl nz ac po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Windows\\system32\\KERNELBASE.dll - \nKERNELBASE!RaiseException+0x54:\n75ae812f c9 leave\n0:008> d esp\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\MSVCR71.dll - \n036de3f4 63 73 6d e0 01 00 00 00-00 00 00 00 2f 81 ae 75 csm........./..u\n036de404 03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c .... .....m.0.=|\n036de414 00 00 00 00 18 00 00 00-14 33 41 7c 60 e4 6d 03 .........3A|`.m.\n036de424 b3 16 34 7c 00 00 9c 01-00 00 00 00 b8 16 34 7c ..4|..........4|\n036de434 44 4b 41 7c 98 e4 6d 03-70 98 70 01 98 98 70 01 DKA|..m.p.p...p.\n036de444 84 e4 6d 03 ed 9a 35 7c-63 73 6d e0 01 00 00 00 ..m...5|csm.....\n036de454 03 00 00 00 78 e4 6d 03-98 98 70 01 54 16 3d 7c ....x.m...p.T.=|\n036de464 63 73 6d e0 01 00 00 00-00 00 00 00 00 00 00 00 csm.............\n0:008> d\n036de474 03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c .... .....m.0.=|\n036de484 a8 e4 6d 03 5a 8b 3c 7c-98 e4 6d 03 30 82 3d 7c ..m.Z.<|..m.0.=|\n036de494 54 2b fc ab 54 16 3d 7c-58 a9 71 01 01 00 00 00 T+..T.=|X.q.....\n036de4a4 70 16 3d 7c 3c e8 6d 03-e0 d9 b0 04 00 00 00 00 p.=|<.m.........\n036de4b4 66 13 af 04 54 2b fc ab-80 94 6f 01 3c e8 6d 03 f...T+....o.<.m.\n036de4c4 30 ed 6d 03 00 00 00 00-ec e4 6d 03 00 00 00 00 0.m.......m.....\n036de4d4 0b 00 00 00 00 00 00 00-41 41 41 41 41 41 41 41 ........AAAAAAAA\n036de4e4 41 41 41 41 41 41 41 41-28 00 00 00 41 41 00 00 AAAAAAAA(...AA..\n0:008> d\n036de4f4 41 41 00 00 41 41 41 41-00 00 00 00 54 2b fc ab AA..AAAA....T+..\n036de504 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\n036de514 00 00 00 00 24 ed 6d 03-22 a0 af 76 43 f0 ed 63 ....$.m.\"..vC..c\n036de524 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\n036de534 30 ed 6d 03 45 76 58 06-42 4d 00 0d 41 41 41 41 0.m.EvX.BM..AAAA\n036de544 41 41 41 41 41 41 6d 03-3b 23 af 04 3c e8 6d 03 AAAAAAm.;#..<.m.\n036de554 80 94 6f 01 88 ef 6d 03-05 02 00 00 00 00 00 00 ..o...m.........\n036de564 73 00 70 00 84 f2 b0 04-00 00 00 00 00 00 00 00 s.p.............\n0:008> d\n036de574 42 4d 00 0d 41 41 41 41-41 41 41 41 41 41 41 41 BM..AAAAAAAAAAAA\n036de584 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n036de594 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n036de5a4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n036de5b4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n036de5c4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n036de5d4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n036de5e4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n\n--\n\nPNG Decoder error msg:$s\nInvalid parameter passed to C runtime function.\nInvalid parameter passed to C runtime function.\n(1874.2274): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\neax=00000000 ebx=00000000 ecx=015d8998 edx=00000000 esi=015d8ab8 edi=00000000\neip=025f1b99 esp=032ccc88 ebp=032cd0c4 iopl=0 nv up ei pl nz na po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\n*** WARNING: Unable to verify checksum for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\classmgr.dll\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\classmgr.dll - \nclassmgr+0x11b99:\n025f1b99 8b9868060000 mov ebx,dword ptr [eax+668h] ds:0023:00000668=????????\n\n--\n\nJPEG datastream contains no image\nImproper call to JPEG library in state 200\n(1f88.2768): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\neax=00000000 ebx=00000000 ecx=a2afcfb5 edx=00000000 esi=0352e318 edi=000000cc\neip=0491b035 esp=0352e2c8 ebp=0352ed30 iopl=0 nv up ei ng nz ac pe cy\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297\n*** WARNING: Unable to verify checksum for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\MiniGDIEx.DLL\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\MiniGDIEx.DLL - \nMiniGDIEx!DllUnregisterServer+0x2f95:\n0491b035 ff10 call dword ptr [eax] ds:0023:00000000=????????\n\n---\n\nPoC files:\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46867.zip", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "exploitdb": [{"lastseen": "2019-05-20T08:19:52", "description": "", "published": "2019-05-20T00:00:00", "type": "exploitdb", "title": "Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-9417"], "modified": "2019-05-20T00:00:00", "id": "EDB-ID:46867", "href": "https://www.exploit-db.com/exploits/46867", "sourceData": "Huawei eSpace Meeting Image File Format Handling Buffer Overflow Vulnerability\r\n\r\n\r\nVendor: Huawei Technologies Co., Ltd.\r\nProduct web page: https://www.huawei.com\r\nAffected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)\r\n\r\nSummary: Create more convenient Enhanced Communications (EC) services for your\r\nenterprise with this suite of products. Huawei\u2019s EC Suite (ECS) solution combines\r\nvoice, data, video, and service streams, and provides users with easy and secure\r\naccess to their service platform from any device, in any place, at any time. The\r\neSpace Meeting allows you to join meetings that support voice, data, and video\r\nfunctions using the PC client, the tablet client, or an IP phone, or in a meeting\r\nroom with an MT deployed.\r\n\r\nDesc: eSpace Meeting conference whiteboard functionality is vulnerable to a buffer\r\noverflow issue when inserting known image file formats. Attackers can exploit this\r\nissue to execute arbitrary code within the context of the affected application.\r\nFailed exploit attempts will likely result in denial-of-service conditions.\r\n\r\nVuln modules (no DEP/ASLR):\r\nC:\\Program Files\\eSpace-ecs\\conf\\cwbin\\classmgr.dll\r\nC:\\Program Files\\eSpace-ecs\\conf\\cwbin\\MiniGDIEx.dll\r\n\r\nTested on: Microsoft Windows 7 Professional\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n\r\n23.09.2014\r\n\r\nPatched version: V100R001C03\r\nVuln ID: HWPSIRT-2014-1156\r\nCVE ID: CVE-2014-9417\r\nAdvisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589\r\n\r\n--\r\n\r\n\r\nReference magic numbers (hex signature):\r\n\r\nJPG/JPEG - FF D8 FF\r\nBMP - 42 4D\r\nPNG - 89 50 4E 47 0D 0A 1A 0A\r\n\r\n0:024> g\r\nCClassMgrFrameWnd::OnKeyUp lParam = -1072758783Get config of string parameter:box, value: \r\n(2110.2258): Unknown exception - code c0000002 (first chance)\r\n(2110.2258): Unknown exception - code c0000002 (first chance)\r\n(2110.1b08): C++ EH exception - code e06d7363 (first chance)\r\n(2110.1b08): C++ EH exception - code e06d7363 (!!! second chance !!!)\r\neax=036de3f4 ebx=01709870 ecx=00000003 edx=00000000 esi=7c380edc edi=036de484\r\neip=75ae812f esp=036de3f4 ebp=036de444 iopl=0 nv up ei pl nz ac po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Windows\\system32\\KERNELBASE.dll - \r\nKERNELBASE!RaiseException+0x54:\r\n75ae812f c9 leave\r\n0:008> d esp\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\MSVCR71.dll - \r\n036de3f4 63 73 6d e0 01 00 00 00-00 00 00 00 2f 81 ae 75 csm........./..u\r\n036de404 03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c .... .....m.0.=|\r\n036de414 00 00 00 00 18 00 00 00-14 33 41 7c 60 e4 6d 03 .........3A|`.m.\r\n036de424 b3 16 34 7c 00 00 9c 01-00 00 00 00 b8 16 34 7c ..4|..........4|\r\n036de434 44 4b 41 7c 98 e4 6d 03-70 98 70 01 98 98 70 01 DKA|..m.p.p...p.\r\n036de444 84 e4 6d 03 ed 9a 35 7c-63 73 6d e0 01 00 00 00 ..m...5|csm.....\r\n036de454 03 00 00 00 78 e4 6d 03-98 98 70 01 54 16 3d 7c ....x.m...p.T.=|\r\n036de464 63 73 6d e0 01 00 00 00-00 00 00 00 00 00 00 00 csm.............\r\n0:008> d\r\n036de474 03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c .... .....m.0.=|\r\n036de484 a8 e4 6d 03 5a 8b 3c 7c-98 e4 6d 03 30 82 3d 7c ..m.Z.<|..m.0.=|\r\n036de494 54 2b fc ab 54 16 3d 7c-58 a9 71 01 01 00 00 00 T+..T.=|X.q.....\r\n036de4a4 70 16 3d 7c 3c e8 6d 03-e0 d9 b0 04 00 00 00 00 p.=|<.m.........\r\n036de4b4 66 13 af 04 54 2b fc ab-80 94 6f 01 3c e8 6d 03 f...T+....o.<.m.\r\n036de4c4 30 ed 6d 03 00 00 00 00-ec e4 6d 03 00 00 00 00 0.m.......m.....\r\n036de4d4 0b 00 00 00 00 00 00 00-41 41 41 41 41 41 41 41 ........AAAAAAAA\r\n036de4e4 41 41 41 41 41 41 41 41-28 00 00 00 41 41 00 00 AAAAAAAA(...AA..\r\n0:008> d\r\n036de4f4 41 41 00 00 41 41 41 41-00 00 00 00 54 2b fc ab AA..AAAA....T+..\r\n036de504 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\r\n036de514 00 00 00 00 24 ed 6d 03-22 a0 af 76 43 f0 ed 63 ....$.m.\"..vC..c\r\n036de524 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\r\n036de534 30 ed 6d 03 45 76 58 06-42 4d 00 0d 41 41 41 41 0.m.EvX.BM..AAAA\r\n036de544 41 41 41 41 41 41 6d 03-3b 23 af 04 3c e8 6d 03 AAAAAAm.;#..<.m.\r\n036de554 80 94 6f 01 88 ef 6d 03-05 02 00 00 00 00 00 00 ..o...m.........\r\n036de564 73 00 70 00 84 f2 b0 04-00 00 00 00 00 00 00 00 s.p.............\r\n0:008> d\r\n036de574 42 4d 00 0d 41 41 41 41-41 41 41 41 41 41 41 41 BM..AAAAAAAAAAAA\r\n036de584 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n036de594 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n036de5a4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n036de5b4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n036de5c4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n036de5d4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n036de5e4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\r\n\r\n--\r\n\r\nPNG Decoder error msg:$s\r\nInvalid parameter passed to C runtime function.\r\nInvalid parameter passed to C runtime function.\r\n(1874.2274): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=00000000 ebx=00000000 ecx=015d8998 edx=00000000 esi=015d8ab8 edi=00000000\r\neip=025f1b99 esp=032ccc88 ebp=032cd0c4 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\r\n*** WARNING: Unable to verify checksum for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\classmgr.dll\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\classmgr.dll - \r\nclassmgr+0x11b99:\r\n025f1b99 8b9868060000 mov ebx,dword ptr [eax+668h] ds:0023:00000668=????????\r\n\r\n--\r\n\r\nJPEG datastream contains no image\r\nImproper call to JPEG library in state 200\r\n(1f88.2768): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=00000000 ebx=00000000 ecx=a2afcfb5 edx=00000000 esi=0352e318 edi=000000cc\r\neip=0491b035 esp=0352e2c8 ebp=0352ed30 iopl=0 nv up ei ng nz ac pe cy\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297\r\n*** WARNING: Unable to verify checksum for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\MiniGDIEx.DLL\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\eSpace-ecs\\conf\\cwbin\\MiniGDIEx.DLL - \r\nMiniGDIEx!DllUnregisterServer+0x2f95:\r\n0491b035 ff10 call dword ptr [eax] ds:0023:00000000=????????\r\n\r\n---\r\n\r\nPoC files:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46867.zip", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/46867"}], "huawei": [{"lastseen": "2019-02-01T18:01:09", "bulletinFamily": "software", "cvelist": ["CVE-2014-9415", "CVE-2014-9418", "CVE-2014-9416", "CVE-2014-9417"], "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "edition": 1, "modified": "2015-03-20T00:00:00", "published": "2014-12-17T00:00:00", "id": "HUAWEI-SA-20141217-ESPACE", "href": "https://www.huawei.com/en/psirt/security-advisories/2015/hw-406589", "title": "Security Advisory-Multiple Vulnerabilities in Huawei eSpace Desktop Product", "type": "huawei", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
