BugTraq
BFS-SA-2016-003: Huawei HiSuite Insecure Service Directory ACLs Jun 29 2016 10:24PM
Blue Frost Security Research Lab (research bluefrostsecurity de)
________________________________________________________________________

Vendor: Huawei, www.huawei.com
Affected Product: HiSuite for Windows
Affected Version: <= 4.0.3.301
CVE ID: CVE-2016-5821
OVE ID: OVE-20160624-0001
Severity: High
Author: Benjamin Gnahm (@mitp0sh), Blue Frost Security GmbH
Title: Huawei HiSuite Insecure Service Directory ACLs
________________________________________________________________________

A privilege escalation vulnerability was identified in the Huawei
HiSuite software which can be used by a local user to elevate
privileges to become the SYSTEM user.

The root cause of the problem are insecure ACLs on the HandSet service
directory which allows any authenticated user to place a crafted DLL
file in that directory to perform a DLL hijacking attack.

Huawei has released software updates to address the issue. The full
advisory with technical details is available at the following link:

https://labs.bluefrostsecurity.de/advisories/bfs-sa-2016-003/
________________________________________________________________________

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus