Menu

Improved exploit search engine. Try it out

"Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow"

Author

LiquidWorm

Platform

windows

Release date

2019-05-20

Release Date Title Type Platform Author
2019-06-14 "Aida64 6.00.5100 - 'Log to CSV File' Local SEH Buffer Overflow" local windows "Nipun Jaswal"
2019-06-13 "Pronestor Health Monitoring < 8.1.11.0 - Privilege Escalation" local windows PovlTekstTV
2019-06-11 "ProShow 9.0.3797 - Local Privilege Escalation" local windows Yonatan_Correa
2019-06-05 "IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)" remote windows Metasploit
2019-06-07 "Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)" local windows SandboxEscaper
2019-06-03 "Nvidia GeForce Experience Web Helper - Command Injection" local windows "Rhino Security Labs"
2019-06-04 "DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)" local windows "Kevin Randall"
2014-11-24 "Microsoft Windows 8.1/ Server 2012 - 'Win32k.sys' Local Privilege Escalation (MS14-058)" local windows anonymous
2019-05-30 "Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service" dos windows n1xbyte
2019-05-28 "Petraware pTransformer ADC < 2.1.7.22827 - Login Bypass" remote windows "Faudhzan Rahman"
2019-05-23 "Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)" local windows SandboxEscaper
2019-05-29 "Free SMTP Server 2.5 - Denial of Service (PoC)" dos windows "Metin Yunus Kandemir"
2019-05-27 "Pidgin 2.13.0 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-24 "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption" remote windows "Simon Zuckerbraun"
2019-05-24 "Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow" local windows "Uday Mittal"
2019-05-15 "Microsoft Windows - 'Win32k' Local Privilege Escalation" local windows ExpLife0011
2019-05-22 "Microsoft Internet Explorer 11 - Sandbox Escape" local windows SandboxEscaper
2019-05-22 "Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-22 "Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 (17763.379) - Install DLL" local windows SandboxEscaper
2019-05-24 "Fast AVI MPEG Joiner - 'License Name' Denial of Service (PoC)" dos windows Achilles
2019-05-24 "Cyberoam General Authentication Client 2.1.2.7 - 'Server Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-23 "Terminal Services Manager 3.2.1 - Denial of Service" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Share Name' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Add Block' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
Release Date Title Type Platform Author
2019-05-20 "Huawei eSpace 1.1.11.103 - DLL Hijacking" local windows LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - 'ContactsCtrl.dll' / 'eSpaceStatusCtrl.dll' ActiveX Heap Overflow" dos windows LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow" dos windows LiquidWorm
2019-05-20 "Huawei eSpace Meeting 1.1.11.103 - 'cenwpoll.dll' SEH Buffer Overflow (Unicode)" dos windows LiquidWorm
2019-05-15 "Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting" webapps php LiquidWorm
2019-05-16 "SEL AcSELerator Architect 2.2.24 - CPU Exhaustion Denial of Service" dos windows LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - SQL Injection" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - Information Disclosure" webapps php LiquidWorm
2019-04-23 "Ross Video DashBoard 8.5.1 - Insecure Permissions" local windows LiquidWorm
2019-03-14 "Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)" webapps php LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Arbitrary File Disclosure" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Remote Code Execution" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - RTSP Stream Disclosure" webapps hardware LiquidWorm
2019-01-28 "BEWARD Intercom 2.3.1 - Credentials Disclosure" local windows LiquidWorm
2019-01-07 "Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection" webapps windows LiquidWorm
2019-01-07 "Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery" webapps windows LiquidWorm
2018-11-30 "Synaccess netBooter NP-02x/NP-08x 6.8 - Authentication Bypass" webapps cgi LiquidWorm
2018-11-21 "Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2018-11-05 "Microsoft Internet Explorer 11 - Null Pointer Dereference" local windows LiquidWorm
2018-10-17 "TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure" webapps hardware LiquidWorm
2018-10-15 "FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution" webapps hardware LiquidWorm
2018-10-15 "FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure" webapps hardware LiquidWorm
2018-10-15 "FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure" webapps hardware LiquidWorm
2018-10-08 "FLIR Thermal Traffic Cameras 1.01-0bb5b27 - Information Disclosure" webapps hardware LiquidWorm
2018-10-06 "FLIR Thermal Traffic Cameras 1.01-0bb5b27 - RTSP Stream Disclosure" webapps hardware LiquidWorm
2018-07-17 "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Remote Root" webapps hardware LiquidWorm
2018-07-17 "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - File Manipulation" webapps hardware LiquidWorm
2018-07-17 "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download" webapps hardware LiquidWorm
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46867/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46867/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46867/41297/huawei-espace-1111103-image-file-format-handling-buffer-overflow/download/", "exploit_id": "46867", "exploit_description": "\"Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow\"", "exploit_date": "2019-05-20", "exploit_author": "LiquidWorm", "exploit_type": "dos", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
Huawei eSpace Meeting Image File Format Handling Buffer Overflow Vulnerability


Vendor: Huawei Technologies Co., Ltd.
Product web page: https://www.huawei.com
Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)

Summary: Create more convenient Enhanced Communications (EC) services for your
enterprise with this suite of products. Huawei’s EC Suite (ECS) solution combines
voice, data, video, and service streams, and provides users with easy and secure
access to their service platform from any device, in any place, at any time. The
eSpace Meeting allows you to join meetings that support voice, data, and video
functions using the PC client, the tablet client, or an IP phone, or in a meeting
room with an MT deployed.

Desc: eSpace Meeting conference whiteboard functionality is vulnerable to a buffer
overflow issue when inserting known image file formats. Attackers can exploit this
issue to execute arbitrary code within the context of the affected application.
Failed exploit attempts will likely result in denial-of-service conditions.

Vuln modules (no DEP/ASLR):
C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll
C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.dll

Tested on: Microsoft Windows 7 Professional


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

23.09.2014

Patched version: V100R001C03
Vuln ID: HWPSIRT-2014-1156
CVE ID: CVE-2014-9417
Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589

--


Reference magic numbers (hex signature):

JPG/JPEG - FF D8 FF
BMP - 42 4D
PNG - 89 50 4E 47 0D 0A 1A 0A

0:024> g
CClassMgrFrameWnd::OnKeyUp lParam = -1072758783Get config of string parameter:box, value: 
(2110.2258): Unknown exception - code c0000002 (first chance)
(2110.2258): Unknown exception - code c0000002 (first chance)
(2110.1b08): C++ EH exception - code e06d7363 (first chance)
(2110.1b08): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=036de3f4 ebx=01709870 ecx=00000003 edx=00000000 esi=7c380edc edi=036de484
eip=75ae812f esp=036de3f4 ebp=036de444 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll - 
KERNELBASE!RaiseException+0x54:
75ae812f c9              leave
0:008> d esp
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\MSVCR71.dll - 
036de3f4  63 73 6d e0 01 00 00 00-00 00 00 00 2f 81 ae 75  csm........./..u
036de404  03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c  .... .....m.0.=|
036de414  00 00 00 00 18 00 00 00-14 33 41 7c 60 e4 6d 03  .........3A|`.m.
036de424  b3 16 34 7c 00 00 9c 01-00 00 00 00 b8 16 34 7c  ..4|..........4|
036de434  44 4b 41 7c 98 e4 6d 03-70 98 70 01 98 98 70 01  DKA|..m.p.p...p.
036de444  84 e4 6d 03 ed 9a 35 7c-63 73 6d e0 01 00 00 00  ..m...5|csm.....
036de454  03 00 00 00 78 e4 6d 03-98 98 70 01 54 16 3d 7c  ....x.m...p.T.=|
036de464  63 73 6d e0 01 00 00 00-00 00 00 00 00 00 00 00  csm.............
0:008> d
036de474  03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c  .... .....m.0.=|
036de484  a8 e4 6d 03 5a 8b 3c 7c-98 e4 6d 03 30 82 3d 7c  ..m.Z.<|..m.0.=|
036de494  54 2b fc ab 54 16 3d 7c-58 a9 71 01 01 00 00 00  T+..T.=|X.q.....
036de4a4  70 16 3d 7c 3c e8 6d 03-e0 d9 b0 04 00 00 00 00  p.=|<.m.........
036de4b4  66 13 af 04 54 2b fc ab-80 94 6f 01 3c e8 6d 03  f...T+....o.<.m.
036de4c4  30 ed 6d 03 00 00 00 00-ec e4 6d 03 00 00 00 00  0.m.......m.....
036de4d4  0b 00 00 00 00 00 00 00-41 41 41 41 41 41 41 41  ........AAAAAAAA
036de4e4  41 41 41 41 41 41 41 41-28 00 00 00 41 41 00 00  AAAAAAAA(...AA..
0:008> d
036de4f4  41 41 00 00 41 41 41 41-00 00 00 00 54 2b fc ab  AA..AAAA....T+..
036de504  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
036de514  00 00 00 00 24 ed 6d 03-22 a0 af 76 43 f0 ed 63  ....$.m."..vC..c
036de524  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
036de534  30 ed 6d 03 45 76 58 06-42 4d 00 0d 41 41 41 41  0.m.EvX.BM..AAAA
036de544  41 41 41 41 41 41 6d 03-3b 23 af 04 3c e8 6d 03  AAAAAAm.;#..<.m.
036de554  80 94 6f 01 88 ef 6d 03-05 02 00 00 00 00 00 00  ..o...m.........
036de564  73 00 70 00 84 f2 b0 04-00 00 00 00 00 00 00 00  s.p.............
0:008> d
036de574  42 4d 00 0d 41 41 41 41-41 41 41 41 41 41 41 41  BM..AAAAAAAAAAAA
036de584  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
036de594  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
036de5a4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
036de5b4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
036de5c4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
036de5d4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
036de5e4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

--

PNG Decoder error msg:$s
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
(1874.2274): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=015d8998 edx=00000000 esi=015d8ab8 edi=00000000
eip=025f1b99 esp=032ccc88 ebp=032cd0c4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll - 
classmgr+0x11b99:
025f1b99 8b9868060000    mov     ebx,dword ptr [eax+668h] ds:0023:00000668=????????

--

JPEG datastream contains no image
Improper call to JPEG library in state 200
(1f88.2768): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=a2afcfb5 edx=00000000 esi=0352e318 edi=000000cc
eip=0491b035 esp=0352e2c8 ebp=0352ed30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
*** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.DLL
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.DLL - 
MiniGDIEx!DllUnregisterServer+0x2f95:
0491b035 ff10            call    dword ptr [eax]      ds:0023:00000000=????????

---

PoC files:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46867.zip