Acknowledged by Facebook

I was able to find a tiny session management vulnerability in the Oculus website and Yay! got acknowledged by Facebook 🙂


Escalating Local Privileges Using Mobile Partner

Mobile Partner is a very popular software that ships with Huawei internet dongles. Recently I noticed the fact that the “Mobile Partner” directory and all subdirectories, files by default has full permissions granted the Users group. This means that any User in your system can plant a malicious executable and escalate privileges when the Administrator runs Mobile Partner. Why not bind the exe using msfpayload or msfvenom? 😉

 Proof of Concept

By default in my dongle I had Mobile Partner 11.302.09.00.03 and if you are using versions below you might find out that this folder and it’s contents has been granted full permissions not only to the Users group but also to Everyone which means any random user can plant anything inside this directory.

C:\Program Files (x86)>cacls "Mobile Partner"
C:\Program Files (x86)\Mobile Partner Everyone:(OI)(CI)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F

                                      NT AUTHORITY\SYSTEM:(ID)F
                                      NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                      CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(ID)(special access:)



C:\Program Files>cd "Mobile Partner"

C:\Program Files (x86)\Mobile Partner>cacls "Mobile Partner.exe"
C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe Everyone:F
                                                         NT AUTHORITY\SYSTEM:(ID)F
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R


MySQL name_const Crash

This is a small crash I found in MySQL 5.0.45 in the name_const function. I’ve tested this in a Windows 8 environment. However this function won’t allow performing select queries in latest versions. In older versions greater than or equal to 5.0.12 you can reproduce this issue.
I fuzzed the name_const() function and I noticed that when performing a conditional statement inside a sub query we can make the MySQL application freeze. Once we press ^c twice we get the error message. (more…)