{"id":9885,"date":"2017-10-15T14:19:16","date_gmt":"2017-10-15T22:19:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/15\/news-3658\/"},"modified":"2017-10-15T14:19:16","modified_gmt":"2017-10-15T22:19:16","slug":"news-3658","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/10\/15\/news-3658\/","title":{"rendered":"SSD Advisory \u2013 ZTE uSmartView DLL Hijacking"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Sun, 15 Oct 2017 06:43:40 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3457\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><\/p>\n<p><script>var obj = jQuery('#a-href-3457');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script>  \t\t<\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability summary<\/strong><br \/> The following advisory describes an DLL Hijacking found in ZTE uSmartView.<\/p>\n<p>ZTE uSmartView offers: &#8220;ZTE provides full series of cloud computing products (including cloud terminals, cloud desktops, virtualization software, and cloud storage products) and end-to-end integrated product, which can be applied to different scenarios such as office, training classroom, multimedia classroom, and business hall.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program<\/p>\n<p><strong>Vendor Response<\/strong><br \/> ZTE has been notified on the 13th of August 2017, several emails were exchanged, but no ETA for a fix or workaround have been provided for the following vulnerabilities.<\/p>\n<p><span id=\"more-3457\"><\/span><\/p>\n<p><strong>Vulnerability details<\/strong><br \/> When uSmartView starts on a Windows machine it tries to load a DLL (pcacli.dll) from  the <em>C:Program Files (x86)vdcientry<\/em> directory, if a malicious attacker puts the DLL in that directory uSmartView will load it and run the code found in it \u2013 without giving the user any warning of it.<\/p>\n<p>This happens because uSmartView does not provide file pcacli.dll. Furthermore, writing in <em>C:Program Files (x86)vdcientry<\/em> doesn\u2019t require any special privileges.<\/p>\n<p>Since uSmartView can require admin privileges an attacker can place the pcacli.dll and cause command execution as the current user (usually admin).<\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3457\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Sun, 15 Oct 2017 06:43:40 +0000<\/strong><\/p>\n<p>Vulnerability summary The following advisory describes an DLL Hijacking found in ZTE uSmartView. ZTE uSmartView offers: &#8220;ZTE provides full series of cloud computing products (including cloud terminals, cloud desktops, virtualization software, and cloud storage products) and end-to-end integrated product, which can be applied to different scenarios such as office, training classroom, multimedia classroom, and business &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3457\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 ZTE uSmartView DLL Hijacking<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[13327,10757],"class_list":["post-9885","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-dll-hijacking","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9885","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9885"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9885\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9885"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9885"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9885"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}