I bought a 4G modem from EE to browse the internet when I'm outside. It's a portable 4G WiFi mobile broadband modem, as seen below.
You can find this 4G modem on these websites:
- https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-wifi-mini-2018/details
- https://www.currys.co.uk/gbuk/phones-broadband-and-sat-nav/broadband/mobile-broadband/4gee-mini-pay-as-you-go-mobile-wifi-10146494-pdt.html
One day I had a look at the services installed on my computer while troubleshooting a problem and saw a strange service named "Alcatel OSPREY3_MINI Modem Device Helper". I wondered how this had been installed, and then figured out that it was the service for my EE 4G WiFi modem. After a bit of Googling, I realized that the modem is manufactured by Alcatel. I had a look at the service configuration out of curiosity and found an unquoted service path vulnerability: the BINARY_PATH_NAME below contains spaces but is not enclosed in double quotes, and the service runs as LocalSystem.
[code language=”text” highlight=”8″]
C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alcatel OSPREY3_MINI Modem Device Helper
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
[/code]
The unquoted path alone is not directly exploitable here: the locations Windows would try first (C:\Program.exe, "C:\Program Files.exe", "C:\Program Files (x86)\Web.exe") sit in directories a standard user can't write files to because of the default folder permissions. I first thought this issue was not worth reporting. But just to be sure I had a look at the permissions of the "EE40" folder and w00t! It had been set to "Everyone:(OI)(CI)(F)", which means any user can read, write, execute, create and delete anything inside that folder and its subfolders. The ACE carries OI (Object Inherit) and CI (Container Inherit), so every file and subfolder beneath EE40, including ServiceManager.exe itself, inherits Full Control for Everyone.
[code language=”text” highlight=”2,22″]
C:\Program Files (x86)\Web Connecton>icacls EE40
EE40 Everyone:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
EE40\BackgroundService Everyone:(OI)(CI)(F)
Everyone:(I)(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
[/code]
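The two checks above (an unquoted ImagePath with spaces, and a service binary or search-path directory writable by low-privileged users) can be automated across every service on a host. The script below is an added example written for this page; it is not code from the original post, from Alcatel or from EE. The set of "low-privileged" SIDs it treats as dangerous is an assumption for this audit, and it should be run as the low-privileged user whose access you want to test.

```powershell
#Requires -Version 5.1
# Added example, not code from the original post or from Alcatel/EE.
# Audits every Win32 service for:
#   1. an unquoted ImagePath containing spaces (the candidate hijack locations
#      C:\Program.exe, "C:\Program Files.exe", ... are derived from the path), and
#   2. a service binary, its directory, or a candidate directory that a
#      low-privileged principal can write to.
# The list of "low-privileged" SIDs below is an assumption for this audit.

$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that let an attacker replace or drop a file. Generic rights (GW, GA)
# appear as raw high bits on inherit-only ACEs, so they are checked on the mask.
$DangerousRights   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericWriteOrAll = 0x40000000 -bor 0x10000000

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path } catch { return $false }   # no READ_CONTROL: treat as not writable
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($LowPrivSids -notcontains $sid) { continue }
        $mask = [int]$ace.FileSystemRights
        if ((($mask -band $DangerousRights) -ne 0) -or (($mask -band $GenericWriteOrAll) -ne 0)) { return $true }
    }
    return $false
}

# Paths CreateProcess tries before the intended binary when ImagePath is unquoted.
# "C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start"
# yields C:\Program.exe, "C:\Program Files.exe" and "C:\Program Files (x86)\Web.exe".
function Get-HijackCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"') -or -not $p.Contains(' ')) { return @() }
    $tokens = $p -split ' '
    $out = @()
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        if ($prefix -match '\.exe$') { break }   # reached the real binary; the rest is arguments
        if (-not [System.IO.Path]::HasExtension($prefix)) { $prefix += '.exe' }
        $out += $prefix
    }
    return $out
}

# Best-effort extraction of the executable the SCM will eventually run.
function Get-ServiceExecutable {
    param([Parameter(Mandatory)][string]$ImagePath)
    if ($ImagePath -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($ImagePath -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($ImagePath.Trim() -split ' ')[0]
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $path = $svc.PathName.Trim()
    $exe  = Get-ServiceExecutable -ImagePath $path
    $writable = @()
    foreach ($candidate in Get-HijackCandidates -ImagePath $path) {
        $dir = Split-Path -Parent $candidate
        if (Test-LowPrivWritable -Path $dir) { $writable += "$dir (hijack via $candidate)" }
    }
    if (Test-LowPrivWritable -Path $exe) { $writable += "$exe (binary replaceable)" }
    $exeDir = Split-Path -Parent $exe
    if ($exeDir -and (Test-LowPrivWritable -Path $exeDir)) { $writable += "$exeDir (directory writable)" }
    [pscustomobject]@{
        Service   = $svc.Name
        RunsAs    = $svc.StartName
        StartMode = $svc.StartMode
        Unquoted  = (-not $path.StartsWith('"')) -and $exe.Contains(' ')
        ImagePath = $path
        Writable  = ($writable -join '; ')
    }
}

# Only services with at least one of the two weaknesses are printed.
$findings | Where-Object { $_.Unquoted -or $_.Writable } | Format-List
```

For the EE40 service this reports Unquoted as True and lists both the BackgroundService directory and ServiceManager.exe as writable; the svchost-hosted services are skipped because their executable path contains no spaces and System32 is not writable. A finding with RunsAs of LocalSystem and StartMode of Auto is the combination that makes the reboot-based escalation described below work.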
Since "ServiceManager.exe" is the executable of a Windows service that runs as LocalSystem, replacing it with a malicious program of the same name results in that binary being executed as "NT AUTHORITY\SYSTEM", the highest privilege level in a Windows operating system. This vulnerability can therefore be used to escalate privileges locally. For example, an attacker with a low-privileged user account can overwrite ServiceManager.exe with a reverse shell; because the service is AUTO_START, a reboot is enough (no right to start the service is needed), and on restart the malicious binary runs as "NT AUTHORITY\SYSTEM" and connects back, giving the attacker full access to the machine.
The following video demonstrates how this issue can be used to escalate privileges and gain a remote shell running as “NT AUTHORITY\SYSTEM”.
Patching Your Firmware
The vulnerable software version is "EE40_00_02.00_44".
After I reported the vulnerability to EE, they released a patch to update the modem. Follow these steps to update your modem to the latest firmware.
- Go to your router's default gateway: http://192.168.1.1.
- Click on the "Check for Update" text to update your firmware.
After updating, the patched software version is "EE40_00_02.00_45". Also remove the previously installed software from your computer.
Fixing the Unquoted Service Path Vulnerability Manually
To fix the unquoted service path vulnerability, follow these steps.
- Open the Windows Registry Editor by typing "regedit" in the Start menu or in the Run prompt.
- Go to the following location:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alcatel OSPREY3_MINI Modem Device Helper
- Add double quotes around the executable path in the "ImagePath" value. Only the path to ServiceManager.exe goes inside the quotes; the "-start" argument stays outside them. If the whole string is quoted, the Service Control Manager looks for an executable literally named "ServiceManager.exe -start" and the service does not start.
"C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe" -start
This can also be done from the command line. Open a CMD prompt with administrative privileges and run the command matching your Windows edition (the install directory differs between 64-bit and 32-bit Windows; check the BINARY_PATH_NAME shown by sc qc if unsure). The inner quotes are escaped as \" so that reg add stores them in the value.
For 64-bit Windows
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alcatel OSPREY3_MINI Modem Device Helper" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe\" -start" /f
For 32-bit Windows
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alcatel OSPREY3_MINI Modem Device Helper" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Web Connecton\EE40\BackgroundService\ServiceManager.exe\" -start" /f
Afterwards, sc qc "Alcatel OSPREY3_MINI Modem Device Helper" should show the quoted path in BINARY_PATH_NAME.
Fixing the Weak Folder Permissions Manually
Open a CMD prompt with administrative privileges, go to the location of the Alcatel modem software and run the following command. On 64-bit Windows the directory is C:\Program Files (x86)\Web Connecton\; on 32-bit Windows it is C:\Program Files\Web Connecton\.
cd "C:\Program Files (x86)\Web Connecton\"
icacls "EE40" /t /grant:r Everyone:(OI)(CI)R
/grant:r replaces the existing Everyone entry with Read only instead of adding to it, and /t applies the change to every subfolder and file, including the explicit Everyone:(OI)(CI)(F) entry on BackgroundService. Run icacls EE40 again afterwards: Everyone should now show (OI)(CI)(R), and ServiceManager.exe is no longer writable by standard users.
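Both manual fixes above (quoting only the executable part of ImagePath, and taking Full Control away from Everyone on the install directory) can be applied and verified from one elevated PowerShell session. The script below is an added example for this page, not code from the original post or from Alcatel/EE; the service name and directory are the ones from this post, and the helper function names are my own.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
# Added example, not code from the original post or from Alcatel/EE.
# Repair-ServiceImagePath: quote only the executable in ImagePath, keep arguments outside.
# Repair-InstallDirAcl:    drop every explicit Everyone ACE under the directory and grant
#                          Everyone Read & Execute (inheritable) on the top folder only.

function Repair-ServiceImagePath {
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $current = (Get-ItemProperty -LiteralPath $key -Name ImagePath).ImagePath
    if ($current.TrimStart().StartsWith('"')) {
        return $current                                   # already quoted, nothing to do
    }
    # Split "<path to .exe> <arguments>" at the executable extension so that
    # "C:\...\ServiceManager.exe -start" becomes "\"C:\...\ServiceManager.exe\" -start".
    if ($current -match '^\s*(?<exe>.+?\.exe)(?<args>.*)$') {
        $fixed = '"' + $Matches.exe + '"' + $Matches.args
    } else {
        throw "Cannot locate the executable in ImagePath: $current"
    }
    Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed -Type ExpandString
    return $fixed
}

function Repair-InstallDirAcl {
    param([Parameter(Mandatory)][string]$Directory)
    $everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $readOnly = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $top = (Get-Item -LiteralPath $Directory).FullName
    $items = @(Get-Item -LiteralPath $Directory) + @(Get-ChildItem -LiteralPath $Directory -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Only explicit ACEs can be removed; inherited ones follow the parent automatically.
        $explicitEveryone = @($acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
        })
        foreach ($ace in $explicitEveryone) { $acl.RemoveAccessRuleAll($ace) }
        if ($item.FullName -eq $top) { $acl.AddAccessRule($readOnly) }   # equivalent of (OI)(CI)R on EE40
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}

# Apply both fixes to the service and directory named in this post, then show the result.
$svc = 'Alcatel OSPREY3_MINI Modem Device Helper'
$dir = 'C:\Program Files (x86)\Web Connecton\EE40'
Repair-ServiceImagePath -ServiceName $svc
Repair-InstallDirAcl    -Directory   $dir
(Get-Acl -LiteralPath $dir).Access |
    Where-Object { $_.IdentityReference -like 'Everyone' } |
    Select-Object FileSystemRights, InheritanceFlags, IsInherited
```

The ImagePath fix is the same change the reg add commands make, but it reads the current value first, so it works for either the 64-bit or the 32-bit install location without editing the command. The ACL fix leaves the inherited TrustedInstaller, SYSTEM, Administrators and Users entries untouched; only Everyone is reduced, and ServiceManager.exe ends up with Read & Execute for Everyone inherited from EE40.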
Disclosure Timeline
05-07-2018: The ZeroDayLab Consultant (Osanda Malith Jayathissa) reported the issue to EE via Twitter.
05-07-2018: Reported to Alcatel via email.
12-07-2018: Osanda Malith Jayathissa contacted MITRE.
16-07-2018: CVE assigned CVE-2018-14327.
25-07-2018: EE contacted Osanda Malith Jayathissa via email for more technical details.
26-07-2018: Phone call between Osanda Malith Jayathissa and EE to discuss the vulnerability further.
26-07-2018: EE confirms that patch will go live within one week.
03-08-2018: Osanda Malith Jayathissa contacted EE for an update on the patch and EE stated that they will respond with more information by Friday 10th of August.
10-08-2018: EE said that patch had been delayed and will notify Osanda Malith Jayathissa with an update.
23-08-2018: EE replies with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab Consultant confirmed the patch was working successfully.
03-09-2018: EE notified Osanda Malith Jayathissa saying the patch was released.
References
The following article was released on my current company's blog:
News Articles
Post title: EE 4GEE Mini Local Privilege Escalation Vulnerability (CVE-2018-14327)