EE 4GEE Mini Local Privilege Escalation Vulnerability (CVE-2018-14327)

I bought a 4G modem from EE to browse the internet when I'm outside. It's a portable 4G WiFi mobile broadband modem, as seen below.

You can find this 4G modem on these websites:

One day, while troubleshooting a problem, I had a look at the services installed on my computer and saw a strange service named "Alcatel OSPREY3_MINI Modem Device Helper". I wondered how it had been installed, and then realized it was the service belonging to my EE 4G WiFi modem. After a bit of Googling, I found that the modem is manufactured by Alcatel. Out of curiosity I had a look at the service configuration and found that it has an unquoted service path vulnerability.

[code language="text" highlight="8"]
C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alcatel OSPREY3_MINI Modem Device Helper
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

[/code]

But you can't directly write files there because of the folder permissions, so I first thought the issue was not worth reporting. Just to be sure, I had a look at the permissions of the "EE40" folder and W00t! It had been set to "Everyone:(OI)(CI)(F)", which means any user can read, write, execute, create, delete, do anything inside that folder and its subfolders. The ACE carries OI (Object Inherit) and CI (Container Inherit), which means all the files and subfolders beneath it inherit full control as well.

[code language="text" highlight="2,22"]
C:\Program Files (x86)\Web Connecton>icacls EE40
EE40 Everyone:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
EE40\BackgroundService Everyone:(OI)(CI)(F)
Everyone:(I)(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
[/code]

Since "ServiceManager.exe" is the executable of a Windows service running as LocalSystem, planting a malicious program with the same name "ServiceManager.exe" would result in that binary being executed as "NT AUTHORITY\SYSTEM", the highest privilege level in a Windows operating system. This vulnerability can therefore be used to escalate privileges locally. For example, an attacker with a low-privileged user account could plant a reverse shell and, after a restart of the computer, the malicious service binary would be started as "NT AUTHORITY\SYSTEM", giving the attacker full system access to the remote PC.

The following video demonstrates how this issue can be used to escalate privileges and gain a remote shell running as “NT AUTHORITY\SYSTEM”.

Patching Your Firmware

The vulnerable software version is "EE40_00_02.00_44".

After I reported the vulnerability to EE, they released a patch for the modem. Follow these steps to update your modem to the latest version.

  1. Go to your router's default gateway: http://192.168.1.1.
  2. Click on the "Check for Update" text to update your firmware.

After updating, the patched software version is "EE40_00_02.00_45". Then remove the previously installed software from your computer.

Fixing the Unquoted Service Path Vulnerability Manually

To fix the unquoted service path vulnerability, follow these steps.

  1. Open the Windows Registry Editor by typing "regedit" in the Start menu or in the Run prompt.
  2. Go to the following location:
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alcatel OSPREY3_MINI Modem Device Helper
  3. Add double quotes around the executable path in the "ImagePath" value, leaving the "-start" argument outside the quotes:
    "C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe" -start


This can also be done from the command line. Open a CMD prompt with Administrative privileges and run the command matching your Windows edition (the quotes go around the executable path only, so the "-start" argument stays outside them).

For 64-bit Windows:
[code language="text"]
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alcatel OSPREY3_MINI Modem Device Helper" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe\" -start" /f
[/code]

For 32-bit Windows:
[code language="text"]
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alcatel OSPREY3_MINI Modem Device Helper" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Web Connecton\EE40\BackgroundService\ServiceManager.exe\" -start" /f
[/code]

Fixing the Weak Folder Permissions Manually

Open a CMD prompt with Administrative privileges, go to the location of the Alcatel modem service (on 64-bit Windows it is under "C:\Program Files (x86)\Web Connecton\", as shown in the sc qc output above) and run the following commands. The /t switch applies the change recursively, so the explicit Everyone entry on the "BackgroundService" subfolder is replaced as well.
[code language="text"]
cd "C:\Program Files\Web Connecton\"
icacls "EE40" /t /grant:r Everyone:(OI)(CI)R
[/code]
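The two conditions found above (an unquoted ImagePath with spaces, and a folder on that path writable by Everyone or Users) can be audited together, and the same check confirms that the manual fixes in the last two sections took effect. The following PowerShell is an added example written for this post, not code from the original article or from EE/Alcatel; the function names and the list of low-privilege identities are my own choices.

```powershell
# Added example (not code from the original post or from EE/Alcatel): audit the local
# services for an unquoted ImagePath containing spaces combined with a directory on
# that path that Everyone or Users can write to. Run from an elevated PowerShell prompt.

# Identities every local user holds; a writable Allow ACE for one of these is a finding.
$LowPrivIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Any of these rights on a directory allows planting or replacing a file inside it.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'

function Get-UnquotedServicePaths {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } |
        ForEach-Object {
            # Everything up to the first ".exe" is the executable; the rest ("-start" above) are arguments.
            $m = [regex]::Match($_.PathName, '^(.+?\.exe)', 'IgnoreCase')
            if ($m.Success) {
                [pscustomobject]@{ Name = $_.Name; RunsAs = $_.StartName; Exe = $m.Groups[1].Value }
            }
        }
}

function Get-WeakAces([string]$Directory) {
    # Allow ACEs that give a low-privilege identity write access to $Directory.
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivIdentities -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band ([int]$WriteRights)) -ne 0
    }
}

function Find-HijackableServices {
    foreach ($svc in Get-UnquotedServicePaths) {
        # Walk from the executable's folder up to the drive root: a writable directory
        # anywhere on this chain is what turns an unquoted path into a finding.
        $dir = Split-Path -Path $svc.Exe -Parent
        while ($dir) {
            foreach ($ace in Get-WeakAces $dir) {
                [pscustomobject]@{
                    Service = $svc.Name; RunsAs = $svc.RunsAs; Directory = $dir
                    Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
                }
            }
            $dir = Split-Path -Path $dir -Parent
        }
    }
}

Find-HijackableServices | Format-Table -AutoSize
```

On the vulnerable version this lists the "Alcatel OSPREY3_MINI Modem Device Helper" service running as LocalSystem with the EE40 and BackgroundService folders writable by Everyone; after the reg add and icacls fixes above it should return nothing for that service.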

Disclosure Timeline

05-07-2018: The ZeroDayLab consultant (Osanda Malith Jayathissa) reported the issue to EE via Twitter.
05-07-2018: Reported to Alcatel via email.
12-07-2018: Osanda Malith Jayathissa contacted MITRE.
16-07-2018: CVE assigned CVE-2018-14327.
25-07-2018: EE contacted Osanda Malith Jayathissa via email for more technical details.
26-07-2018: Phone call between Osanda Malith Jayathissa and EE to discuss the vulnerability further.
26-07-2018: EE confirms that the patch will go live within one week.
03-08-2018: Osanda Malith Jayathissa contacted EE for an update on the patch and EE stated that they will respond with more information by Friday 10th of August.
10-08-2018: EE said that the patch had been delayed and that they would notify Osanda Malith Jayathissa with an update.
23-08-2018: EE replies with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab Consultant confirmed the patch was working successfully.
03-09-2018: EE notified Osanda Malith Jayathissa saying the patch was released.
