I bought a 4G modem from EE to browse the internet when I’m outside. It’s a portable 4G WiFi mobile broadband modem as seen below.
You can find this 4G modem from these websites:
- https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-wifi-mini-2018/details
- https://www.currys.co.uk/gbuk/phones-broadband-and-sat-nav/broadband/mobile-broadband/4gee-mini-pay-as-you-go-mobile-wifi-10146494-pdt.html
One day I had a look at the services installed on my computer while troubleshooting a problem and I saw a strange service named “Alcatel OSPREY3_MINI Modem Device Helper”. I was wondering how this was installed, and then I figured out that it’s my modem service from the EE 4G WiFi modem. Then after a bit of Googling, I realized that the modem was manufactured by Alcatel. I had a look at the installed service just out of curiosity and found that there is an unquoted service path vulnerability.
[code language=”text” highlight=”8″]
C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alcatel OSPREY3_MINI Modem Device Helper
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
[/code]
But you can’t directly write files because of folder permissions. I first thought this issue was useless to report. But just to be sure I had a look at the folder permissions of the “EE40” folder and W00t! It had been set to “Everyone:(OI)(CI)(F)”, which means any user can read, write, execute, create, delete, or do anything else inside that folder and its subfolders. The ACL rules had OI – Object Inherit and CI – Container Inherit, which means all the files in this folder and subfolders have full permissions.
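A defender-side check for the two conditions described above, as an added example that is not part of the original post: it parses `sc qc` output and `icacls` output and flags an unquoted executable path containing spaces and write-capable ACEs held by broad principals. The `icacls` text is constructed from the ACE quoted in the post; the function names and the list of broad principals are assumptions.

```python
import re

# Constructed sample input: the `sc qc` fields shown in the post, and icacls
# output for the EE40 folder built from the ACE the post quotes.
SC_QC = r"""SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
BINARY_PATH_NAME : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
SERVICE_START_NAME : LocalSystem"""
ICACLS = r"""C:\Program Files (x86)\Web Connecton\EE40 Everyone:(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)"""

BROAD = r"Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users"  # assumed list
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}   # inheritance flags, not rights
WRITE_RIGHTS = {"F", "M", "W"}                  # full control, modify, write

def parse_sc_qc(text):
    """Return the KEY : value pairs of `sc qc` output as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def unquoted_path_with_spaces(binary_path):
    """True if the executable path contains a space and is not quoted."""
    if binary_path.startswith('"'):
        return False
    m = re.match(r"(.+?\.exe)\b", binary_path, re.IGNORECASE)
    exe = m.group(1) if m else binary_path.split(" ")[0]
    return " " in exe

def broad_write_aces(icacls_text):
    """Return (principal, rights) for broad principals that can write."""
    hits = []
    for m in re.finditer(rf"({BROAD}):((?:\([A-Z,]+\))+)", icacls_text):
        groups = re.findall(r"\(([A-Z,]+)\)", m.group(2))
        rights = {r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")}
        if rights & WRITE_RIGHTS:
            hits.append((m.group(1), sorted(rights)))
    return hits

def audit(sc_text, icacls_text):
    svc = parse_sc_qc(sc_text)
    return {"service": svc.get("SERVICE_NAME"), "runs_as": svc.get("SERVICE_START_NAME"),
            "unquoted_path": unquoted_path_with_spaces(svc.get("BINARY_PATH_NAME", "")),
            "broad_write_aces": broad_write_aces(icacls_text)}

if __name__ == "__main__":
    print(audit(SC_QC, ICACLS))
```

A service that reports `unquoted_path` as true, runs as LocalSystem and has a non-empty `broad_write_aces` list is the combination to fix first: quote the service's binary path and remove write access for non-administrative principals from its install folder.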