I bought a 4G modem from EE to browse the internet when I’m outside. It’s a portable 4G WiFi mobile broadband modem as seen below.
You can find this 4G modem from these websites:
- https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-wifi-mini-2018/details
- https://www.currys.co.uk/gbuk/phones-broadband-and-sat-nav/broadband/mobile-broadband/4gee-mini-pay-as-you-go-mobile-wifi-10146494-pdt.html
One day I had a look at the services installed on my computer while troubleshooting a problem and I saw a strange service named “Alcatel OSPREY3_MINI Modem Device Helper”. I was wondering how this was installed, and then I figured that it’s my modem service from the EE 4G WiFi modem. Then after a bit of Googling, I realized that the modem was manufactured by Alcatel. I had a look at the installed service just out of curiosity and found that there is an unquoted service path vulnerability.
```
C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Alcatel OSPREY3_MINI Modem Device Helper
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```
But you can’t directly write files because of folder permissions. I first thought this issue was useless to report. But just to be sure I had a look at the folder permissions of the “EE40” folder and W00t! It had been set to “Everyone:(OI)(CI)(F)”, which means any user can read, write, execute, create, delete, or do anything inside that folder and its subfolders. The ACL rules had OI – Object Inherit and CI – Container Inherit, which means all the files in this folder and subfolders have full permissions.
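
An added audit example (not from the original post): the PowerShell below lists services whose image path is unquoted and contains a space, then reports every ancestor directory where a broad group holds a write-capable ACE, which is the combination described above. The function name `Get-BroadWriteAce`, the SID list and the rights mask are assumptions of this example.

```powershell
# Well-known SIDs (locale independent): Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
# CreateFiles/WriteData (0x2), AppendData (0x4), GENERIC_ALL, GENERIC_WRITE.
$writeMask = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

function Get-BroadWriteAce {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    # Ask for SIDs instead of names so localized group names do not matter.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadSids -contains $ace.IdentityReference.Value -and
            ([int]$ace.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Directory = $Directory
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $path = $_.PathName
    # Only unquoted command lines; capture everything up to the first ".exe".
    if ($path -and $path -notmatch '^\s*"' -and $path -match '^\s*(?<exe>.+?\.exe)(\s|$)') {
        $exe = $Matches['exe']
        if ($exe -notmatch '\s') { return }   # no space in the path, no ambiguity
        $svc = $_
        # Walk from the binary's folder up to the drive root.
        $dir = Split-Path -Path $exe -Parent
        while ($dir) {
            Get-BroadWriteAce -Directory $dir | ForEach-Object {
                [pscustomobject]@{
                    Service   = $svc.Name
                    StartName = $svc.StartName
                    ImagePath = $path
                    Directory = $_.Directory
                    Sid       = $_.Sid
                    Rights    = $_.Rights
                }
            }
            $dir = Split-Path -Path $dir -Parent
        }
    }
} | Format-Table -AutoSize -Wrap
```

Any row returned is worth fixing on both counts: quote the service's image path and remove the broad write ACE from the listed directory.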