EE 4GEE Mini suffers from a unquoted service path local privilege escalation vulnerability.
d71768f1287eb098635fd936af125dfb# Title: EE 4GEE Mini Local Privilege Escalation Vulnerability
# Date: 22-09-2018
# Software Version: EE40_00_02.00_44
# Tested on: Windows 10 64-bit and Windows 7 64-bit
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
# Original Advisory: http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html
# Original Write-up: https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/
# CVE: CVE-2018-14327
Unquoted Service Path Vulnerability
-----------------------------------
C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alcatel OSPREY3_MINI Modem Device Helper
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Weak Folder Permissions
------------------------
C:\Program Files (x86)\Web Connecton>icacls EE40
EE40 Everyone:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
EE40\BackgroundService Everyone:(OI)(CI)(F)
Everyone:(I)(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
Disclosure Timeline
---------------------
05-07-2018: The ZeroDayLab Consultant (Osanda Malith Jayathissa), reported the issue to EE via twitter
05-07-2018: Reported to Alcatel via email.
12-07-2018: Osanda Malith Jayathissa contacted MITRE.
16-07-2018: CVE assigned CVE-2018-14327.
25-07-2018: EE contacted Osanda Malith Jayathissa via email for more technical details.
26-07-2018: Phone call between Osanda Malith Jayathissa and EE to discuss the vulnerability further.
26-07-2018: EE confirms that patch will go live within one week.
03-08-2018: Osanda Malith Jayathissa contacted EE for an update on the patch and EE stated that they will respond with more information by Friday 10th of August.
10-08-2018: EE said that patch had been delayed and will notify Osanda Malith Jayathissa with an update.
23-08-2018: EE replies with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab Consultant confirmed the patch was working successfully.
03-09-2018: EE notified Osanda Malith Jayathissa saying the patch was released.
References
-----------
https://www.theregister.co.uk/2018/09/19/ee_modem_vuln/
https://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html