Monday, 17 September 2018

ZeroDayLab Discovers EE Local Privilege Escalation Vulnerability CVE-2018-14327

EE forms part of BT Group, the largest digital communications company in UK, and boasts of serving more than 31 million connections across its mobile, fixed and wholesale networks. But it was a flaw in EE’s 4G Mini WiFi modem that caught the eye of ZeroDayLab Security Consultants, and that when installed weakened the customers defenses. As a result of the vulnerability cyber criminals would be able to bypass access permissions and gain full administrative/system rights by escalating privileges, once they have gained access to the EE customer’s Laptop or PC. This means the cyber criminal is able to perform any number of malicious actions, such as planting Malware, Rootkits, Log key strokes or stealing personal information.

In this article we take you through the vulnerability found by ZeroDayLab and the action EE customers need to take to apply the patch to fix this vulnerability.

EE customers have been going about their business up and down the country, connecting to the web while on the move oblivious to the potential danger that their latest gadget has been exposing them to. ZeroDayLab’s Chief Technical Officer Paul Brereton said “by installing the EE modem, users have been unwittingly significantly weakening the security of their operating environment (Windows), allowing a local attacker, malicious application or targeted malware to gain full unrestricted administrative access to the operating environment and bypassing the protections in place.”

The vulnerability discovered by ZeroDayLab is exploitable with relatively little effort from a potential cyber criminal – the level of sophistication and effort required to execute this attack is minimal, making this a significant vulnerability.

ZeroDayLab took the decision not to disclose this vulnerability without first working with EE to find a suitable patch. This vulnerability was discovered by one of ZeroDayLab’s Security Consultants, Osanda Malith Jayathissa (@OsandaMalith). Here Osanda talks you through the details of the vulnerability and the resulting patch from EE below.

The Vulnerability
The EE 4G WiFi Modem installs a service called Alcatel OSPREY3_MINI Modem Device Helper (The modem is manufactured by Alcatel). It’s here that we found the unquoted service path vulnerability.

C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Alcatel OSPREY3_MINI Modem Device Helper
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


You can’t directly write files because of folder permissions, which at first sight would suggest this issue isn’t worthy of being reported. If however you look at the folder permissions of the “EE40” folder and low and behold, these had been set to “Everyone:(OI)(CI)(F)”. The result being that any user can read, write, execute, create, delete or do any number or malicious actions inside that folder and its subfolders. The ACL rules had OI – Object Inherit and CI – Container Inherit which means all the files in this folder and subfolders have full permissions.

C:\Program Files (x86)\Web Connecton>icacls EE40
EE40 Everyone:(OI)(CI)(F)
     NT SERVICE\TrustedInstaller:(I)(F)
     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
     NT AUTHORITY\SYSTEM:(I)(F)
     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
     BUILTIN\Administrators:(I)(F)
     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
     BUILTIN\Users:(I)(RX)
     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
EE40\BackgroundService Everyone:(OI)(CI)(F)
                       Everyone:(I)(OI)(CI)(F)
                       NT SERVICE\TrustedInstaller:(I)(F)
                       NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                       NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Users:(I)(RX)
                       BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

Since “ServiceManager.exe” executable is a Windows service, by planting a malicious program with the same name “ServiceManager.exe” would result in executing the binary as “NT AUTHORITY\SYSTEM” giving highest privileges in a Windows operating system. This vulnerability can be used to escalate privileges in a Windows operating system locally. For example, an attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as “NT AUTHORITY\SYSTEM” by giving the attacker full system access to the remote PC.

And now for the fix.

Updating to the Patched Version

The vulnerable software version is “EE40_00_02.00_44”



After reporting the vulnerability to EE, they have released a patch to update the modem. Follow these steps to update your modem to the latest patch update.

1.       Go to your router’s default gateway: http://192.168.1.1.       
2.    Click on the “Check for Update” text to update your firmware.

After updating, the patched software version is “EE40_00_02.00_45” and remove the previously installed software from your computer.






Disclosure Timeline

05-07-2018: The ZeroDayLab Consultant (Osanda Malith Jayathissa), reported the issue to EE via twitter
05-07-2018: Reported to Alcatel via email.
12-07-2018: Osanda Malith Jayathissa contacted MITRE.
16-07-2018: CVE assigned CVE-2018-14327.
25-07-2018: EE contacted Osanda Malith Jayathissa via email for more technical details.
26-07-2018: Phone call between Osanda Malith Jayathissa and EE to discuss the vulnerability further.
26-07-2018: EE confirms that patch will go live within one week.
03-08-2018: Osanda Malith Jayathissa contacted EE for an update on the patch and EE stated that they will respond with more information by Friday 10th of August.
10-08-2018: EE said that patch had been delayed and will notify Osanda Malith Jayathissa with an update.
23-08-2018: EE replies with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab Consultant confirmed the patch was working successfully.
03-09-2018: EE notified Osanda Malith Jayathissa saying the patch was released.



About ZeroDayLab

ZeroDayLab is a CREST accredited IT Security consultancy whose sole purpose is to help reduce the risk of cyber-attack and data breaches in your business. In doing so, we help to protect your business from loss of revenue, reputational damage, regulatory fines and disruption to operations.

Our success has meant we now work with some of the biggest and most influential global organisations, across almost every industry, including Financial Services, E-business, Retail, Telco, Travel & Leisure, Pharmaceuticals, Defense and Transport.

Many of our clients say that they choose us because of our unique approach to Total Security Management, that enables us to cater for all your Ethical Hacking, Governance, Risk, and Compliance, Education & Training, and Managed Service needs. We do this in a way that is appropriate, proportionate and right for the level of risk in your business. On time, every-time, and always in budget.

We deliver these services together with a dedicated team, made up of the very best industry talent, who consistently deliver the highest level of service to our clients. Our approach will provide you with detailed reporting and the actionable insights you need to prioritise and reduce risk at the fastest possible rate.

Wednesday, 25 July 2018

Cybersecurity: Invest Early to Protect Your Organization Long Term





Organisations should embrace cyber security compliance to ensure they can effectively navigate the threat landscape.



Recently, I met up with an old friend who’s a project manager for a small company in a highly regulated space. She told me of the trouble she's having getting her team to take compliance reporting requirements seriously. Because the company hasn't appointed a dedicated compliance manager, compliance responsibilities have been dropped in her lap. They have introduced a technology that is garnering a lot of attention in their field, so much so that they've been featured in trade magazines as an industry-disrupter. The team features some truly brilliant minds for whom this company represents the fruition of their life's work. What she's struggling with is getting her colleagues to see that the absence of a coherent body of controls, supported by verification and enforcement mechanisms, can lead to an abrupt and ignominious end for their company while also damaging their individual professional reputations.

Her problem is quite common. Organisations of all sizes are constantly looking for ways to be lean, so securing a Governance, Risk and Compliance (GRC) Lead is far down the list of budgetary priorities for many. In fact compliance programs are often regarded as a distraction, or even worse, a roadblock to innovation. Where such a dim view is held of the GRC role, compliance responsibilities are assigned in an ad-hoc manner with the directive from on high being to merely get the team ‘over the line.’  Of course, to an untrained eye, that line is hard to see. Then there's the matter of having the appropriate skill set and professional acumen to develop a strategy for getting across that line.

Rather than focusing merely on getting across an imaginary line, the organisations that are positioning themselves best for success over the long term are those that go above and beyond baseline security requirements. These organisations embrace a firm security posture because they want to establish in the minds of their clients and partners that they can be trusted with their most vital data. Once their information security practices achieve a high level of maturity, they don’t rest on their laurels. Instead they apply the principle of continuous improvement so that their defensive strategy evolves to adjust to the constantly changing threat landscape. By taking such a firm stance on cyber security, these organisations are not only protecting their critical data, they are protecting the organisation’s brand itself. This forward thinking approach to cyber security also enables these organisations to meet newer, and more stringent, regulatory requirements with only a few adjustments to their standard operations.

In young, disruptive firms like my friend's company, a GRC Lead's role is akin to that of an artist's manager, where the artist is freed to focus on the art while the manager addresses business matters. At her company, the GRC Lead must be capable of understanding the company's business model, identifying the various risks that the company faces, and building a control framework that aligns with business objectives while addressing those risks.

In taking this approach to building the company’s control framework, the GRC Lead increases the likelihood that the controls are appropriate to the business. From there the GRC Lead must craft assurance activities, such as evidence gathering and reporting, that can be generated in as efficient a manner as possible. Coherent compliance processes are more likely to be adopted by the people tasked with them, because they’re sensible as opposed to appearing to be onerous and arbitrary bureaucratic exercises. Successful GRC Leads create coherent compliance processes first by understanding control objectives, clearly explaining these objectives to the team, leveraging existing technologies to automate control activities (easing the burden on the staff) and then streamlining the reporting cycle. The streamlined reporting cycle affords decision makers the most up-to-date view into the organisation's cyber security risk exposure. With these reports, the GRC Lead must present to the decision makers concise, clear options for addressing these risks which explain their business impact as well as any actions needed to reduce the risk. Level of effort required to addressing a risk must be included in this explanation, so business leadership can make sound investment decisions that are in-line with their risk appetite. Beyond addressing current risks, the GRC Lead must keep an eye on the road ahead to see what threats may be looming on the horizon. Does this sound like a part time job?

It's not. Increasingly companies are coming to this realisation. The evidence is all around us. Reputations are being gutted by massive data breaches and poorly managed responses to them. Then there’s the introduction of regulations with real teeth, such as GDPR, which can take a huge bite out of a company's revenue. Leading organisations are responding by taking a pro-active approach to cyber security. They’re strengthening their security posture not because they see it as a necessary evil, but because they recognize it as a competitive advantage that will enable them to more effectively fight off the threats that could take down their weaker rivals. Plus, in the long run, it’s far less expensive to make minor adjustments to your operational practices in adhering to a new regulation than to turn your organisation upside down with each roll out of a new regulatory regime. For mature organisations, complying with new regulations may be as simple as conducting a control mapping exercise, for immature organisations compliance can require a major investment in resources as well as an enterprise wide cultural shift. Furthermore, when driven by regulations, rather than by a long-term strategy harmonious with business objectives, investments in cyber security can be wasteful and not truly fit for purpose. So, the key is to envision the strong, resilient posture you want for your organisation and work towards that. With that in mind I'll be delivering a series of webinars on practical steps in building up your organisation’s cyber security program.

However, please feel free to contact me in the meantime so we can discuss firming things up at your organisation.


Tuesday, 17 July 2018

Manual Pen Testing vs. Automated Scanning





One of the more common questions we at ZeroDayLab are asked is what we see as the benefits of a manual penetration testing approach versus automated solutions and vulnerability scanning, and how to best leverage the two to drive meaningful improvement to an organisations security posture. The terms are often used interchangeably and while both are essential parts of a mature information security program, the two are completely different in terms of expected results and benefits.

Vulnerability scanning refers to the use of automated scanners such as Nessus, Nexpose, and a plethora of other tools to scan systems in an attempt to identify known vulnerabilities which may be present on those systems. Additionally, many scanners exist which are tailored specifically for application security and attempt to identify common appsec related vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), XML External Entity Injection (XXE), and many other vulnerabilities, but are ultimately unable to exploit these same vulnerabilities to provide a real world understanding of what is at stake.

Although vulnerability scanning solutions have come along way in the last few years, they are still overly prone to false positives and can often be misleading, confusing, and time consuming for employees who are unsure how to validate the findings and who may struggle to understand the true risk and business impact associated with identified vulnerabilities on an organisation in order to effectively prioritise remediation steps.

Vulnerability scanning when used as part of a continual process within an information security program can make great strides towards elimination of low hanging fruit and vulnerabilities which are easy to discover and exploit, and can even help a company meet compliance requirements. Many companies run mature vulnerability assessments internally where scans are performed on a monthly, bi-monthly, or quarterly basis, or as part of infrastructure upgrades or migrations, and prior to major releases on a development life cycle. This is a crucial element of any mature security program and is a fast and efficient way to establish and maintain a baseline of security controls.

That being said, automated vulnerability scanning solutions lack the ability to report on discovered vulnerabilities in a meaningful way as the severity of vulnerabilities are often not representative of the true severity, and crucial information such as vulnerability details, reproduction steps, and remediation steps are often extremely difficult to understand or translate in such a way as to provide meaningful assistance in the development of a meaningful plan of action.

Manual penetration testing on the other hand employs a more hands-on approach which more closely emulates real world attack scenarios and is intended to identify logic flaws and vulnerabilities which pose a more significant threat to a company by highlighting the true business impact of discovered vulnerabilities to a company’s business model. Unlike vulnerability assessments which are typically one dimensional, penetration testing typically consists of 5 core phases:

·         Reconnaissance and Information Gathering
·         Discovery and Enumeration
·         Exploitation
·         Post Exploitation
·         Analysis and Reporting

One of the major benefits of manual penetration testing is that it allows for a more in-depth review of network infrastructure and applications and allows a company to more easily understand not only risk, but how to more effectively prioritise and remediate discovered vulnerabilities. Another significant advantage of penetration testing is that during an assessment a penetration tester can often use bits of information that automated scanners are unable to process and understand such as error messages and anomalous behaviour and identify ways in which normally lower risk vulnerabilities can be used in conjunction to create a significantly more dangerous attack chain.

Potentially the most significant benefit of a manual penetration test though, lies in what happens after a vulnerability is discovered. Post exploitation is in many cases where the real value of a penetration test exists and is where a penetration tester can assess what the true risk associated with a compromise is. Can an attacker escalate privileges? Can an attacker use a compromised web application or system to pivot further into the network? Can an attacker leverage a vulnerability or misconfiguration to ex-filtrate sensitive data? Can an attacker deface a website or otherwise cause a denial of service that would prevent end users from utilising the service and cause significant financial loss to a company?

Finally, penetration testing reports are much more granular and specific as compared to the output generated by automated tools and are crucial to driving effective remediation of discovered vulnerabilities and helping management as well as technical staff understand what is at risk, and what steps can be taken to lessen or eliminate that risk entirely.

Penetration testing and vulnerability assessments should work together and in stages to provide the best benefit to a company and help them move up the information security maturity curve. Companies should perform vulnerability assessments early and often to not only establish a baseline of the company’s overall security posture, but to build a road-map of how to strengthen that security posture over time, and is the first step in the development of a mature security program. Penetration testing is most efficient and valuable when an organisation’s security posture is relatively strong and similarly should be performed regularly to cover the gaps missed by vulnerability assessments. They help to identify key areas of concern and steps necessary to further elevate an organisation’s overall security posture and to continually progress up the security maturity curve.

Thursday, 5 July 2018

The Ins and Outs of OSINT





The industry consensus is that manual penetration testing is the best way to test your networks and web applications, finding vulnerabilities you didn’t know you had, and helping you protect your most valuable assets. This is justified, of course, but if you are looking for something that is just as important, then look no further than your Physical Security. It doesn’t always spring to mind, however information about your physical security (in the wrong hands) can be just as much of a chink in your armour as a failure in your coding can.  How easy is it to get into your building? Is there adequate security around your servers? Are your employees too trusting of strangers in their workplace? The hackers weapon of choice to exploit these vulnerabilities, is Open Source intelligence (OSINT). Here we discuss some of the techniques hackers will use and how you can being to protect against them.      

If you are not already familiar with the concept of Open Source Intelligence, or OSINT, it refers to any information about a target that can be gathered from public sources, and has been a staple of government operations, hacking - both ethical and unethical - as well as criminal investigations for many years. But OSINT can be incredibly valuable to a Physical Security Tester as well. In this blog we will demonstrate how it is possible to enumerate everything from the type of elevator and alarm system present in a building and who installed and serviced it, to pictures of employee badges and photographs of the target building from multiple angles. In addition, you can find sources and detailed information about people who work in that building, all from the comfort of your home office. This blog will highlight some of the ways we leverage Open Source Intelligence for physical security testing at a very high level. It is important to note however that none of the techniques in this article are intended to replace proper onsite reconnaissance. 

Geotagged social media posts:
In many ways platforms such as Twitter, Facebook, YouTube, Flickr, and Picasa are the OSINT goose that lays golden eggs, both in the amount of valuable intelligence they produce and the ease in which their APIs make this information available. Often without the user being made aware, these platforms allow anyone with API access to query for content created in the vicinity of a specific area based on embedded geographic metadata, and this is also true for all the smaller social media platforms that rely on them as a backend. Until quite recently Instagram allowed such queries but they have sadly made changes to their API to prevent this.  Tools such as the Recon-ng framework automate querying the APIs of Twitter, YouTube, Flickr, Picasa and Shodan (we will come back to Shodan later) as simply as feeding it API keys, GPS coordinates and a radius and it will happily gather all the Geotagged posts in the specified radius and overlay them over Google Maps for you. Unfortunately recon-ng currently is unable to query the Facebook Live API, however this information can still be gleaned as well as many other platforms  from the following URL (https://inteltechniques.com/osint/menu.maps.html). Geotagged social media posts are incredibly valuable not only because they reveal people who frequent a target area, but more importantly it gives us photos and videos of the target facility’s area from different perspectives, and can cut down the amount of time we need to spend onsite doing recon.

Sensitive information leaked via social media:
A rather strange trend that seems to be focused around new hires and exiting employees is to post pictures of their employee badge on social media. This not only simplifies the process of forging an employee badge but often, the badge ID number can be seen written on the badge which often is all that needs to be written to a RFID credential to be granted access by a reader. This kind of exposure is trivial to exploit with Google and Twitter’s own search engine. However the Twitter account @NeedAnIDBadge (https://twitter.com/needanidbadge) does a great job of archiving many of these posts. Besides pictures of employee IDs, it is often easy to identify corporate language, terms and organisational unit names from social networks like LinkedIn that can be extremely useful when assuming the pretext of an employee. Posts made by corporate social media accounts can also be used to gauge corporate culture and dress code, as well as events that can offer new pretexts as well. For example, if a major R&D lab announces that it is hosting a press conference that coincides with the engagement on Twitter, masquerading as a blogger or freelance journalist is a simple and effective pretext to gain access to the facility.

Open Government Records:
In many countries, but the United States especially, most if not all building permits and inspection records are a matter of public record. Cities like New York City and sometimes at a state level have Building Information System (BIS) portals where anyone can query what fire/burglar alarms were permitted in that building and who installed them. There should also be inspection records for elevators which often reveal the make, model and installer of a building’s elevator, something that can speed up the elevator attack process. A tester can also query similar portals to identify whether the target has a permit for armed or unarmed security guards. it is however important to note that if security guards are contracted to an agency as opposed to being proprietary they might not show up. It is also worth noting that not every company feels the need to hire licensed security guards or to go through official channels to contract them. Checking FCC filings can also reveal what radio frequencies security staff are utilising for their radios.

Satellite and other imagery sources:
Probably one of the most useful and least known assets in doing remote recon on a building is Mapillary. Mapillary is like Google Street View but instead of gathering photos with a car, Mapillary utilises crowd-sourced photographers with mobile phones and GoPros, which results in street-level photos of areas a car, and therefore Google Street View wouldn’t be able to access. I often find that if Google Street View can’t give me a good shot of a building, Mapillary can do the job. But besides Street View and Mapillary, Google Earth is a powerful tool not just for OSINT, but managing data gathered onsite as well. Not only can it ingest output from GPS-enabled tools or anything that outputs a KML. Sadly, I have not yet found an easy way to get Google Earth to ingest Recon-ng’s output yet, but it can parse geotagged photos as well, meaning that if you import photos taken with a GPS-enabled camera, it will become a pushpin on Google Earth. What also adds to the versatility of Google Earth is the wide array of overlays that can be imported into it; everything from weather satellite imagery to Bing maps.

This brings us to Open Streetcam and Shodan. While there are many sources like Open Streetcam and Shodan, these two I have found to be the best at what they do. Open Streetcam offers us the ability to identify and access security and traffic cameras that are exposed to the internet. While it’s a bit hit and miss (missing more often than not), Open Streetcam under the right circumstances offers us the ability to recon a building and, if the stars align, monitor it from the comfort of our own home office (and did I mention you can use it as a google earth overlay?). Shodan on the other hand, offers us the same potential and so much more. While most people are familiar with Shodan, an internet scanning service that allows users to search the majority of the internet for connected devices, I don’t think anyone fully grasps its full utility for Physical Security Testing. Using Shodan I have found countless security cameras, burglar alarm panels and other pieces of Physical Security Equipment exposed to the internet and ripe for compromise. If you recall I mentioned Shodan briefly in the context of recon-ng. Luckily for us Physical Security Testers, Shodan allows us to filter our searches to a geographic area, and because it is supported by recon-ng we can overlay its findings on the same map as our social media mining. I personally find it essential to check for internet exposed hardware whenever I do a Physical Security engagement.

ZeroDayLab is often engaged by our clients to carry out Physical Security Penetration Tests and Site Surveys on their various facilities. To ensure that we use our time onsite as efficiently as possible and that we deliver our clients as thorough and informative a report as possible, we have developed an Open Source Intelligence gathering methodology to gather as much pertinent information to a physical attacker as possible, before we even arrive on site. This blog should have helped you understand how Operational Security can have a huge Impact on Physical Security and how much of a force multiplier OSINT can be when conducting Physical Security Engagements.