Monday 17 September 2018

ZeroDayLab Discovers EE Local Privilege Escalation Vulnerability CVE-2018-14327

EE forms part of BT Group, the largest digital communications company in UK, and boasts of serving more than 31 million connections across its mobile, fixed and wholesale networks. But it was a flaw in EE’s 4G Mini WiFi modem that caught the eye of ZeroDayLab Security Consultants, and that when installed weakened the customers defenses. As a result of the vulnerability cyber criminals would be able to bypass access permissions and gain full administrative/system rights by escalating privileges, once they have gained access to the EE customer’s Laptop or PC. This means the cyber criminal is able to perform any number of malicious actions, such as planting Malware, Rootkits, Log key strokes or stealing personal information.

In this article we take you through the vulnerability found by ZeroDayLab and the action EE customers need to take to apply the patch to fix this vulnerability.

EE customers have been going about their business up and down the country, connecting to the web while on the move oblivious to the potential danger that their latest gadget has been exposing them to. ZeroDayLab’s Chief Technical Officer Paul Brereton said “by installing the EE modem, users have been unwittingly significantly weakening the security of their operating environment (Windows), allowing a local attacker, malicious application or targeted malware to gain full unrestricted administrative access to the operating environment and bypassing the protections in place.”

The vulnerability discovered by ZeroDayLab is exploitable with relatively little effort from a potential cyber criminal – the level of sophistication and effort required to execute this attack is minimal, making this a significant vulnerability.

ZeroDayLab took the decision not to disclose this vulnerability without first working with EE to find a suitable patch. This vulnerability was discovered by one of ZeroDayLab’s Security Consultants, Osanda Malith Jayathissa (@OsandaMalith). Here Osanda talks you through the details of the vulnerability and the resulting patch from EE below.

The Vulnerability
The EE 4G WiFi Modem installs a service called Alcatel OSPREY3_MINI Modem Device Helper (The modem is manufactured by Alcatel). It’s here that we found the unquoted service path vulnerability.

C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Alcatel OSPREY3_MINI Modem Device Helper
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


You can’t directly write files because of folder permissions, which at first sight would suggest this issue isn’t worthy of being reported. If however you look at the folder permissions of the “EE40” folder and low and behold, these had been set to “Everyone:(OI)(CI)(F)”. The result being that any user can read, write, execute, create, delete or do any number or malicious actions inside that folder and its subfolders. The ACL rules had OI – Object Inherit and CI – Container Inherit which means all the files in this folder and subfolders have full permissions.

C:\Program Files (x86)\Web Connecton>icacls EE40
EE40 Everyone:(OI)(CI)(F)
     NT SERVICE\TrustedInstaller:(I)(F)
     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
     NT AUTHORITY\SYSTEM:(I)(F)
     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
     BUILTIN\Administrators:(I)(F)
     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
     BUILTIN\Users:(I)(RX)
     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
EE40\BackgroundService Everyone:(OI)(CI)(F)
                       Everyone:(I)(OI)(CI)(F)
                       NT SERVICE\TrustedInstaller:(I)(F)
                       NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                       NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Users:(I)(RX)
                       BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

Since “ServiceManager.exe” executable is a Windows service, by planting a malicious program with the same name “ServiceManager.exe” would result in executing the binary as “NT AUTHORITY\SYSTEM” giving highest privileges in a Windows operating system. This vulnerability can be used to escalate privileges in a Windows operating system locally. For example, an attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as “NT AUTHORITY\SYSTEM” by giving the attacker full system access to the remote PC.

And now for the fix.

Updating to the Patched Version

The vulnerable software version is “EE40_00_02.00_44”



After reporting the vulnerability to EE, they have released a patch to update the modem. Follow these steps to update your modem to the latest patch update.

1.       Go to your router’s default gateway: http://192.168.1.1.       
2.    Click on the “Check for Update” text to update your firmware.

After updating, the patched software version is “EE40_00_02.00_45” and remove the previously installed software from your computer.






Disclosure Timeline

05-07-2018: The ZeroDayLab Consultant (Osanda Malith Jayathissa), reported the issue to EE via twitter
05-07-2018: Reported to Alcatel via email.
12-07-2018: Osanda Malith Jayathissa contacted MITRE.
16-07-2018: CVE assigned CVE-2018-14327.
25-07-2018: EE contacted Osanda Malith Jayathissa via email for more technical details.
26-07-2018: Phone call between Osanda Malith Jayathissa and EE to discuss the vulnerability further.
26-07-2018: EE confirms that patch will go live within one week.
03-08-2018: Osanda Malith Jayathissa contacted EE for an update on the patch and EE stated that they will respond with more information by Friday 10th of August.
10-08-2018: EE said that patch had been delayed and will notify Osanda Malith Jayathissa with an update.
23-08-2018: EE replies with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab Consultant confirmed the patch was working successfully.
03-09-2018: EE notified Osanda Malith Jayathissa saying the patch was released.



About ZeroDayLab

ZeroDayLab is a CREST accredited IT Security consultancy whose sole purpose is to help reduce the risk of cyber-attack and data breaches in your business. In doing so, we help to protect your business from loss of revenue, reputational damage, regulatory fines and disruption to operations.

Our success has meant we now work with some of the biggest and most influential global organisations, across almost every industry, including Financial Services, E-business, Retail, Telco, Travel & Leisure, Pharmaceuticals, Defense and Transport.

Many of our clients say that they choose us because of our unique approach to Total Security Management, that enables us to cater for all your Ethical Hacking, Governance, Risk, and Compliance, Education & Training, and Managed Service needs. We do this in a way that is appropriate, proportionate and right for the level of risk in your business. On time, every-time, and always in budget.

We deliver these services together with a dedicated team, made up of the very best industry talent, who consistently deliver the highest level of service to our clients. Our approach will provide you with detailed reporting and the actionable insights you need to prioritise and reduce risk at the fastest possible rate.