Monday, 17 September 2018

ZeroDayLab Discovers EE Local Privilege Escalation Vulnerability CVE-2018-14327

EE forms part of BT Group, the largest digital communications company in the UK, and boasts of serving more than 31 million connections across its mobile, fixed and wholesale networks. But it was a flaw in EE’s 4G Mini WiFi modem that caught the eye of ZeroDayLab Security Consultants: once the modem’s software was installed, it weakened the customer’s defences. As a result of the vulnerability, cyber criminals would be able to bypass access permissions and gain full administrative/system rights by escalating privileges once they had gained access to the EE customer’s laptop or PC. This means the cyber criminal is able to perform any number of malicious actions, such as planting malware or rootkits, logging keystrokes, or stealing personal information.

In this article we take you through the vulnerability found by ZeroDayLab and the action EE customers need to take to apply the patch to fix this vulnerability.

EE customers have been going about their business up and down the country, connecting to the web while on the move oblivious to the potential danger that their latest gadget has been exposing them to. ZeroDayLab’s Chief Technical Officer Paul Brereton said “by installing the EE modem, users have been unwittingly significantly weakening the security of their operating environment (Windows), allowing a local attacker, malicious application or targeted malware to gain full unrestricted administrative access to the operating environment and bypassing the protections in place.”

The vulnerability discovered by ZeroDayLab is exploitable with relatively little effort from a potential cyber criminal – the level of sophistication and effort required to execute this attack is minimal, making this a significant vulnerability.

ZeroDayLab took the decision not to disclose this vulnerability without first working with EE to find a suitable patch. The vulnerability was discovered by one of ZeroDayLab’s Security Consultants, Osanda Malith Jayathissa (@OsandaMalith). Here Osanda talks you through the details of the vulnerability and the resulting patch from EE.

The Vulnerability
The EE 4G WiFi Modem installs a service called Alcatel OSPREY3_MINI Modem Device Helper (The modem is manufactured by Alcatel). It’s here that we found the unquoted service path vulnerability.

C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Alcatel OSPREY3_MINI Modem Device Helper
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


You can’t directly write files to the service’s own directory because of its folder permissions, which at first sight would suggest this issue isn’t worth reporting. If, however, you look at the folder permissions of the parent “EE40” folder then, lo and behold, these had been set to “Everyone:(OI)(CI)(F)”. The result is that any user can read, write, execute, create, delete or do any number of malicious actions inside that folder and its subfolders. The ACL entry carries OI (Object Inherit) and CI (Container Inherit), which means every file and subfolder beneath “EE40”, including “BackgroundService”, inherits the Full control permission for Everyone.

C:\Program Files (x86)\Web Connecton>icacls EE40
EE40 Everyone:(OI)(CI)(F)
     NT SERVICE\TrustedInstaller:(I)(F)
     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
     NT AUTHORITY\SYSTEM:(I)(F)
     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
     BUILTIN\Administrators:(I)(F)
     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
     BUILTIN\Users:(I)(RX)
     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
EE40\BackgroundService Everyone:(OI)(CI)(F)
                       Everyone:(I)(OI)(CI)(F)
                       NT SERVICE\TrustedInstaller:(I)(F)
                       NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                       NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Users:(I)(RX)
                       BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

Since “ServiceManager.exe” is the executable of a Windows service, planting a malicious program with the same name “ServiceManager.exe” in its place results in that binary being executed as “NT AUTHORITY\SYSTEM”, the highest privilege level in a Windows operating system. This vulnerability can therefore be used to escalate privileges locally on a Windows machine. For example, an attacker can plant a reverse shell from a low-privileged user account and, by restarting the computer, the malicious service will be started as “NT AUTHORITY\SYSTEM”, giving the attacker full system access to the remote PC.
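The two weaknesses shown above (an unquoted service binary path, and a service binary directory that grants write rights to Everyone) are both things an administrator can audit for on any Windows host. The following PowerShell script is an added example written for this article; it is not part of the ZeroDayLab advisory or of EE’s software. It walks every installed service, extracts the executable from its command line, and reports services whose path is unquoted and contains spaces, or whose directory grants write or delete rights to broad principals such as Everyone or BUILTIN\Users. The list of “broad” principals and the write/delete mask are assumptions chosen for this example; run it from an elevated PowerShell prompt on the host being audited.

```powershell
# Added audit example: flags services whose binary directory is writable by
# broad principals, or whose command line is an unquoted path with spaces.
# Not part of the original advisory; principal list and rights mask are
# assumptions made for this example.

$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal create, overwrite or delete files in a folder.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted command line: the executable is the quoted part.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted command line: take everything up to the first ".exe".
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }

    $exe = Get-ServiceBinaryPath $svc.PathName
    $dir = Split-Path -Path $exe -Parent
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }

    # Unquoted path containing a space: the classic unquoted service path case.
    $unquoted = ($svc.PathName -notmatch '^"') -and ($exe -match ' ')

    # Allow ACEs for broad principals that include any write or delete bit.
    # Casting to [int] also handles generic-rights ACEs such as (GR,GE).
    $weakAces = (Get-Acl -LiteralPath $dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    }

    if ($unquoted -or $weakAces) {
        [pscustomobject]@{
            Service      = $svc.Name
            RunsAs       = $svc.StartName
            Binary       = $exe
            UnquotedPath = $unquoted
            WritableBy   = ($weakAces | ForEach-Object { $_.IdentityReference.Value } |
                            Sort-Object -Unique) -join ', '
        }
    }
}

$findings | Format-Table -AutoSize
```

On a host with the vulnerable EE40 package installed, the “Alcatel OSPREY3_MINI Modem Device Helper” service would be listed with RunsAs “LocalSystem”, UnquotedPath True and WritableBy “Everyone”, matching the sc and icacls output above. Until the patched software is installed, an administrator can remove the offending ACE with the standard icacls syntax, for example `icacls "C:\Program Files (x86)\Web Connecton\EE40" /remove:g Everyone /T`, which leaves the inherited TrustedInstaller, SYSTEM and Administrators entries in place.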

And now for the fix.

Updating to the Patched Version

The vulnerable software version is “EE40_00_02.00_44”



After reporting the vulnerability to EE, they have released a patch to update the modem. Follow these steps to update your modem to the latest patch update.

1. Go to your router’s default gateway: http://192.168.1.1
2. Click on the “Check for Update” text to update your firmware.

After updating, the patched software version is “EE40_00_02.00_45”. Also remove the previously installed software from your computer.






Disclosure Timeline

05-07-2018: The ZeroDayLab Consultant (Osanda Malith Jayathissa) reported the issue to EE via Twitter.
05-07-2018: Reported to Alcatel via email.
12-07-2018: Osanda Malith Jayathissa contacted MITRE.
16-07-2018: CVE assigned CVE-2018-14327.
25-07-2018: EE contacted Osanda Malith Jayathissa via email for more technical details.
26-07-2018: Phone call between Osanda Malith Jayathissa and EE to discuss the vulnerability further.
26-07-2018: EE confirms that patch will go live within one week.
03-08-2018: Osanda Malith Jayathissa contacted EE for an update on the patch and EE stated that they will respond with more information by Friday 10th of August.
10-08-2018: EE said that patch had been delayed and will notify Osanda Malith Jayathissa with an update.
23-08-2018: EE replies with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab Consultant confirmed the patch was working successfully.
03-09-2018: EE notified Osanda Malith Jayathissa saying the patch was released.



About ZeroDayLab

ZeroDayLab is a CREST-accredited IT Security consultancy whose sole purpose is to help reduce the risk of cyber-attack and data breaches in your business. In doing so, we help to protect your business from loss of revenue, reputational damage, regulatory fines and disruption to operations.

Our success has meant we now work with some of the biggest and most influential global organisations, across almost every industry, including Financial Services, E-business, Retail, Telco, Travel & Leisure, Pharmaceuticals, Defense and Transport.

Many of our clients say that they choose us because of our unique approach to Total Security Management, which enables us to cater for all your Ethical Hacking, Governance, Risk and Compliance, Education & Training, and Managed Service needs. We do this in a way that is appropriate, proportionate and right for the level of risk in your business. On time, every time, and always in budget.

We deliver these services together with a dedicated team, made up of the very best industry talent, who consistently deliver the highest level of service to our clients. Our approach will provide you with detailed reporting and the actionable insights you need to prioritise and reduce risk at the fastest possible rate.
