Packet Storm | Osanda Malith | PACKETSTORM:149492
Sep 25, 2018 - 12:00 a.m.

EE 4GEE Mini Local Privilege Escalation

2018-09-25 00:00:00
Osanda Malith
packetstormsecurity.com

EPSS: 0.001 (Low), percentile 39.8%

`# Title: EE 4GEE Mini Local Privilege Escalation Vulnerability   
# Date: 22-09-2018  
# Software Version: EE40_00_02.00_44  
# Tested on: Windows 10 64-bit and Windows 7 64-bit  
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)  
# Original Advisory: http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html  
# Original Write-up: https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/  
# CVE: CVE-2018-14327   
  
Unquoted Service Path Vulnerability  
-----------------------------------  
  
C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper  
TYPE : 110 WIN32_OWN_PROCESS (interactive)  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : Alcatel OSPREY3_MINI Modem Device Helper  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
  
Weak Folder Permissions  
------------------------  
  
C:\Program Files (x86)\Web Connecton>icacls EE40  
EE40 Everyone:(OI)(CI)(F)  
NT SERVICE\TrustedInstaller:(I)(F)  
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)  
NT AUTHORITY\SYSTEM:(I)(F)  
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)  
BUILTIN\Administrators:(I)(F)  
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)  
BUILTIN\Users:(I)(RX)  
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)  
CREATOR OWNER:(I)(OI)(CI)(IO)(F)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)  
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)  
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)  
  
Successfully processed 1 files; Failed processing 0 files  
  
C:\Program Files (x86)\Web Connecton>  
C:\Program Files (x86)\Web Connecton>  
C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService  
EE40\BackgroundService Everyone:(OI)(CI)(F)  
Everyone:(I)(OI)(CI)(F)  
NT SERVICE\TrustedInstaller:(I)(F)  
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)  
NT AUTHORITY\SYSTEM:(I)(F)  
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)  
BUILTIN\Administrators:(I)(F)  
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)  
BUILTIN\Users:(I)(RX)  
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)  
CREATOR OWNER:(I)(OI)(CI)(IO)(F)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)  
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)  
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)  
  
Successfully processed 1 files; Failed processing 0 files  
  
Disclosure Timeline  
---------------------  
05-07-2018: The ZeroDayLab Consultant (Osanda Malith Jayathissa) reported the issue to EE via Twitter.  
05-07-2018: Reported to Alcatel via email.  
12-07-2018: Osanda Malith Jayathissa contacted MITRE.  
16-07-2018: CVE assigned CVE-2018-14327.  
25-07-2018: EE contacted Osanda Malith Jayathissa via email for more technical details.  
26-07-2018: Phone call between Osanda Malith Jayathissa and EE to discuss the vulnerability further.  
26-07-2018: EE confirms that patch will go live within one week.  
03-08-2018: Osanda Malith Jayathissa contacted EE for an update on the patch and EE stated that they will respond with more information by Friday 10th of August.  
10-08-2018: EE said that patch had been delayed and will notify Osanda Malith Jayathissa with an update.  
23-08-2018: EE replies with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab Consultant confirmed the patch was working successfully.  
03-09-2018: EE notified Osanda Malith Jayathissa saying the patch was released.  
  
References  
-----------  
https://www.theregister.co.uk/2018/09/19/ee_modem_vuln/  
https://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html  
  
`
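
An added example (not part of the original advisory or the author's tooling): a Python check that reads the `sc qc` and `icacls` output shown above and reports the two conditions the advisory documents, an unquoted service path containing spaces and write-capable ACEs held by broad principals. The function names and the principal and rights lists are assumptions of this example; the sample input is abridged from the output above, and `quoted_fix` shows the generic remediation for an unquoted path, not the vendor's patch.

```python
import re

# Sample input abridged from the sc qc and icacls output in the advisory above.
SC_QC = r"""
SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
BINARY_PATH_NAME : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
SERVICE_START_NAME : LocalSystem
"""
ICACLS = r"""
EE40\BackgroundService Everyone:(OI)(CI)(F)
Everyone:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
"""
# Assumption: the low-privilege principals worth flagging in an audit.
BROAD = ("Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users")
WRITE = {"F", "M", "W", "WD", "AD", "GW", "GA"}   # rights that allow writing
INHERIT = {"I", "OI", "CI", "IO", "NP"}           # inheritance flags, not rights

def service_field(sc_output, name):
    """Return the value of one 'NAME : value' field from sc qc output."""
    m = re.search(rf"^\s*{name}\s*:\s*(.*?)\s*$", sc_output, re.M)
    return m.group(1) if m else None

def exe_part(bin_path):
    """Match the executable portion (up to the first .exe) of an unquoted path."""
    return None if bin_path.startswith('"') else re.match(r"(?i).*?\.exe", bin_path)

def is_unquoted_with_spaces(bin_path):
    exe = exe_part(bin_path)
    return bool(exe and " " in exe.group(0))

def quoted_fix(bin_path):
    """Return the path with the executable quoted and arguments left outside."""
    exe = exe_part(bin_path)
    return f'"{exe.group(0)}"{bin_path[exe.end():]}' if exe else bin_path

def weak_aces(icacls_output):
    """List (principal, rights) ACEs that give a broad principal write access."""
    found = []
    for line in icacls_output.splitlines():
        for who in BROAD:
            m = re.search(re.escape(who) + r":((?:\([A-Z,]+\))+)\s*$", line)
            groups = re.findall(r"\(([A-Z,]+)\)", m.group(1)) if m else []
            rights = {r for g in groups for r in g.split(",")} - INHERIT
            if rights & WRITE:
                found.append((who, ",".join(sorted(rights))))
    return found

def audit(sc_output, icacls_output):
    path = service_field(sc_output, "BINARY_PATH_NAME")
    return {"account": service_field(sc_output, "SERVICE_START_NAME"),
            "unquoted": is_unquoted_with_spaces(path), "fix": quoted_fix(path),
            "weak_aces": weak_aces(icacls_output)}
```
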
