EE 4GEE Mini Local Privilege Escalation Vulnerability

🗓️ 25 Sep 2018 00:00:00Reported by Osanda MalithType

zdt🔗 0day.today👁 45 Views

EE 4GEE Mini Local Privilege Escalation Vulnerability on Windows 10 64-bit and Windows 7 64-bit with Unquoted Service Path Vulnerability and Weak Folder Permission

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2018-14327	22 Sep 201823:09	–	circl
CNVD	4GEE WiFi Mini Local Privilege Vulnerability	27 Sep 201800:00	–	cnvd
CVE	CVE-2018-14327	26 Sep 201822:00	–	cve
Cvelist	CVE-2018-14327	26 Sep 201822:00	–	cvelist
Exploit DB	EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation	27 Sep 201800:00	–	exploitdb
EUVD	EUVD-2018-6249	7 Oct 202500:30	–	euvd
exploitpack	EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation	27 Sep 201800:00	–	exploitpack
NVD	CVE-2018-14327	26 Sep 201822:29	–	nvd
OSV	CVE-2018-14327	26 Sep 201822:29	–	osv
Packet Storm	EE 4GEE Mini Local Privilege Escalation	25 Sep 201800:00	–	packetstorm

# Title:             EE 4GEE Mini Local Privilege Escalation Vulnerability 
# Software Version:  EE40_00_02.00_44
# Tested on:         Windows 10 64-bit and Windows 7 64-bit
# Exploit Author:    Osanda Malith Jayathissa (@OsandaMalith)
# Original Advisory: http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html
# Original Write-up: https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/
# CVE: CVE-2018-14327 

Unquoted Service Path Vulnerability
-----------------------------------

C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS
 
SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Alcatel OSPREY3_MINI Modem Device Helper
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


Weak Folder Permissions
------------------------

C:\Program Files (x86)\Web Connecton>icacls EE40
EE40 Everyone:(OI)(CI)(F)
     NT SERVICE\TrustedInstaller:(I)(F)
     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
     NT AUTHORITY\SYSTEM:(I)(F)
     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
     BUILTIN\Administrators:(I)(F)
     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
     BUILTIN\Users:(I)(RX)
     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
 
Successfully processed 1 files; Failed processing 0 files
 
C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
EE40\BackgroundService Everyone:(OI)(CI)(F)
                       Everyone:(I)(OI)(CI)(F)
                       NT SERVICE\TrustedInstaller:(I)(F)
                       NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                       NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Users:(I)(RX)
                       BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
 
Successfully processed 1 files; Failed processing 0 files

Disclosure Timeline
---------------------
05-07-2018: The ZeroDayLab Consultant (Osanda Malith Jayathissa), reported the issue to EE via twitter
05-07-2018: Reported to Alcatel via email.
12-07-2018: Osanda Malith Jayathissa contacted MITRE.
16-07-2018: CVE assigned CVE-2018-14327.
25-07-2018: EE contacted Osanda Malith Jayathissa via email for more technical details.
26-07-2018: Phone call between Osanda Malith Jayathissa and EE to discuss the vulnerability further.
26-07-2018: EE confirms that patch will go live within one week.
03-08-2018: Osanda Malith Jayathissa contacted EE for an update on the patch and EE stated that they will respond with more information by Friday 10th of August.
10-08-2018: EE said that patch had been delayed and will notify Osanda Malith Jayathissa with an update.
23-08-2018: EE replies with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab Consultant confirmed the patch was working successfully.
03-09-2018: EE notified Osanda Malith Jayathissa saying the patch was released.

References
-----------
https://www.theregister.co.uk/2018/09/19/ee_modem_vuln/
https://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html

#  0day.today [2018-09-25]  #

25 Sep 2018 00:00Current

EPSS0.00792