EE 4GEE Mini Local Privilege Escalation

2018.09.25
Credit: Osanda Malith
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Title: EE 4GEE Mini Local Privilege Escalation Vulnerability
# Date: 22-09-2018
# Software Version: EE40_00_02.00_44
# Tested on: Windows 10 64-bit and Windows 7 64-bit
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
# Original Advisory: http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html
# Original Write-up: https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/
# CVE: CVE-2018-14327

Unquoted Service Path Vulnerability
-----------------------------------

C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Alcatel OSPREY3_MINI Modem Device Helper
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Weak Folder Permissions
------------------------

C:\Program Files (x86)\Web Connecton>icacls EE40
EE40 Everyone:(OI)(CI)(F)
     NT SERVICE\TrustedInstaller:(I)(F)
     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
     NT AUTHORITY\SYSTEM:(I)(F)
     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
     BUILTIN\Administrators:(I)(F)
     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
     BUILTIN\Users:(I)(RX)
     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
EE40\BackgroundService Everyone:(OI)(CI)(F)
                       Everyone:(I)(OI)(CI)(F)
                       NT SERVICE\TrustedInstaller:(I)(F)
                       NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                       NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Users:(I)(RX)
                       BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

Disclosure Timeline
---------------------

05-07-2018: The ZeroDayLab Consultant (Osanda Malith Jayathissa), reported the issue to EE via twitter
05-07-2018: Reported to Alcatel via email.
12-07-2018: Osanda Malith Jayathissa contacted MITRE.
16-07-2018: CVE assigned CVE-2018-14327.
25-07-2018: EE contacted Osanda Malith Jayathissa via email for more technical details.
26-07-2018: Phone call between Osanda Malith Jayathissa and EE to discuss the vulnerability further.
26-07-2018: EE confirms that patch will go live within one week.
03-08-2018: Osanda Malith Jayathissa contacted EE for an update on the patch and EE stated that they will respond with more information by Friday 10th of August.
10-08-2018: EE said that patch had been delayed and will notify Osanda Malith Jayathissa with an update.
23-08-2018: EE replies with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab Consultant confirmed the patch was working successfully.
03-09-2018: EE notified Osanda Malith Jayathissa saying the patch was released.

References
-----------

https://www.theregister.co.uk/2018/09/19/ee_modem_vuln/
https://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html
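An audit check for the two findings in the advisory above, added here as an example and not part of the original advisory or of any EE/Alcatel tooling: it parses saved `sc qc` and `icacls` text output, flags an unquoted service path containing spaces, proposes the quoted form, and lists ACEs that give broad groups write access. The function names, the BROAD and WRITE lists and the embedded sample strings (excerpts of the advisory's own output) are assumptions of this example.

```python
import re

# Assumed list of principals that include ordinary, unprivileged users.
BROAD = ("everyone", "builtin\\users", "nt authority\\authenticated users")
WRITE = {"F", "M", "W"}  # icacls rights that allow creating or replacing files

# Constructed sample input: excerpts of the advisory's command output.
SC_QC = r"""
SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
        BINARY_PATH_NAME   : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
        SERVICE_START_NAME : LocalSystem
"""
ICACLS = r"""
EE40\BackgroundService Everyone:(OI)(CI)(F)
                       Everyone:(I)(OI)(CI)(F)
                       NT AUTHORITY\SYSTEM:(I)(F)
                       BUILTIN\Users:(I)(RX)
                       BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
"""

def binary_path(sc_qc_output):
    """Return the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", sc_qc_output, re.M)
    return m.group(1) if m else None

def _exe(path):
    # Executable part of an unquoted command line: everything up to ".exe".
    return re.match(r"(?i)(.+?\.exe)(?=\s|$)", path)

def is_unquoted_with_spaces(path):
    """True when the .exe path is unquoted and contains a space."""
    m = None if path.startswith('"') else _exe(path)
    return bool(m) and " " in m.group(1)

def quoted(path):
    """Return the command line with the executable path wrapped in quotes."""
    m = _exe(path)
    return '"%s"%s' % (m.group(1), path[m.end():]) if m else path

def weak_aces(icacls_output):
    """Return (principal, rights) for ACEs that give a broad group write access."""
    found = []
    for line in icacls_output.splitlines():
        head, sep, tail = line.strip().partition(":(")
        groups = re.findall(r"\(([^)]*)\)", "(" + tail) if sep else []
        if not groups:
            continue  # not an ACE line (blank line, summary line)
        rights = groups[-1]  # the last group holds the access rights
        for name in BROAD:   # the first line is prefixed by the object name
            if re.search(r"(^|\s)" + re.escape(name) + "$", head.lower()):
                if set(rights.split(",")) & WRITE:
                    found.append((name, rights))
    return found
```

Services whose image path is not an `.exe` are reported as not affected by `is_unquoted_with_spaces`; extend `_exe` if such services need to be covered.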

