Pasted by a guest, Sep 20th, 2018
Monday, 17 September 2018
ZeroDayLab Discovers EE Local Privilege Escalation Vulnerability CVE-2018-14327
EE forms part of BT Group, the largest digital communications company in the UK, and boasts of serving more than 31 million connections across its mobile, fixed and wholesale networks. But it was a flaw in EE’s 4G Mini WiFi modem that caught the eye of ZeroDayLab Security Consultants: once installed, the modem’s software weakened the customer’s defenses. As a result of the vulnerability, cyber criminals who had already gained access to an EE customer’s laptop or PC would be able to bypass access permissions and gain full administrative/system rights by escalating privileges. This means the cyber criminal is able to perform any number of malicious actions, such as planting malware or rootkits, logging keystrokes or stealing personal information.

In this article we take you through the vulnerability found by ZeroDayLab and the action EE customers need to take to apply the patch that fixes it.

EE customers have been going about their business up and down the country, connecting to the web while on the move, oblivious to the potential danger that their latest gadget has been exposing them to. ZeroDayLab’s Chief Technical Officer Paul Brereton said “by installing the EE modem, users have been unwittingly significantly weakening the security of their operating environment (Windows), allowing a local attacker, malicious application or targeted malware to gain full unrestricted administrative access to the operating environment and bypassing the protections in place.”

The vulnerability discovered by ZeroDayLab is exploitable with relatively little effort from a potential cyber criminal – the level of sophistication and effort required to execute this attack is minimal, which makes this a significant vulnerability.

ZeroDayLab took the decision not to disclose this vulnerability without first working with EE to find a suitable patch. The vulnerability was discovered by one of ZeroDayLab’s Security Consultants, Osanda Malith Jayathissa (@OsandaMalith). Below, Osanda talks you through the details of the vulnerability and the resulting patch from EE.

The Vulnerability
The EE 4G WiFi Modem installs a service called Alcatel OSPREY3_MINI Modem Device Helper (the modem is manufactured by Alcatel). It’s here that we found the unquoted service path vulnerability: the service binary path below contains spaces but is not wrapped in quotes.

C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alcatel OSPREY3_MINI Modem Device Helper
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

You can’t directly write files into “Program Files (x86)” because of its folder permissions, which at first sight would suggest this issue isn’t worth reporting. If, however, you look at the permissions of the “EE40” folder, lo and behold, they had been set to “Everyone:(OI)(CI)(F)”. The result is that any user can read, write, execute, create or delete files, or perform any number of malicious actions, inside that folder and its subfolders. The ACL entries carried OI (Object Inherit) and CI (Container Inherit), which means every file in this folder and its subfolders inherits full permissions.

C:\Program Files (x86)\Web Connecton>icacls EE40
EE40 Everyone:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
EE40\BackgroundService Everyone:(OI)(CI)(F)
Everyone:(I)(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

Since the “ServiceManager.exe” executable is run as a Windows service, planting a malicious program with the same name “ServiceManager.exe” in its place results in that binary being executed as “NT AUTHORITY\SYSTEM”, the highest privilege level in a Windows operating system. This vulnerability can therefore be used to escalate privileges locally. For example, an attacker could plant a reverse shell from a low-privileged user account; on the next reboot the malicious service is started as “NT AUTHORITY\SYSTEM”, giving the attacker full system access to the remote PC.

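As an added defensive example (this is not code from ZeroDayLab, EE or Alcatel), the following PowerShell script audits every service on the local host for the two conditions shown above: a binary path that is unquoted while containing spaces, and a binary directory whose ACL grants write-class rights to a broad principal. The “Everyone:(OI)(CI)(F)” entry on the EE40 folder is exactly the kind of ACE it reports. The list of broad principals, the rights mask and the function names are my own choices and are assumptions, not anything the vendor ships.

```powershell
# Added example, not vendor code: flag services whose binary path is unquoted with spaces,
# or whose binary directory lets broad groups write. Run from an elevated PowerShell prompt.
# Service names and paths are read live from Win32_Service; nothing is hard-coded to EE.

# Assumption: principals that should never be able to write into a service binary's folder.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow adding or replacing a file, or rewriting the ACL itself.
# FullControl (F) and Modify (M) both include these bits, so they are caught too.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Inherit-only ACEs often carry generic rights (icacls shows GW / GA); treat those as write.
$GenericWrite = 0x40000000
$GenericAll   = 0x10000000

function Get-ServiceBinaryPath {
    # Pull the executable out of a service PathName, in either the quoted form
    # ("C:\Program Files\x\y.exe" -arg) or the unquoted form (C:\Program Files\x\y.exe -start).
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)\b')  { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-UnquotedPath {
    # True when the path is not quoted and the executable path contains a space,
    # which is what the "sc qc" output for ServiceManager.exe shows.
    param([string]$PathName)
    return ($PathName -notmatch '^\s*"') -and ((Get-ServiceBinaryPath $PathName) -match ' ')
}

function Get-WeakAces {
    # Return the Allow ACEs on a directory that give a broad principal write-class rights.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return @() }
    $acl = Get-Acl -LiteralPath $Directory
    $acl.Access | Where-Object {
        $raw = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        ( ($raw -band [int]$WriteMask) -ne 0 -or
          ($raw -band $GenericWrite)   -ne 0 -or
          ($raw -band $GenericAll)     -ne 0 )
    }
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ([string]::IsNullOrWhiteSpace($svc.PathName)) { continue }
    $exe      = Get-ServiceBinaryPath $svc.PathName
    $dir      = Split-Path -Path $exe -Parent
    $unquoted = Test-UnquotedPath $svc.PathName
    $weak     = @(Get-WeakAces $dir)
    if ($unquoted -or $weak.Count -gt 0) {
        [pscustomobject]@{
            Service      = $svc.Name
            RunsAs       = $svc.StartName          # LocalSystem here is what makes it severe
            BinaryPath   = $svc.PathName
            UnquotedPath = $unquoted
            WeakAces     = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        }
    }
}

$findings | Sort-Object RunsAs, Service | Format-Table -AutoSize -Wrap
```

Any row whose RunsAs is LocalSystem and whose WeakAces column is non-empty is the same situation as the EE40 folder: a binary that starts as SYSTEM from a directory an ordinary user can write to. The usual remediation, beyond installing the vendor’s patch, is to strip the broad grant from the directory tree with icacls, for example icacls "<binary directory>" /remove:g Everyone /T, and to quote the service path in the service’s ImagePath so that the unquoted-path issue is closed independently of the ACL fix.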
And now for the fix.
Updating to the Patched Version
The vulnerable software version is “EE40_00_02.00_44”.

After ZeroDayLab reported the vulnerability to EE, EE released a patch to update the modem. Follow these steps to update your modem to the latest patch:

1. Go to your router’s default gateway: http://192.168.1.1.
2. Click on the “Check for Update” text to update your firmware.

After updating, the patched software version is “EE40_00_02.00_45”. Then remove the previously installed software from your computer.

Disclosure Timeline

05-07-2018: The ZeroDayLab consultant (Osanda Malith Jayathissa) reported the issue to EE via Twitter.
05-07-2018: Reported to Alcatel via email.
12-07-2018: Osanda Malith Jayathissa contacted MITRE.
16-07-2018: CVE assigned: CVE-2018-14327.
25-07-2018: EE contacted Osanda Malith Jayathissa via email for more technical details.
26-07-2018: Phone call between Osanda Malith Jayathissa and EE to discuss the vulnerability further.
26-07-2018: EE confirms that the patch will go live within one week.
03-08-2018: Osanda Malith Jayathissa contacted EE for an update on the patch; EE stated that they would respond with more information by Friday 10th of August.
10-08-2018: EE said that the patch had been delayed and that they would notify Osanda Malith Jayathissa with an update.
23-08-2018: EE replies with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab consultant confirmed the patch was working successfully.
03-09-2018: EE notified Osanda Malith Jayathissa that the patch was released.

About ZeroDayLab

ZeroDayLab is a CREST accredited IT Security consultancy whose sole purpose is to help reduce the risk of cyber-attack and data breaches in your business. In doing so, we help to protect your business from loss of revenue, reputational damage, regulatory fines and disruption to operations.

Our success has meant we now work with some of the biggest and most influential global organisations, across almost every industry, including Financial Services, E-business, Retail, Telco, Travel & Leisure, Pharmaceuticals, Defense and Transport.

Many of our clients say that they choose us because of our unique approach to Total Security Management, which enables us to cater for all your Ethical Hacking, Governance, Risk and Compliance, Education & Training, and Managed Service needs. We do this in a way that is appropriate, proportionate and right for the level of risk in your business. On time, every time, and always in budget.

We deliver these services together with a dedicated team, made up of the very best industry talent, who consistently deliver the highest level of service to our clients. Our approach will provide you with detailed reporting and the actionable insights you need to prioritise and reduce risk at the fastest possible rate.

Posted at 13:49