How to analyze the EE 4GEE Mini local privilege escalation vulnerability

2025-01-21 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Many newcomers are unclear about how to analyze the local privilege escalation vulnerability in the EE 4GEE Mini. To help with that, the following article explains it in detail; anyone with this need can read along and hopefully take something away.

Preface

I bought a 4G modem some time ago. It is a portable 4G WiFi mobile broadband modem. One day, while troubleshooting, I was looking at the services installed on my computer and saw a strange one called "Alcatel OSPREY3_MINI Modem Device Helper". I wanted to know what it was, and then I thought it might belong to my EE 4G WiFi modem. After searching Google for a while, I found that the modem is made by Alcatel.

Then I looked at the installed service out of curiosity and found that there was a vulnerability.

C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Alcatel OSPREY3_MINI Modem Device Helper
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

However, because of the permissions on the parent folders, you cannot simply write a file there. At first I thought this wasn't a problem. But then I checked the permissions of the "EE40" folder, and w00t! It is set to "Everyone:(OI)(CI)(F)", which means that any user can read, write, execute, create or delete anything in this folder and its subfolders. The ACL entry carries OI (object inherit) and CI (container inherit), so every file and subfolder below it inherits the same full-control permission.

C:\Program Files (x86)\Web Connecton>icacls EE40
EE40 Everyone:(OI)(CI)(F)
     NT SERVICE\TrustedInstaller:(I)(F)
     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
     NT AUTHORITY\SYSTEM:(I)(F)
     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
     BUILTIN\Administrators:(I)(F)
     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
     BUILTIN\Users:(I)(RX)
     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
EE40\BackgroundService Everyone:(OI)(CI)(F)
                       Everyone:(I)(OI)(CI)(F)
                       NT SERVICE\TrustedInstaller:(I)(F)
                       NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                       NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Users:(I)(RX)
                       BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

Because "ServiceManager.exe" is the executable of a Windows service that runs as LocalSystem, replacing it with a malicious program of the same name means the attacker's binary is executed as "NT AUTHORITY\SYSTEM", the highest privilege level in the Windows operating system. This makes the flaw usable for local privilege escalation: for example, an attacker could plant a reverse shell from a low-privileged user account and, after the computer restarts, the service would start it as "NT AUTHORITY\SYSTEM", giving the attacker full SYSTEM access to the PC.
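The two conditions described above, a service running as LocalSystem whose ImagePath is unquoted and a service binary directory that Everyone can write to, can be audited across every service on a host. The following PowerShell script is an added example written for this article; it is not code from the original write-up or from EE or Alcatel. It uses only standard cmdlets (Get-CimInstance on Win32_Service, Get-Acl, Split-Path) and makes no changes. The list of identities it treats as low-privileged and the set of rights it treats as write access are this example's own choices. Re-running it after the registry and ACL fixes have been applied should no longer report the Alcatel service.

```powershell
# Added example: audit every Windows service for the two weaknesses discussed
# above - an unquoted ImagePath that contains spaces, and a binary directory
# whose ACL lets low-privileged users write. Read-only; run from an elevated
# PowerShell prompt so that all service directories' ACLs can be read.

# Identities treated as "any low-privileged user" (assumption of this example).
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Specific rights that allow adding, replacing or deleting files in a folder.
$WriteBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Generic access masks; icacls prints these as (GW) / (GA), Get-Acl as raw numbers.
$GENERIC_WRITE = 0x40000000
$GENERIC_ALL   = 0x10000000

function Get-ServiceBinaryPath {
    # Extract the executable from a service command line and note whether it was quoted.
    param([string]$PathName)
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -lt 0) { return $null }
        return [pscustomobject]@{ Exe = $p.Substring(1, $end - 1); Quoted = $true }
    }
    # Unquoted: the executable is everything up to the first ".exe".
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    return [pscustomobject]@{ Exe = $m.Groups[1].Value; Quoted = $false }
}

function Test-WeakDirectoryAcl {
    # Return a description of every Allow ACE that gives a low-privileged identity write access.
    param([string]$Directory)
    $findings = @()
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $raw = $ace.FileSystemRights.value__          # may be a GENERIC_* mask (negative number)
        $writable = (($raw -band [int]$WriteBits) -ne 0) -or
                    (($raw -band $GENERIC_WRITE) -ne 0) -or
                    (($raw -band $GENERIC_ALL) -ne 0)
        if ($writable) {
            $findings += ('{0} -> {1}' -f $ace.IdentityReference.Value, $ace.FileSystemRights)
        }
    }
    return $findings
}

$results = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $bin = Get-ServiceBinaryPath -PathName $svc.PathName
    if (-not $bin) { continue }

    $issues = @()
    if (-not $bin.Quoted -and $bin.Exe.Contains(' ')) {
        $issues += 'unquoted ImagePath containing spaces'
    }
    $dir = Split-Path -LiteralPath $bin.Exe -Parent
    if ($dir -and (Test-Path -LiteralPath $dir)) {
        try {
            $weak = Test-WeakDirectoryAcl -Directory $dir
            if ($weak) { $issues += ('writable binary directory: ' + ($weak -join '; ')) }
        } catch {
            $issues += "could not read ACL of $dir ($($_.Exception.Message))"
        }
    }

    if ($issues) {
        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName
            StartMode = $svc.StartMode
            ImagePath = $svc.PathName
            Issues    = ($issues -join ' | ')
        }
    }
}

if ($results) { $results | Format-List } else { 'No services with unquoted paths or writable binary directories found.' }
```

Services that run as LocalSystem with either finding deserve the most attention, since that is exactly the combination the Alcatel service had: a SYSTEM service whose binary any local user could replace. The directory check deliberately ignores read and execute rights (the (RX) and (GR,GE) entries in the icacls output above are normal for Program Files) and only flags entries that allow creating, replacing or deleting files.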

Firmware fix

The vulnerable software version is "EE40_00_02.00_44":

After the vulnerability was reported to EE, they released a patch that updates the modem. Follow these steps to update the modem to the latest patch:

1. Browse to the router's default gateway: http://192.168.1.1
2. Click the "Check for updates" text to update the firmware.

The patched version is "EE40_00_02.00_45". Also remove the previously installed software from your computer.

Manually fixing the registry entry

1. Type "regedit" in the Start menu or the Run prompt to open the Windows Registry Editor.
2. Go to this path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alcatel OSPREY3_MINI Modem Device Helper
3. Add double quotation marks around the executable path in the "ImagePath" value, so that it reads: "C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe" -start

The same can be done from the command line. Open a CMD prompt with administrative privileges and run the command for your platform.

For 64-bit Windows:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alcatel OSPREY3_MINI Modem Device Helper" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe\" -start" /f

For 32-bit Windows:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alcatel OSPREY3_MINI Modem Device Helper" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Web Connecton\EE40\BackgroundService\ServiceManager.exe\" -start" /f

Manually fix folder permissions

Open the CMD prompt, go to the location of the Alcatel modem service, and enter the following command.

cd "C:\Program Files\Web Connecton\"
icacls "EE40" /t /grant:r Everyone:(OI)(CI)R

On 64-bit Windows the folder is under "C:\Program Files (x86)", as in the paths shown earlier. The /grant:r switch replaces the existing Everyone entry (full control) with read-only access, and /t applies the change to every file and subfolder beneath EE40; run icacls EE40 again afterwards to confirm that the Everyone:(OI)(CI)(F) entry is gone.

Disclosure schedule

05-07-2018: ZeroDayLab consultant (Osanda Malith Jayathissa) reported this issue to EE via Twitter.
05-07-2018: Reported to Alcatel by email.
12-07-2018: Osanda Malith Jayathissa contacted MITRE.
16-07-2018: MITRE assigned CVE-2018-14327.
25-07-2018: EE contacted Osanda Malith Jayathissa by email for more technical details.
26-07-2018: Call between Osanda Malith Jayathissa and EE to discuss the vulnerability further.
26-07-2018: EE confirmed that the patch would be available within a week.
03-08-2018: Osanda Malith Jayathissa contacted EE for a patch update; EE said they would provide more information by Friday, August 10th.
10-08-2018: EE indicated that the patch had been postponed and would notify Osanda Malith Jayathissa of the update.
23-08-2018: EE replied with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab consultant confirmed that the patch worked.
03-09-2018: EE informed Osanda Malith Jayathissa that the patch had been released.
