=======================================================================
title: Extensive file permissions on service executable
product: Eikon Thomson Reuters
vulnerable version: 4.0.42144
fixed version: -
CVE number: CVE-2019-10679
impact: High
homepage: eikon.thomsonreuters.com
found: 2019-03-18
by: Khalil Bijjou (Office CH)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Eikon is the financial analysis desktop and mobile solution that
connects you t
relevant, trusted content, Reuters news, markets, liquidity pools,
and colleagues."
Source: https://www.refinitiv.com/en/products/spot-matching-forwards-matching
Business recommendation:
------------------------
As long as the vendor did not release a patch for this
vulnerability, we recommend
moving Eikon Thomson Reuters to a separate system outside the
domain to which users
can connect to. Furthermore, we recommend to closely monitor any
activities related
to Eikon Thomson Reuters.
Vulnerability overview/description:
-----------------------------------
The current file permissions of the directory
"C:\Program Files (x86)\Thomson Reuters)\Eikon" allow users of the
group
Authenticated Users to modify files in the folder. As these files
are executed
by the service that runs with SYSTEM privileges, it is possible to
escalate
privileges and create a new user with administrator privileges.
Proof of concept:
-----------------
The service's executable file is writeable by members of the
Authenticated
Users group. A user can create a malicious file that for example
creates a
new user and adds him to the Administrators group and replace the
service's
executable file with it.
As the service runs in the SYSTEM users context, the malicious
file will be
executed the next time the service is started. As the SYSTEM user
has the
highest privileges, the mentioned actions are successfully
performed and a new
user will be created and added to the administrators group.
Creating a new user represents only an example. Other critical
actions can be
performed instead.
Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version
available at
the time of discovery:
* 4.0.42144
Vendor contact timeline:
------------------------
2019-04-09: Contacting vendor through the contact form in the
homepage.
Service request number is 07521820.
2019-04-09: Received reply that they will supply a security
contact.
2019-04-16: Sent reminder as no security contact has been supplied
yet.
2019-04-23: Sent reminder #2.
2019-04-23: Vendor replied: "Thank you for your reminder, the
release
date has been duly noted. As previously mentioned, I have
transferred your query to our security specialists already,
they will reach out to you if they deem it necessary."
2020-08-26: Release of security advisory.
Solution:
---------
As the vendor has not responded to any of our further requests, we
are
currently unaware, whether a fix has been published or not. In any
case,
we recommend to run the application on a separate server to which
users
have to connect (e.g. via RDP).
Workaround:
-----------
We recommend enabling write permissions to administrative users
only
and to adhere to updating best practices.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC
Consult. It
ensures the continued knowledge gain of SEC Consult in the field of
network
and application security to stay ahead of the attacker. The SEC
Consult
Vulnerability Lab supports high-quality penetration testing and the
evaluation
of new offensive and defensive technologies for our customers.
Hence our
customers obtain the most current information about vulnerabilities
and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application
https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of
SEC Consult?
Contact our local offices
https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Khalil Bijjou / @2020
