what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Eikon Thomson Reuters 4.0.42144 File Permissions

Eikon Thomson Reuters 4.0.42144 File Permissions
Posted Aug 27, 2020
Authored by Khalil Bijjou | Site sec-consult.com

Eikon Thomson Reuters version 4.0.42144 suffers from a weak permissions issue that can lead to code execution.

tags | exploit, code execution
advisories | CVE-2019-10679
SHA-256 | cefd3a573b7ca1df14112830ceb07fbac0edea5f7fa5c698ca9c4056ae2633cc

Eikon Thomson Reuters 4.0.42144 File Permissions

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20200826-0 >
=======================================================================
title: Extensive file permissions on service executable
product: Eikon Thomson Reuters
vulnerable version: 4.0.42144
fixed version: -
CVE number: CVE-2019-10679
impact: High
homepage: eikon.thomsonreuters.com
found: 2019-03-18
by: Khalil Bijjou (Office CH)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Eikon is the financial analysis desktop and mobile solution that connects you t
relevant, trusted content, Reuters news, markets, liquidity pools, and colleagues."

Source: https://www.refinitiv.com/en/products/spot-matching-forwards-matching


Business recommendation:
------------------------
As long as the vendor did not release a patch for this vulnerability, we recommend
moving Eikon Thomson Reuters to a separate system outside the domain to which users
can connect to. Furthermore, we recommend to closely monitor any activities related
to Eikon Thomson Reuters.


Vulnerability overview/description:
-----------------------------------
The current file permissions of the directory
"C:\Program Files (x86)\Thomson Reuters)\Eikon" allow users of the group
Authenticated Users to modify files in the folder. As these files are executed
by the service that runs with SYSTEM privileges, it is possible to escalate
privileges and create a new user with administrator privileges.


Proof of concept:
-----------------
The service's executable file is writeable by members of the Authenticated
Users group. A user can create a malicious file that for example creates a
new user and adds him to the Administrators group and replace the service's
executable file with it.

As the service runs in the SYSTEM users context, the malicious file will be
executed the next time the service is started. As the SYSTEM user has the
highest privileges, the mentioned actions are successfully performed and a new
user will be created and added to the administrators group.

Creating a new user represents only an example. Other critical actions can be
performed instead.


Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available at
the time of discovery:
* 4.0.42144


Vendor contact timeline:
------------------------
2019-04-09: Contacting vendor through the contact form in the homepage.
Service request number is 07521820.
2019-04-09: Received reply that they will supply a security contact.
2019-04-16: Sent reminder as no security contact has been supplied yet.
2019-04-23: Sent reminder #2.
2019-04-23: Vendor replied: "Thank you for your reminder, the release
date has been duly noted. As previously mentioned, I have
transferred your query to our security specialists already,
they will reach out to you if they deem it necessary."
2020-08-26: Release of security advisory.


Solution:
---------
As the vendor has not responded to any of our further requests, we are
currently unaware, whether a fix has been published or not. In any case,
we recommend to run the application on a separate server to which users
have to connect (e.g. via RDP).


Workaround:
-----------
We recommend enabling write permissions to administrative users only
and to adhere to updating best practices.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Khalil Bijjou / @2020


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close