Monday, December 15, 2014

Updates on CVE-2014-9113 and CVE-2014-9141


Quick update on the two CVE's that were published recently:

CVE-2014-9113

A security update has been released on 12/03/2014 to address the vulnerability in CCH Wolters Kluwer ProSystem fx Engagement. This update corrects the permissions on necessary application services. Please see the online release bulletin for instructions on how to apply the security update.

https://support.cch.com/updates/Engagement/pdf/Services%20Security%20Update%20-%20Release%20Bulletin%20-%20US.pdf


CVE-2014-9141

Contact with vendor has been made. Formal acknowledgement of the issue has not occurred. Detailed documentation of the vulnerability was provided. Documentation demonstrated successful exploitation using the standard installer package and instructions.

Thomson Reuters has changed the support person responsible but have not heard from the newly assigned personnel. Follow up has been requested several times, no change in status since initial report


Monday, December 1, 2014

CVE-2014-9141: Thomson Reuters Fixed Assets CS <= 13.1.4


# Exploit Title: Thomson Reuters Fixed Assets CS <=13.1.4 Local Privilege Escalation/Code Execution

# Date: 12/1/14
# Exploit Author: singularitysec@gmail.com
# Vendor Homepage: https://cs.thomsonreuters.com
# Version: Fixed Assets CS <=13.1.4 Local Privilege Escalation/Code Execution
# Tested on: Windows XP -> Windows 7, Windows 8
# CVE : 2014-9141

Product Affected:
Fixed Assets CS <=13.1.4 (Workstation Install)

Note: 2003/2008 Terminal Services/Published apps *may* be vulnerable, depending on system configuration.
 

This vulnerability has been reference checked against multiple installs. This configuration was identical across all systems and each version encountered.

Executables/Services:
C:\WinCSI\Tools\connectbgdl.exe

Attack Detail:

The Fixed Assets CS installer places a system startup item at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Which then executes the utility at C:\WinCSI\Tools\connectbgdl.exe.

The executables that are installed, by default, allow AUTHENTICATED USERS to modify, replace or alter the file. This would allow an attacker to inject their code or replace the executable and have it run in the context of an authenticated user.

An attacker can use this to escalate privileges to the highest privileged level of user to sign on to the system. This would require them to stop the vulnerable executable or reboot the system. The executable appears to only allow on instance to be executed at a time by default, the attacker would need to restart or kill the process. These are the default settings for this process.

This could compromise a machine on which it was installed, giving the process/attacker access to the machine in question or execute code as that user. An attacker can replace the file or append code to the executable, reboot the system or kill the process. It would then compromise the machine when a higher privileged user (ex. administrator) logged in.

This affects workstation builds. It may be possible on legacy servers/published application platforms but this was not tested.

Remediation:
 

Remove the modify/write permissions on the executables to allow onlyprivileged users to alter the files.
Apply vendor patch when distributed.

Vulnerability Discovered: 11/27/2014
Vendor Notified: 12/1/2014
                                                                                        

Website: www.information-paradox.net

This vulnerability was discovered by singularitysec@gmail.com. Please credit the author in all references to this exploit.


Wednesday, November 26, 2014

CVE-2014-9113 : CCH Wolters Kluwer PFX Engagement <= v7.1 Local Privilege Escalation

Product Affected:
CCH Wolters Kluwer PFX Engagement <= v7.1
This vulnerability has been reference checked this against multiple installs. This configuration was identical across all systems and each version encountered.
Executables/Services:

Pfx.Engagement.WcfServices
PFXEngDesktopService
PFXSYNPFTService
P2EWinService
Attack Detail:
The PFX services for engagement install with LOCAL SYSTEM service credentials in the directory C:\PFX Engagement\

 


The executables that are installed, by default, allow AUTHENTICATED USERS to modify, replace or alter the file. This would allow an attacker to inject their code or replace the executable and have it run in the context of the system.
This would allow complete compromise of a machine on which it was installed, giving the process LOCAL SYSTEM access to the machine in question. An attacker can replace the file or append code to the executable, reboot the system or restart the service and it would then  compromise the machine. As LOCAL SYSTEM is the highest privilege level on a machine, this allows total control and access to all parts of the system. This affects both the server and workstation builds.

Remediation:

Remove the modify/write permissions on the executables to allow only privileged users to alter the files.
Apply vendor patch when distributed.


Vulnerability Discovered: 11/26/2014
Vendor Notified: 11/26/2014
Vendor states this will be patched with next software update.

Website: www.information-paradox.net
This vulnerability was discovered by singularitysec@gmail.com. Please credit the author in all references to this exploit.
  


A security update has been released on 12/03/2014 to address the vulnerability in CCH Wolters Kluwer ProSystem fx Engagement. This update corrects the permissions on necessary application services. Please see the online release bulletin for instructions on how to apply the security update.

https://support.cch.com/updates/Engagement/pdf/Services%20Security%20Update%20-%20Release%20Bulletin%20-%20US.pdf