SEC Consult Vulnerability Lab Security Advisory < 20200826-0 >  
title: Extensive file permissions on service executable  
product: Eikon Thomson Reuters  
vulnerable version: 4.0.42144  
fixed version: -  
CVE number: CVE-2019-10679  
impact: High  
found: 2019-03-18  
by: Khalil Bijjou (Office CH)  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult  
Europe | Asia | North America  
Vendor description:  
"Eikon is the financial analysis desktop and mobile solution that connects you t  
relevant, trusted content, Reuters news, markets, liquidity pools, and colleagues."  
Business recommendation:  
As long as the vendor did not release a patch for this vulnerability, we recommend  
moving Eikon Thomson Reuters to a separate system outside the domain to which users  
can connect to. Furthermore, we recommend to closely monitor any activities related  
to Eikon Thomson Reuters.  
Vulnerability overview/description:  
The current file permissions of the directory  
"C:\Program Files (x86)\Thomson Reuters)\Eikon" allow users of the group  
Authenticated Users to modify files in the folder. As these files are executed  
by the service that runs with SYSTEM privileges, it is possible to escalate  
privileges and create a new user with administrator privileges.  
Proof of concept:  
The service's executable file is writeable by members of the Authenticated  
Users group. A user can create a malicious file that for example creates a  
new user and adds him to the Administrators group and replace the service's  
executable file with it.  
As the service runs in the SYSTEM users context, the malicious file will be  
executed the next time the service is started. As the SYSTEM user has the  
highest privileges, the mentioned actions are successfully performed and a new  
user will be created and added to the administrators group.  
Creating a new user represents only an example. Other critical actions can be  
performed instead.  
Vulnerable / tested versions:  
The following version has been tested which was the latest version available at  
the time of discovery:  
* 4.0.42144  
Vendor contact timeline:  
2019-04-09: Contacting vendor through the contact form in the homepage.  
Service request number is 07521820.  
2019-04-09: Received reply that they will supply a security contact.  
2019-04-16: Sent reminder as no security contact has been supplied yet.  
2019-04-23: Sent reminder #2.  
2019-04-23: Vendor replied: "Thank you for your reminder, the release  
date has been duly noted. As previously mentioned, I have  
transferred your query to our security specialists already,  
they will reach out to you if they deem it necessary."  
2020-08-26: Release of security advisory.  
As the vendor has not responded to any of our further requests, we are  
currently unaware, whether a fix has been published or not. In any case,  
we recommend to run the application on a separate server to which users  
have to connect (e.g. via RDP).  
We recommend enabling write permissions to administrative users only  
and to adhere to updating best practices.  
Advisory URL:  
SEC Consult Vulnerability Lab  
SEC Consult  
Europe | Asia | North America  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
Interested to work with the experts of SEC Consult?  
Send us your application  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices  
Mail: research at sec-consult dot com  
EOF Khalil Bijjou / @2020