“Eikon is the financial analysis desktop and mobile solution that connects you t relevant, trusted content, Reuters news, markets, liquidity pools, and colleagues.”
As long as the vendor did not release a patch for this vulnerability, we recommend moving Eikon Thomson Reuters to a separate system outside the domain to which users can connect to. Furthermore, we recommend to closely monitor any activities related to Eikon Thomson Reuters.
Vulnerability Overview / Description
The current file permissions of the directory C:\Program Files (x86)\Thomson Reuters)\Eikon allow users of the group Authenticated Users to modify files in the folder. As these files are executed by the service that runs with SYSTEM privileges, it is possible to escalate privileges and create a new user with administrator privileges.
Proof Of Concept
The service’s executable file is writeable by members of the Authenticated Users group. A user can create a malicious file that for example creates a new user and adds him to the Administrators group and replace the service’s executable file with it.
As the service runs in the SYSTEM users context, the malicious file will be executed the next time the service is started. As the SYSTEM user has the highest privileges, the mentioned actions are successfully performed and a new user will be created and added to the administrators group.
Creating a new user represents only an example. Other critical actions can be performed instead.
Vulnerable / Tested Versions
The following version has been tested which was the latest version available at the time of discovery: