"Thomson Reuters Fixed Assets CS 13.1.4 - Local Privilege Escalation"

Author: "Information Paradox"

Platform: windows

Release date: 2014-12-02

# Exploit Title: Thomson Reuters Fixed Assets CS <=13.1.4 Local Privilege Escalation/Code Execution

# Date: 12/1/14

# Exploit Author: singularitysec@gmail.com

# Vendor Homepage: https://cs.thomsonreuters.com

# Version: Fixed Assets CS <=13.1.4 Local Privilege Escalation/Code Execution

# Tested on: Windows XP -> Windows 7, Windows 8

# CVE : 2014-9141



Product Affected:

Fixed Assets CS <=13.1.4 (Workstation Install)

Note: 2003/2008 Terminal Services/Published apps **may** be vulnerable, depending on system configuration.

This vulnerability has been reference checked against multiple installs. This configuration was identical across all systems and each version encountered.

Executables/Services:

C:\WinCSI\Tools\connectbgdl.exe


Attack Detail:

The Fixed Assets CS installer places a system startup item at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup, which then executes the utility at C:\WinCSI\Tools\connectbgdl.exe.

The executables that are installed, by default, allow AUTHENTICATED USERS to modify, replace or alter the file.

This would allow an attacker to inject their code or replace the executable and have it run in the context of an authenticated user.

An attacker can use this to escalate privileges to the highest privileged level of user to sign on to the system. This would require them to stop the vulnerable executable or reboot the system. The executable appears to allow only one instance to be executed at a time by default, so the attacker would need to restart or kill the process. These are the default settings for this process.

This could compromise a machine on which it was installed, giving the process/attacker access to the machine in question or the ability to execute code as that user.

An attacker can replace the file or append code to the executable, reboot the system or kill the process, and it would then compromise the machine when a higher privileged user (administrator) logged in.

This affects workstation builds. It may be possible on legacy servers/published application platforms but this was not tested.




Remediation:

Remove the modify/write permissions on the executables to allow only privileged users to alter the files.

Apply vendor patch when distributed.
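
To check a workstation for the condition described above, the following PowerShell audit lists every program launched from the all-users Startup folder, plus the connectbgdl.exe path named in this advisory, and reports any allow ACE that gives a low-privileged group write-type access. It is an added example, not part of the original advisory or the vendor's tooling; the function names and the choice of which well-known SIDs count as low-privileged are assumptions made here.

```powershell
# Added example (not from the advisory): flag Startup targets that low-privileged groups can modify.
# Assumption: these well-known SIDs are the groups treated as "low-privileged".
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Rights that allow replacing or altering a file; read/execute bits are deliberately excluded.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$WriteBits = $WriteBits -bor 0x50000000   # GENERIC_WRITE | GENERIC_ALL on ACEs stored with generic bits

function Get-WeakFileAcl {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
        # Ask for SIDs rather than names so the match does not depend on the OS language.
        $rules = (Get-Acl -LiteralPath $p).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $LowPrivSids.ContainsKey($sid) -and
                ([int]$ace.FileSystemRights -band $WriteBits)) {
                [pscustomobject]@{
                    Path      = $p
                    Principal = $LowPrivSids[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Get-CommonStartupTarget {
    # Resolve shortcuts in the all-users Startup folder to the executables they launch.
    $dir   = [Environment]::GetFolderPath('CommonStartup')
    $shell = New-Object -ComObject WScript.Shell
    foreach ($item in Get-ChildItem -LiteralPath $dir -File) {
        if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath }
        else { $item.FullName }
    }
}

# Path taken from this advisory, added to whatever the Startup folder references.
$targets = @(Get-CommonStartupTarget) + 'C:\WinCSI\Tools\connectbgdl.exe' |
    Where-Object { $_ } | Sort-Object -Unique
Get-WeakFileAcl -Path $targets | Format-Table -AutoSize
```

No output means none of the checked files grant write-type rights to those groups. The containing directory's ACL deserves the same check, since write access there also permits replacing the file.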




Vulnerability Discovered: 11/27/2014

Vendor Notified: 12/1/2014

Website: www.information-paradox.net

This vulnerability was discovered by singularitysec@gmail.com. Please credit the author in all references to this exploit.