CVE-2018-18931

An issue was discovered in the Tightrope Media Carousel digital signage product 7.0.4.104. Due to insecure default permissions on the C:\TRMS\Services directory, an attacker who has gained access to the system can elevate their privileges from a restricted account to full SYSTEM by replacing the Carousel.Service.exe file with a custom malicious executable. This service is independent of the associated IIS web site, which means that this service can be manipulated by an attacker without losing access to vulnerabilities in the web interface (which would potentially be used in conjunction with this attack, to control the service). Once the attacker has replaced Carousel.Service.exe, the server can be restarted using the command "shutdown -r -t 0" from a web shell, causing the system to reboot and launching the malicious Carousel.Service.exe as SYSTEM on startup. If this malicious Carousel.Service.exe is configured to launch a reverse shell back to the attacker, then upon reboot the attacker will have a fully privileged remote command-line environment to manipulate the system further.

CVSS v3 8.8 HIGH
CVSS v2.0 9.0 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://www.drewgreen.net/vulnerabilities-in-tightrope-media-systems-carousel/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:trms:carousel_digital_signage:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-10-29 20:15

Updated : 2023-12-10 13:13

NVD link : CVE-2018-18931

Mitre link : CVE-2018-18931

CVE.ORG link : CVE-2018-18931

JSON object : View

Products Affected

trms

carousel_digital_signage

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2018-18931", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-10-29T20:15:10.867", "references": [{"url": "https://www.drewgreen.net/vulnerabilities-in-tightrope-media-systems-carousel/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Tightrope Media Carousel digital signage product 7.0.4.104. Due to insecure default permissions on the C:\\TRMS\\Services directory, an attacker who has gained access to the system can elevate their privileges from a restricted account to full SYSTEM by replacing the Carousel.Service.exe file with a custom malicious executable. This service is independent of the associated IIS web site, which means that this service can be manipulated by an attacker without losing access to vulnerabilities in the web interface (which would potentially be used in conjunction with this attack, to control the service). Once the attacker has replaced Carousel.Service.exe, the server can be restarted using the command \"shutdown -r -t 0\" from a web shell, causing the system to reboot and launching the malicious Carousel.Service.exe as SYSTEM on startup. If this malicious Carousel.Service.exe is configured to launch a reverse shell back to the attacker, then upon reboot the attacker will have a fully privileged remote command-line environment to manipulate the system further."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en el producto de se\u00f1alizaci\u00f3n digital Tightrope Media Carousel versi\u00f3n 7.0.4.104. Debido a permisos predeterminados no seguros en el directorio C:\\TRMS\\Services, un atacante que ha obtenido acceso al sistema puede elevar sus privilegios de una cuenta restringida a una completamente SYSTEM, reemplazando el archivo Carousel.Service.exe con un ejecutable malicioso personalizado. Este servicio es independiente del sitio web IIS asociado, lo que significa que este servicio puede ser manipulado por un atacante sin perder el acceso a las vulnerabilidades en la interfaz web (lo que potencialmente ser\u00e1 utilizado junto con este ataque para controlar el servicio). Una vez que el atacante ha reemplazado el archivo Carousel.Service.exe, el servidor puede ser reiniciado usando el comando \"shutdown -r -t 0\" desde un shell web, causando que el sistema se reinicie y ejecute el archivo Carousel.Service.exe malicioso como SYSTEM sobre el inicio. Si este archivo Carousel.Service.exe malicioso es configurado para iniciar un shell inverso al atacante, luego de reiniciarse el atacante tendr\u00e1 un entorno de l\u00ednea de comandos remoto totalmente privilegiado para manipular a\u00fan m\u00e1s el sistema."}], "lastModified": "2019-11-05T17:52:26.953", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:trms:carousel_digital_signage:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F395E7E9-1DEB-4F95-B773-BFC89E9B7341", "versionEndIncluding": "7.0.4.104"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}