TDM Digital Signage PC Player 4.1 Insecure File Permissions
Title: TDM Digital Signage PC Player 4.1 Insecure File Permissions
Advisory ID: ZSL-2020-5604
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 26.10.2020
[04.10.2020] Vendor contacted.
[05.10.2020] Vendor responds asking more details.
[05.10.2020] Sent details to the vendor.
[11.10.2020] Asked vendor for status update.
[25.10.2020] No response from the vendor.
[26.10.2020] Public security advisory released.
[2] https://www.exploit-db.com/exploits/48953
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/190627
[04.11.2020] - Added reference [1], [2] and [3]
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2020-5604
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 26.10.2020
Summary
With TDM you can do a lot more than just show Digital Signage. With our Enterprise-Grade software you open the door to Interactive Signage, Analytics, Proof of Play and a lot more.Description
TDM Digital Signage Windows Player suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'M' flag (Modify) or 'C' flag (Change) for 'Authenticated Users' group.Vendor
TDM [Trending Digital Marketing] - https://www.tdmsignage.comAffected Version
4.1.0.4Tested On
Microsoft Windows 10 HomeVendor Status
[23.09.2020] Vulnerability discovered.[04.10.2020] Vendor contacted.
[05.10.2020] Vendor responds asking more details.
[05.10.2020] Sent details to the vendor.
[11.10.2020] Asked vendor for status update.
[25.10.2020] No response from the vendor.
[26.10.2020] Public security advisory released.
PoC
tdsignage_perm.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://packetstormsecurity.com/files/159723/[2] https://www.exploit-db.com/exploits/48953
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/190627
Changelog
[26.10.2020] - Initial release[04.11.2020] - Added reference [1], [2] and [3]
Contact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk