CVSS2: 7.2 High
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 36.4%

Multiple privilege escalation vulnerabilities exist in Dream Report 5 R20-2. A specially crafted executable can cause elevated capabilities. An attacker can provide a malicious file to trigger this vulnerability.
Dream Report 5 R20-2
9.3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-276 - Incorrect Default Permissions
Dream Report 5 R20-2 is a real-time reporting and charting solution. It collects and processes real-time information from a variety of systems through a number of connectors which can be used for data import.
By default, Dream Report 5 R20-2 is installed in the C:\ODS directory with permissions that allow anyone on the system to have "full control" over certain files in the directory. This can lead to exploitable privilege escalations which can be triggered directly or indirectly by an attacker.
In the default configuration, the Syncfusion Dashboard Service service binary can be replaced by attackers to escalate privileges to NT SYSTEM:
cacls "C:\ODS\Dream Report\Dashboard\Dashboard Platform SDK\Utilities\Windows Service\Syncfusion Dashboard Windows Service.exe"
C:\ODS\Dream Report\Dashboard\Dashboard Platform SDK\Utilities\Windows Service\Syncfusion Dashboard Windows Service.exe BUILTIN\Administrators:(ID)F
Everyone:(ID)F
In the default configuration, the following registry keys, which reference binaries with weak permissions, can be abused by attackers to effectively "backdoor" the installation files and escalate privileges when a new user logs in and uses the application:
Registry Key (x86): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ods_rtm_launch
Registry Key (x64): HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ods_rtm_launch
Binary: C:\ODS\Dream Report\System\RTM.exe
Permission: cacls "C:\ODS\Dream Report\System\RTM.exe"
C:\ODS\Dream Report\System\Rtm.exe BUILTIN\Administrators:(ID)F
Everyone:(ID)F
Registry Key (x86): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ods_usc
Registry Key (x64): HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ods_usc
Binary: C:\ODS\Dream Report\System\usc.exe
Permission: cacls "C:\ODS\Dream Report\System\usc.exe"
C:\ODS\Dream Report\System\USC.exe BUILTIN\Administrators:(ID)F
Everyone:(ID)F
The following COM Class Identifiers (CLSID), installed by Dream Report 5 20-2, reference LocalServer32 and InprocServer32 with weak privileges which can lead to privilege escalation when used:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAB0B109-A3F4-44B8-AE0B-47C45DF8BCBC}\LocalServer32\LocalServer32
Binary: C:\ODS\Dream Report\System\IDSEng.exe
Permission: cacls "C:\ODS\Dream Report\System\IDSEng.exe"
C:\ODS\Dream Report\System\IDSEng.exe BUILTIN\Administrators:(ID)F
Everyone:(ID)F
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3D65B93-2D26-41F1-B655-F14144C879B6}\InprocServer32\InprocServer32
Binary: C:\ODS\Dream Report\System\IISToolbox.dll
Permission: cacls "C:\ODS\Dream Report\System\IISToolbox.dll"
C:\ODS\Dream Report\System\IISToolbox.dll BUILTIN\Administrators:(ID)F
Everyone:(ID)F
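
The cacls listings above all show the same pattern: an inherited full-control entry for Everyone on a binary that runs in a more privileged context. As an added example (not part of the original advisory or the vendor's tooling), the following parses a saved cacls session in the format shown on this page and reports files that a broad principal can overwrite; the set of broad principals, the function names and the second sample record are assumptions made for illustration.

```python
import re

# Principals that cover every local, unprivileged account (assumed list).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}
WRITABLE = {"F", "C", "W"}  # cacls letters: Full control, Change, Write
CMD = re.compile(r'^cacls\s+"([^"]+)"$', re.IGNORECASE)
ACE = re.compile(r'^(?P<who>[^:()]+):(?P<flags>(?:\([A-Z]+\))*)(?P<rights>[FCWRN])$')

# Constructed sample: the first record is copied from the advisory text,
# the second is a made-up, correctly restricted file for contrast.
SAMPLE = r'''
cacls "C:\ODS\Dream Report\System\RTM.exe"
C:\ODS\Dream Report\System\Rtm.exe BUILTIN\Administrators:(ID)F
                                   Everyone:(ID)F
cacls "C:\Example\App\ok.exe"
C:\Example\App\ok.exe BUILTIN\Administrators:F
                      BUILTIN\Users:R
'''


def parse_transcript(text):
    """Return {path: [(principal, flags, rights), ...]} from a cacls session."""
    results, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD.match(line)
        if m:
            path = m.group(1)
            results[path] = []
            continue
        if path is None or not line:
            continue
        # The first output line repeats the path, possibly in a different
        # case than was typed (RTM.exe vs Rtm.exe), so strip it ignoring case.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        ace = ACE.match(line)
        if ace:
            results[path].append((ace["who"].strip(), ace["flags"], ace["rights"]))
    return results


def world_writable(results):
    """Paths where a broad principal holds F, C or W, with the offending ACEs."""
    hits = {p: [a for a in aces if a[0].lower() in BROAD and a[2] in WRITABLE]
            for p, aces in results.items()}
    return {p: bad for p, bad in hits.items() if bad}


if __name__ == "__main__":
    for path, bad in world_writable(parse_transcript(SAMPLE)).items():
        print(path, "->", ", ".join(f"{who}:{rights}" for who, _, rights in bad))
```

The parser only understands the classic cacls letter format shown on this page; icacls output, which wraps rights in parentheses, would need a different ACE pattern.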
2020-09-08 - Initial contact
2020-09-08 - Vendor acknowledged and provided PGP for communication
2020-09-09 - Vendor advised release planned for December 2020
2020-11-10 - Talos follow up with vendor to confirm Dec release
2020-11-18 - 2nd follow up
2020-11-30 - 3rd follow up
2021-01-04 - Final follow up
2021-01-15 - Vendor advised release pushed to "Q2 or early Q3"
2021-04-08 - Public disclosure