PT-2019-9673 · Tightrope · Tightrope Media Carousel

Drew Green · Published 2019-10-29 · Updated 2019-11-05 · CVE-2018-18931

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Tightrope Media Carousel digital signage product, version 7.0.4.104

Description: An issue in the Tightrope Media Carousel digital signage product allows an attacker who already has access to the system to elevate privileges from a restricted account to full SYSTEM by replacing the Carousel.Service.exe file with a malicious executable. Carousel.Service.exe is located in the C:\TRMS\Services directory, which has insecure default permissions. The service is independent of the associated IIS web site and can be manipulated without affecting access to the vulnerabilities in the web interface. An attacker can replace Carousel.Service.exe and then restart the server with the command "shutdown -r -t 0" from a web shell, causing the system to reboot and launch the malicious Carousel.Service.exe as SYSTEM on startup. If the malicious executable is configured to launch a reverse shell, the attacker has a fully privileged remote command-line environment after the reboot.

Recommendations: For version 7.0.4.104, consider restricting access to the C:\TRMS\Services directory so that the Carousel.Service.exe file cannot be replaced, until a patch is available. As a temporary workaround, monitor the system for unauthorized restarts and for changes to the Carousel.Service.exe file.
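The recommended workaround, as an added example that is not code from the advisory or from Tightrope: a PowerShell script that audits the ACLs of C:\TRMS\Services and Carousel.Service.exe for write rights held by low-privilege principals, optionally removes them (-Fix), and keeps a SHA-256 baseline of the binary so a replacement is detected. The principal list, the -Fix behaviour (read/execute only for those principals) and the baseline file location are this script's own assumptions; it expects an elevated PowerShell on an English-locale system.

```powershell
# Added example (not from the advisory or Tightrope). Directory and file name come from the
# advisory; principals, -Fix behaviour and baseline location are assumptions of this script.
param(
    [string]$ServiceDir   = 'C:\TRMS\Services',
    [string]$ServiceExe   = 'Carousel.Service.exe',
    [string]$BaselineFile = "$env:ProgramData\Carousel.Service.exe.sha256",
    [switch]$Fix
)

# Any of these rights lets a caller replace, modify or re-permission the target.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Principals that any authenticated or interactive user effectively holds (assumed English names).
$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-LowPrivWriteAces([string]$Path) {
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPriv -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $WriteMask) -ne 0)
    }
}

$exePath = Join-Path $ServiceDir $ServiceExe
foreach ($target in @($ServiceDir, $exePath)) {
    $aces = @(Get-LowPrivWriteAces $target)
    if (-not $aces) { Write-Host "OK: no low-privilege write access on $target"; continue }
    Write-Warning "$target is writable by low-privilege principals:"
    $aces | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize | Out-String | Write-Warning
    if ($Fix) {
        $acl = Get-Acl -Path $target
        # Stop inheriting from the parent (copying inherited ACEs as explicit ones so they can be
        # edited), drop every ACE of the offending principals, and leave them read/execute only.
        $acl.SetAccessRuleProtection($true, $true)
        # Inheritance flags are only valid on directories; a file ACE must use 'None'.
        $inherit = if (Test-Path $target -PathType Container) { 'ContainerInherit, ObjectInherit' } else { 'None' }
        foreach ($id in ($aces.IdentityReference.Value | Select-Object -Unique)) {
            $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$id)
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $id, 'ReadAndExecute', $inherit, 'None', 'Allow')))
        }
        Set-Acl -Path $target -AclObject $acl
        Write-Host "Hardened ACL on $target"
    }
}

# Integrity baseline for the service binary: the first run records the hash, later runs compare.
$hash = (Get-FileHash -Path $exePath -Algorithm SHA256).Hash
if (Test-Path $BaselineFile) {
    if ((Get-Content $BaselineFile -Raw).Trim() -ne $hash) { Write-Warning "$ServiceExe differs from the recorded baseline (now $hash)" }
    else { Write-Host "OK: $ServiceExe matches baseline" }
} else { Set-Content -Path $BaselineFile -Value $hash; Write-Host "Recorded baseline hash $hash" }
```

Schedule the script without -Fix as a periodic task to catch re-permissioning or replacement of the binary; it only reports, so it is safe to run repeatedly.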


Weakness Enumeration: Improper Privilege Management

Related Identifiers: CVE-2018-18931

Affected Products: Tightrope Media Carousel