NOTE: This vulnerability was discovered in early April of 2018. I immediately contacted Intuit support and their security team to responsibly disclose the vulnerability. I offered suggestions and help in finding a solution to protect the public at no cost. As of 12/25/2018 the software remains vulnerable and I am disclosing my findings in hopes for better security for all tax software.
While wrapping up a penetration test earlier this year at a CPA firm, I discovered unusual amounts of SMBv2 traffic traversing the network. I usually find some type of data exposure while capturing packets, but this was different. Most of the time it’s self-service password reset tools, scripts, or other IT tools spewing credentials in unencrypted cleartext on a flat network. This time the data exposure was more than I’d expected. I saw a lot of SMBv2 traffic with paths such as \\[server_name]\lacerte\17tax\idata\[customer_last_name]. I thought I’d found another low to medium risk item for my report. I could tell my client that their tax software, Intuit Lacerte, was exposing their customer’s last names. After the capture I analyzed the results and decided to follow one of the SMB TCP streams to see what data was being accessed by the software. Maybe I’d find bad permissions or more data leaking from the tax software.
To my surprise, when the CPA authenticated to the client-side software, it made a request to read the customer list from the server. The server responded over SMB dumping the entire customer database.
What I saw on the screen was over 1,000 customer records containing the following for each person: Client ID, First Name & Initial, Last Name, Title, Social Security Number, Occupation, Date of Birth, Dependencies, Spouse’s First Name & Initial, Spouse’s Last Name, Spouse’s Title, Spouse’s Social Security Number, Spouse’s Occupation, Spouse’s Date of Birth, Home Address, Home Phone, Work Phone, Work Extension, Daytime Phone, Mobile Phone, Fax Number, Email Address, Spouse’s Home Phone, Spouse’s Work Phone, Spouse’s Extension, Spouse’s Daytime Phone, Spouse’s Mobile, Spouse’s Fax Number, Email Address, and Spouse’s Email Address. Driver’s License Number, Spouse’s Driver’s License Number, and more.
There isn’t much more a criminal could ask for. Everything needed to commit identity theft or fraudulently file taxes on 1000 people’s behalf is presented on a silver platter to anyone on the local network or a compromised workstation.
In my penetration test and lab setup, I tested the software in a client/server configuration, which is the common setup for CPA firms with more than one employee.
After further testing, I discovered that the tax software exposes every customer in the database immediately after the CPA launches/authenticates (not default) the Lacerte client on their workstation. The client software submits a SMBv2 Read Request for \\[server_name]\[share]\idata\DATA1I17.dbf. The server happily responds with a aSMBv2 Read Response containing the contents of the .dbf file.
Below is a sample of captured data when launching the Lacerte client on a workstation:
The following scenarios could be leveraged by a bad actor to obtain the exposed data traversing the network:
- Be on the same collision domain as the client/server (e.g. same Wireless network)
- Be on the same broadcast domain (e.g. switched network) and perform ARP poisoning
- Number of other man-in-the-middle scenarios
I continued to test the Lacerte software while running a packet capture tool on the collision domain to find out how often or what other events would trigger data exposure. In addition to the initial client application launch, I was able to capture other data leaks when almost any field within a customer’s record was modified.
While, single field modifications didn’t trigger the entire database to be re transmitted, changing values such as the dollar amount for Wages earned generated large SMB transfers. Analyzing the SMB traffic, I can see the Client sends the Server the entire customer record containing Client ID, Full Name, SSN, Phone Number, etc. as mentioned above. The Server then responds to the Client with the same copy of data containing Client ID, Full Name, SSN, Phone Number, etc.. The Server then sends a tabulated copy of the customer’s financial record with information such as Wages, Social Security Wages, Medicare, Tips, Depend Benefits, Tax Withholding, Social Security Withholding, etc. Essentially, if a bad actor was able to capture these packets, he or she would have a copy of the customer’s tax return and be able to identify targets based on income level.
Below is an example of modifying the Wages field for the test customer from a blank value to 9999991 and the corresponding capture in Wireshark to illustrate the data was intercepted in transit.
Initially, upon reporting this vulnerability to Intuit, they denied the validity of it being a vulnerability, blaming the underlying unencrypted cleartext protocol (SMBv2) as the vulnerability. I responded saying that’s like building a Bank website using HTTP instead of HTTPs and blaming HTTP when customer’s logins are stolen.
Further investigation of the tax software demonstrated that the Intuit Lacerte databases are not only traversing the network in unencrypted cleartext, they are also stored on the server in unencrypted cleartext.
The Intuit Lacerte software does not require a password upon setup, however there is an option to password protect access to the tax software. However, access controls to the database can be easily bypassed since the sensitive data in Lacerte is being stored in unencrypted cleartext as strings.
In the screenshot below, I extracted strings from the data1i17.dbf file to see what was readable without using a username/password. To my surprise, I found all customer records containing Full Name, SSN, Driver’s License Number, Address, etc. as seen below:
One of the foundational security concepts for security professionals is the CIA triad. I must ensure Confidentiality, Integrity, and Availability of data and systems. Confidentiality means ensuring only those who are authorized to access data can access it. That includes at rest, in transit, and in process. Intuit Lacerte failed to provide confidentiality of customer’s sensitive personally identifiable information and tax records at rest and in transit. I have not yet tested what data is being leaked in process, however we have my assumptions.
I have responsibly reported the vulnerability to the national vulnerability database:
CVE-2018-11338
Intuit Lacerte 2017 for Windows in a client/server configuration transfers the entire customer list in cleartext over SMB, which allows attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors. The customer list contains each customer’s full name, social security number (SSN), home address, job title, tax year being filed, phone number, Email address, spouse’s phone number/Email address, and other sensitive information.
After the client software authenticates to the server database, the server sends the customer list to the client over SMB in cleartext. Following the TCP stream displays the entire customer list.
There is no need for further exploitation as all sensitive data is exposed. This vulnerability was validated on Intuit Lacerte 2017, however older versions of Lacerte may be vulnerable.