UltraTax CS Data Exposure Vulnerability CVE-2018-14608 & CVE-2018-14607

NOTE: This vulnerability was discovered in late July of 2018. I immediately contacted Thompson Reuter support, their sales team, and Tweeted to them to responsibly disclose the vulnerability. I offered suggestions and help in finding a solution to protect the public at no cost.

CVE-2018-14608

CVE-2018-14607

After recent discoveries of the Intuit Lacerte data exposure vulnerability and my talk being accepted to the Breaking Ground track at BSidesLV 2018, I decided to test other popular tax prep software.

My lab setup includes a client and server. I installed the Thompson Reuter UltraTax CS software on the server, which auto-shared the directory. The share included Administrator and SYSTEM.

I navigated to the client system and mapped, allowing the client software to be installed. After modifying the location of the customer database to point to the location on the server, I opened a packet capturing tool and re-launched the client application.

Unlike the massive client database dump Intuit Lacerte transferred over unencrypted cleartext, UltraTax CS prompted for a client to be selected before the data started to leak.

Similar to the way I saw data being leaked by Intuit Lacerte, once a customer is selected, all their sensitive information is transferred over the network in cleartext. I can see the following unencrypted data was captured: Client ID, Full Name, Spouse’s Full Name, Social Security Number, Spouse’s Social Security Number, Occupation, Spouse’s Occupation, Daytime Phone, Home Phone, Tax Preparer, Federal and State Taxes to File, Bank Name and Bank Account Number.

I assume the CPAs are maintaining record of customer’s bank information for e-file purposes, however I can only imagine the criminal performing a man-in-the-middle attack would appreciate that he or she also got the tax paper’s bank account number.

Below is a screenshot of the data being leaked by Thompson Reuter UltraTax CS upon opening a customer in the software.

There isn’t much more a criminal could ask for. Everything needed to commit identity theft or fraudulently file taxes on 1000 people’s behalf is presented on a silver platter to anyone on the local network or a compromised workstation.

The following scenarios could be leveraged by a bad actor to obtain the exposed data traversing the network:

  1. Be on the same collision domain as the client/server (e.g. same Wireless network)
  2. Be on the same broadcast domain (e.g. switched network) and perform ARP poisoning
  3. Number of other man-in-the-middle scenarios

Further investigation of the tax software demonstrated that the UltraTax databases are not only traversing the network in unencrypted cleartext, they are also stored on the server in unencrypted cleartext.

The UltraTax CS software does not require a password upon setup, however there is an option to password protect access to the tax software. However, access controls to the database can be easily bypassed since the sensitive data in UltraTax is being stored in unencrypted cleartext as strings.

In the screenshot below, I extracted strings from the \\[server_name]\WinCSI\UT17DATA\[customer_name\U0001TXP.XX17 (Note: database names could be different in other environments) file to see what was readable without using a username/password. To my surprise, I found all customer records containing Full Name, SSN, Driver’s License Number, Address, etc. as seen below:

One of the foundational security concepts for security professionals is the CIA triad. I must ensure Confidentiality, Integrity, and Availability of data and systems. Confidentiality means ensuring only those who are authorized to access data can access it. That includes at rest, in transit, and in process. UltraTax CS failed to provide confidentiality of customer’s sensitive personally identifiable information  and tax records at rest and in transit. I have not yet tested what data is being leaked in process, however I have my assumptions.

There is no need for further exploitation as all sensitive data is exposed. This vulnerability was validated on UltraTax CS 2017, however older versions of UltraTax may be vulnerable.

Summary of Findings:

Thompson Reuters UltraTax CS for Windows in a client/server configuration transfers the customer records and bank account numbers in unencrypted cleartext over SMBv2, which allows attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors. The customer record transferred in cleartext contains: Client ID, Full Name, Spouse’s Full Name, Social Security Number, Spouse’s Social Security Number, Occupation, Spouse’s Occupation, Daytime Phone, Home Phone, Tax Preparer, Federal and State Taxes to File, Bank Name, Bank Account Number and possibly other sensitive information.

The UltraTax stores customer data in unique directories (%install_path%\WinCSI\UT17DATA\[client_ID]\[file_name].XX17) that can be bypassed without authentication by examining the strings of the .XX17 file. The strings stored in the .XX17 file contain each customer’s: Full Name, Spouse’s Name, Social Security Number, Date of Birth, Occupation, Home Address, Daytime Phone Number, Home Phone Number, Spouse’s Address, Spouse’s Daytime Phone Number, Spouse’s Social Security Number, Spouse’s Home Phone Number, Spouse’s Occupation, Spouse’s Date of Birth, and Spouse’s Filing Status.

There is no need for further exploitation as all sensitive data is exposed without need for authentication. This vulnerability was validated on UltraTax CS 2017, however older versions of may be vulnerable.

Join the Conversation

188 Comments

  1. Pingback: get tadalafil
  2. Pingback: cheap essay buy
  3. Pingback: essay help college
  4. Pingback: cholesterol
  5. Pingback: cialis 20 mg cheap
  6. Pingback: tadalafil usa
  7. Pingback: Malegra DXT plus
  8. Pingback: cialis lilly
  9. Pingback: viagra 25 mg price
  10. Pingback: bactrim walmart
  11. Pingback: rybelsus results
  12. Pingback: zoloft 50
  13. Pingback: porno izle
  14. Pingback: porn
  15. Pingback: child porn
  16. Pingback: porn
  17. Pingback: bactrim for uti
  18. Pingback: porno izle
  19. Pingback: augmentin coverage
  20. Pingback: bayer aspirin
  21. Pingback: allopurinol moa
  22. Pingback: aripiprazole class
  23. Pingback: buspar 5mg
  24. Pingback: porn
  25. Pingback: tamsulosin awp
  26. Pingback: actos hunger
  27. Pingback: grandpashabet
  28. Pingback: child porn
  29. Pingback: child porn
  30. Pingback: child porn
  31. Pingback: sildenafil pills
  32. Pingback: sex historie
  33. Pingback: viagra 75 mg price
  34. Pingback: ivermectin cream 1
  35. Pingback: animal porn
  36. Pingback: ananın amı
  37. Pingback: child porn
  38. Pingback: child porn
  39. Pingback: trimox fort
  40. Pingback: ciprofloxacin hcl
  41. Pingback: porn
  42. Pingback: Cocuk pornosu
  43. Pingback: child porn
  44. Pingback: child porn
  45. Pingback: porn
  46. Pingback: child porn
  47. Pingback: fuck
  48. Pingback: anal porno
  49. Pingback: child porn
  50. Pingback: sex
  51. Pingback: spam
  52. Pingback: porn
  53. Pingback: porn
  54. Pingback: child porn
  55. Pingback: child porn
  56. Pingback: iporn
  57. Pingback: child porn
  58. Pingback: porn
  59. Pingback: porn
  60. Pingback: porn
  61. Pingback: meritking
  62. Pingback: meritking
  63. Pingback: meritking
  64. Pingback: meritking
  65. Pingback: spam
  66. Pingback: child porn
  67. Pingback: porn
  68. Pingback: Konya SEO Uzmanı
  69. Pingback: porn
  70. Pingback: spam
  71. Pingback: child porn
  72. Pingback: child porn
  73. Pingback: child porn
  74. Pingback: child porn
  75. Pingback: porn
  76. Pingback: ankara psikolog
  77. Pingback: porn
  78. Pingback: porn
  79. Pingback: silivri avukat
  80. Pingback: porn
  81. Pingback: porn
  82. Pingback: child porn
Leave a comment