Talos Vulnerability Report

TALOS-2018-0537

Intuit Quicken Deluxe 2018 for Mac Password Protection Authentication Bypass Vulnerability

October 9, 2018
CVE Number

CVE-2018-3854

Summary

An exploitable information disclosure vulnerability exists in the password protection functionality of Quicken Deluxe 2018 for Mac version 5.2.2. A specially crafted sqlite3 request can cause the removal of the password protection, allowing an attacker to access and modify the data without knowing the password. An attacker needs to have access to the password-protected files to trigger this vulnerability.

Tested Versions

Intuit Quicken Quicken Deluxe 2018 5.2.2

Product URLs

Quicken for Mac

CVSSv3 Score

7.1 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Details

Quicken supports a password protection feature for files. This may be enabled in Quicken from the menu by using “File,” followed by “Set File Password.”

The vulnerability is triggered by removing a row from the SQLite database.

The first of two bypass steps is to change to the directory that houses the database in the Quicken data file:

cd '~/Library/Application Support/Quicken/Documents/filename.quicken'

The second step is to call a sqlite3 command to remove the table entry:

echo delete from ZDOCUMENTPROPERTY where ZNAME is "progressMetadataRefCount" \; sqlite3 data

Mitigation

Use FileVault and encrypt backups.

Timeline

2018-03-06 - Initial Contact; vendor alerted security team
2018-03-09 - Follow up status on security team response
2018-03-20 - Plain text file sent
2018-04-06 - 30 day follow up
2018-06-06 - 90 day follow up
2018-06-27 - Notice of planned public release due to no response; Vendor responded with security team point of contact
2018-06-28 - Copy of plain text file sent
2018-08-30 - Beta release provided for testing
2018-09-06 - Vendor released to customers
2018-10-09 - Public Release

Credit

Discovered by Mark Eklund of Cisco ASIG.