UPDATE: Privilege escalation vulnerability in X_TRADER installation

On Friday, April 26, CA010-19 was sent to summarize a privilege escalation vulnerability.  X_TRADER 7.17.87p603 will be released shortly, which includes an updated installer that revokes write and delete access on the necessary executables.  Customers are encouraged to upgrade to this version to address this vulnerability.

Note that the original examples provided in CA010-19 to manually remove write and delete access for all non-administrators should not be used.  Please reference the amended example at the end of this Advisory.

Additional details on the vulnerability and new X_TRADER package

X_TRADER installs several system services, such as Guardian, GuardianCtrl and TT Messaging (“TTM”).  These system services run as NT AUTHORITY\SYSTEM, granting them local administration rights.  However, the underlying executable files are writable by unprivileged users.  Thus, someone with authenticated write access to the trading system’s file system can replace the executables with a malicious payload that will execute with local system privileges.

These services genuinely need administrative rights.  For example, TTM creates raw sockets for Pragmatic General Multicast (“PGM”), since Windows does not provide an OS-native PGM implementation.  To open raw sockets, programs must have administrative rights. Because these services require administrative rights to function properly, it is not possible to change their service definitions to use a non-privileged account.

To address this potential privilege escalation vulnerability, TT has modified the X_TRADER installation to apply Access Control Lists (“ACLs”) to the Guardian and TTM executables.  The ACLs prevent anyone from writing to, renaming, or deleting the executables. X_TRADER component installation now requires administrator privileges to perform on every install or update; the TT Update tool is now deprecated, because it runs in the context of the user, not an administrator.

The X_TRADER installers know about these ACL modifications, and work correctly when performing a re-install or update.  However, they are unable to register these ACL changes with the Windows uninstaller framework. Thus, even running as an administrator, uninstalling X_TRADER will not delete the affected executable files.  To assist in uninstalling, the installer now places an UninstallHelper.exe program in the root of the TT installation directory.  This program requires administrator privileges to run, and will revert the ACL changes made by the installer.  To uninstall X_TRADER, please run the helper program before attempting to uninstall X_TRADER itself.

TT understands that many of our customers re-package X_TRADER, or may have other frameworks in place to centralize ACL management.  If an administrator wishes to manage the ACLs on these system service executables themselves, they may use group policy to add a new registry key that will prevent the installer from applying any ACL changes.  Only administrators may modify this registry key; by default, normal users only have read access to the “Policies” section of the registry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Trading Technologies]
"InstallWithNoPermissions"="1"

For administrators that script their X_TRADER installations and wish to disable the installer’s ACL handling, the new TT installers also accept a “–noperms” command line option in addition to the group policy registry key.

To manually apply the ACL changes made by the installer, execute the following:

cd 
cd Guardian
REM Due to icacls' handling of implicit "S" permission, deny write
REM options explicitly instead of using the generic "W", as generic "W"
REM also implicitly removes "S", which makes the file non-readable/executable.
REM Note: when ACLs are subsequently viewed, it will show as generic "W"
REM since the state of "S" is hidden.
icacls *.exe /deny *S-1-5-7:(wd,wa,wea,ad,de) /deny *S-1-1-0:(wd,wa,wea,ad,de)
icacls *.dll /deny *S-1-5-7:(wd,wa,wea,ad,de) /deny *S-1-1-0:(wd,wa,wea,ad,de)
REM Windows still allows users to delete files if they have the DC
REM permission on the containing folder.  So we remove DC. Additionally,
REM remove DE on the containing folder to prevent users from simply renaming
REM the files out of the way.
icacls . /deny *S-1-5-7:(dc,de) /deny *S-1-1-0:(dc,de)
REM Config subdirectory now inherits the -DC,-DE flag from its parent, which
REM breaks the product tables maintained by Guardian.  Explicitly add DC/DE
REM back to the Config subdirectory.
icacls Config /grant *S-1-1-0:(dc,de)
cd ../ttm
icacls *.exe /deny *S-1-5-7:(wd,wa,wea,ad,de) /deny *S-1-1-0:(wd,wa,wea,ad,de)
icacls *.dll /deny *S-1-5-7:(wd,wa,wea,ad,de) /deny *S-1-1-0:(wd,wa,wea,ad,de)
icacls . /deny *S-1-5-7:(dc,de) /deny *S-1-1-0:(dc,de)
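As an added example that is not part of this Advisory or the X_TRADER package, the following PowerShell checks whether the deny ACEs described above are actually present on the Guardian and ttm executables and their folders, so an administrator can verify a deployment (or a custom ACL framework) rather than trust the installer. The install root (C:\tt) is an assumption; adjust it to your site. It checks deny entries only and does not verify the Config grant.

```powershell
# Added verification script; not part of the TT advisory or product.
# Assumption: X_TRADER is installed under $InstallRoot (placeholder default).
param([string]$InstallRoot = 'C:\tt')

# Principals the advisory's icacls lines deny: Anonymous (S-1-5-7) and Everyone (S-1-1-0)
$Principals = 'S-1-5-7', 'S-1-1-0'
# icacls (wd,wa,wea,ad,de) on the files ...
$FileDeny = [System.Security.AccessControl.FileSystemRights]'WriteData, WriteAttributes, WriteExtendedAttributes, AppendData, Delete'
# ... and (dc,de) on the Guardian and ttm folders
$DirDeny = [System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles, Delete'

function Get-MissingDeny {
    # Emits one record per principal whose Deny ACEs on $Path do not cover $Required
    param([string]$Path, [System.Security.AccessControl.FileSystemRights]$Required)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($sid in $Principals) {
        $covered = 0
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Deny') { continue }
            # Resolve the ACE's account name back to a SID so "Everyone" and "ANONYMOUS LOGON" match
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($aceSid -ne $sid) { continue }
            $covered = $covered -bor [int]$ace.FileSystemRights
        }
        $missing = [int]$Required -band (-bnot $covered)
        if ($missing -ne 0) {
            [pscustomobject]@{
                Path    = $Path
                Sid     = $sid
                Missing = [System.Security.AccessControl.FileSystemRights]$missing
            }
        }
    }
}

$findings = foreach ($svc in 'Guardian', 'ttm') {
    $dir = Join-Path $InstallRoot $svc
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Missing: $dir"; continue }
    # Folder must deny DC/DE, otherwise files can still be deleted or renamed via the folder
    Get-MissingDeny -Path $dir -Required $DirDeny
    Get-ChildItem -LiteralPath $dir -File | Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object { Get-MissingDeny -Path $_.FullName -Required $FileDeny }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'All checked executables carry the advisory deny ACEs.' }
```

Run it from an elevated prompt; any row in the output names a file or folder, the principal, and the write/delete rights that are not denied.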
