Multiple eScan products insecure file permissions

2007.09.04
Credit: edi.strosar
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

========================================================================= Team Intell Security Advisory TISA2007-13-Public ------------------------------------------------------------------------- Multiple eScan products insecure file permissions ========================================================================= Release date: 30.08.2007 Severity: Moderately critical Impact: Privilege escalation Remote: No Status: Unpatched Software: eScan Virus Control 9.0.722.1 eScan Anti-Virus 9.0.722.1 eScan Internet Security 9.0.722.1 Tested on: Microsoft Windows XP SP2 Vendor: http://www.mwti.net/ Disclosed by: Edi Strosar (Team Intell) Vendor's description of affected application(s): ================================================ "eScan is the latest offering from MicroWorld Technologies Inc. It offers a combination of features to help you fight the threat of viruses, set security policies for parental control over content accessed by your child. It guards against Internet misuse, block spam and offensive mails and block popup ads." Download link: http://www.mwti.net/products/download_center.asp Analysis: ========= eScan product line is prone to security issue which can be exploited by LUA users to gain escalated privileges. The problem is caused due to the application setting insecure default permissions (grants Everyone:Full Control) on the eScan installation directory and all it's child objects. This can be exploited to remove, manipulate, and replace any of the application's files. Successful exploitation allows execution of arbitrary code with SYSTEM privileges. Proof of concept: ================= - logon as LUA user - rename traysser.exe to traysser.exe.BAK - copy program.exe to eScan installation directory - rename program.exe to traysser.exe - restart the computer - "rootshell" ;) NOTE: traysser.exe is eScan Server Updater Service that runs as NT AUTHORITYSYSTEM. Tested on multiple eScan products v9.0.722.1. Other products/versions may be affected. Source code for program.exe: ============================ #include <stdio.h> int main() { system("cmd.exe"); return 0; } Solution: ========= Set proper permissions on the eScan installation directory and all it's child objects. NOTE: this may impact the functionality. Timeline: ========= 10.08.2007 - initial vendor notification 20.08.2007 - additional vendor notification 30.08.2007 - public disclosure Contact: ======== Maldin d.o.o. Trzaska cesta 2 1000 Ljubljana - SI tel: +386 (0)590 70 170 fax: +386 (0)590 70 177 gsm: +386 (0)31 816 400 web: www.teamintell.com e-mail: info at teamintell.com Disclaimer: =========== The content of this report is purely informational and meant for educational purposes only. Maldin d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of information in this advisory is entirely at user's own risk. =========================================================================


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top