========================================================================= Multiple MicroWorld products insecure directory permissions ========================================================================= Release date: 05.09.2008 Severity: Medium risk Impact: Privilege escalation Remote: No Status: Unpatched Category: Low-hanging fruit Software: Multiple MicroWorld products Tested on: Microsoft Windows XP SP3 Developer: http://www.mwti.net/ http://www.microworld.de/ Disclosed by: Edi Strosar Kudos to: shinnai [www.shinnai.net] Vendor's own words: =================== "We add confidence to computing." Download link: http://www.mwti.net/products/download_center.asp Description: ============ MicroWorld's eScan, MailScan and X-Spam product line is prone to security issue where LUA users can elevate their privileges. 1.) Affected applications: ---------------------- eScan Anti-Virus 9.0.x eScan Corporate 9.0.x eScan Professional 9.0.x eScan Virus Control 9.0.x eScan Workstation Server 9.0.x eScan Internet Security Suite 9.0.x Corresponding binaries: ----------------------- %programfiles%\escan\traysser.exe %programfiles%\escan\consctl.exe %programfiles%\escan\vista\avpmapp.exe 2.) Affected application: --------------------- eScan Web and Mail Filter 9.0.x Corresponding binaries: ----------------------- %programfiles%\ecan-web and mail filter\traysser.exe %programfiles%\ecan-web and mail filter\consctl.exe 3.) Affected applications: ---------------------- MailScan for Mail-Server 5.6a MailScan for SMTP Server 5.6a Corresponding binaries: ----------------------- %programfiles%\mailscan\mailserv.exe %programfiles%\mailscan\trayico.exe %programfiles%\mailscan\smtp.exe %programfiles%\mailscan\ipcsrvr.exe %programfiles%\mailscan\maildisp.exe %programfiles%\mailscan\spooler.exe %programfiles%\mailscan\vista\scanningprocess.exe 4.) Affected application: --------------------- X-Spam for SMTP Servers 5.6a Corresponding binaries: ----------------------- %programfiles%\x-spam\mailserv.exe %programfiles%\x-spam\trayico.exe %programfiles%\x-spam\smtp.exe %programfiles%\x-spam\maildisp.exe %programfiles%\x-spam\spooler.exe All mentioned binaries are running under NT AUTHORITY\SYSTEM account. Replacing any of those programs with appropriate (i.e. cmd.exe) will spawn process with Local System privileges on next reboot. Because setup/installation procedure sets insecure default permissions (Everyone:Full Control) on eScan/MailScan/X-Spam installation directory any LUA user can perform this task. NOTE: some binaries won't spawn visible windows. Yes, you guess it. Other MicroWorld products may be vulnerable. Proof of concept: ================= Do you really need any? Mitigation: =========== Set proper permissions to eScan/MailScan/X-Spam installation directory and all it's child objects. WARNING: this may impact the functionality of the application! Timeline: ========= 18.08.2008 - Initial vendor notification - Vendor did not respond 25.08.2008 - Additional vendor notification 25.08.2008 - Vendor states that it is aware of the issue and working on it 25.08.2008 - Coordinated disclosure suggested - Vendor did not respond 30.08.2008 - Coordinated disclosure re-suggested _ Vendor did not respond 05.09.2008 - Public disclosure Notice: ======= This advisory is just 2nd part of the same story. The opening round is @ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4649. Contact: ======== edi [dot] strosar [at] gmail [dot] com Disclaimer: =========== The content of this report is purely informational and meant for educational purposes only. Author shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of information in this advisory is entirely at user's own risk. =========================================================================