exploit the possibilities

microworld-insecure.txt

microworld-insecure.txt
Posted Sep 5, 2008
Authored by Edi Strosar

Multiple MicroWorld products suffer from insecure directory permissions vulnerabilities that allow for privilege escalation.

tags | advisory, vulnerability
MD5 | ce8ac3604c3af57abf8400703a98d0e6

microworld-insecure.txt

Change Mirror Download
=========================================================================

Multiple MicroWorld products insecure directory permissions

=========================================================================

Release date: 05.09.2008
Severity: Medium risk
Impact: Privilege escalation
Remote: No
Status: Unpatched
Category: Low-hanging fruit
Software: Multiple MicroWorld products
Tested on: Microsoft Windows XP SP3
Developer: http://www.mwti.net/
http://www.microworld.de/
Disclosed by: Edi Strosar
Kudos to: shinnai [www.shinnai.net]


Vendor's own words:
===================
"We add confidence to computing."

Download link:
http://www.mwti.net/products/download_center.asp


Description:
============
MicroWorld's eScan, MailScan and X-Spam product line is prone to
security issue where LUA users can elevate their privileges.


1.) Affected applications:
----------------------
eScan Anti-Virus 9.0.x
eScan Corporate 9.0.x
eScan Professional 9.0.x
eScan Virus Control 9.0.x
eScan Workstation Server 9.0.x
eScan Internet Security Suite 9.0.x

Corresponding binaries:
-----------------------
%programfiles%\escan\traysser.exe
%programfiles%\escan\consctl.exe
%programfiles%\escan\vista\avpmapp.exe

2.) Affected application:
---------------------
eScan Web and Mail Filter 9.0.x

Corresponding binaries:
-----------------------
%programfiles%\ecan-web and mail filter\traysser.exe
%programfiles%\ecan-web and mail filter\consctl.exe

3.) Affected applications:
----------------------
MailScan for Mail-Server 5.6a
MailScan for SMTP Server 5.6a

Corresponding binaries:
-----------------------
%programfiles%\mailscan\mailserv.exe
%programfiles%\mailscan\trayico.exe
%programfiles%\mailscan\smtp.exe
%programfiles%\mailscan\ipcsrvr.exe
%programfiles%\mailscan\maildisp.exe
%programfiles%\mailscan\spooler.exe
%programfiles%\mailscan\vista\scanningprocess.exe

4.) Affected application:
---------------------
X-Spam for SMTP Servers 5.6a

Corresponding binaries:
-----------------------
%programfiles%\x-spam\mailserv.exe
%programfiles%\x-spam\trayico.exe
%programfiles%\x-spam\smtp.exe
%programfiles%\x-spam\maildisp.exe
%programfiles%\x-spam\spooler.exe


All mentioned binaries are running under NT AUTHORITY\SYSTEM account.
Replacing any of those programs with appropriate (i.e. cmd.exe) will
spawn process with Local System privileges on next reboot. Because
setup/installation procedure sets insecure default permissions
(Everyone:Full Control) on eScan/MailScan/X-Spam installation directory
any LUA user can perform this task. NOTE: some binaries won't spawn
visible windows.

Yes, you guess it. Other MicroWorld products may be vulnerable.


Proof of concept:
=================
Do you really need any?


Mitigation:
===========
Set proper permissions to eScan/MailScan/X-Spam installation directory
and all it's child objects. WARNING: this may impact the functionality
of the application!


Timeline:
=========
18.08.2008 - Initial vendor notification
- Vendor did not respond
25.08.2008 - Additional vendor notification
25.08.2008 - Vendor states that it is aware of the issue and working on it
25.08.2008 - Coordinated disclosure suggested
- Vendor did not respond
30.08.2008 - Coordinated disclosure re-suggested
_ Vendor did not respond
05.09.2008 - Public disclosure


Notice:
=======
This advisory is just 2nd part of the same story. The opening round is @
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4649.


Contact:
========
edi [dot] strosar [at] gmail [dot] com


Disclaimer:
===========
The content of this report is purely informational and meant for
educational purposes only. Author shall in no event be liable for any
damage whatsoever, direct or implied, arising from use or spread of this
information. Any use of information in this advisory is entirely at
user's own risk.

=========================================================================
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    15 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close