Microworld eScan (Multiple Products) - Local Privilege Escalation

EDB-ID: 30546

Platform: Windows

Published: 2007-08-30

source: http://www.securityfocus.com/bid/25493/info

Multiple MicroWorld eScan products are vulnerable to a local privilege-escalation vulnerability because of insecure default file permissions.

Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful attacks will completely compromise affected computers.

The following are vulnerable:

eScan Internet Security 9.0.722.1
eScan Virus Control 9.0.722.1
eScan AntiVirus 9.0.722.1

UPDATE (September 4, 2008): The following additional products have been reported as vulnerable:

eScan Corporate 9.0.x
eScan Professional 9.0.x
eScan Workstation Server 9.0.x
eScan Web and Mail Filter 9.0.x
MailScan for Mail-Server 5.6a
MailScan for SMTP Server 5.6a
X-Spam for SMTP Servers 5.6a

Other versions and software packages may also be affected. 

- log on as a LUA user
- rename traysser.exe to traysser.exe.BAK
- copy program.exe to eScan installation directory
- rename program.exe to traysser.exe
- restart the computer
- "rootshell" ;)

NOTE: traysser.exe is the eScan Server Updater Service, which
runs as NT AUTHORITY\SYSTEM.
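
To check a host for the permission weakness described above, the following PowerShell audit (an added example, not part of the original advisory or any vendor tooling) lists services running as LocalSystem whose executable or install directory grants write-type rights to low-privileged principals. The SID list and the rights mask are assumptions chosen for illustration; it generalizes beyond eScan to every SYSTEM service on the machine.

```powershell
# Added example: audit LocalSystem services for binaries or install
# directories that low-privileged principals can modify.

# Well-known SIDs treated as low-privileged (assumption: extend as needed).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow adding, replacing or renaming files, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that
# inherit-only ACEs can carry.
$write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask  = [int]$write -bor 0x40000000 -bor 0x10000000

function Get-WeakAce {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Ask for SIDs instead of names so the check is locale independent.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $lowPriv.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $mask)) {
            [pscustomobject]@{ Path = $Path; Principal = $lowPriv[$sid]; Rights = $ace.FileSystemRights }
        }
    }
}

Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
    ForEach-Object {
        # PathName is either "quoted path" args, or an unquoted path ending in .exe.
        if ($_.PathName -match '^\s*"([^"]+)"' -or $_.PathName -match '^\s*(.+?\.exe)') {
            $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
            $svc = $_.Name
            # Check the binary and its directory: renaming or dropping a file needs directory rights.
            foreach ($target in @($exe, (Split-Path -Parent $exe))) {
                Get-WeakAce -Path $target |
                    Select-Object @{ n = 'Service'; e = { $svc } }, Path, Principal, Rights
            }
        }
    } | Sort-Object Service, Path
```

Run it from an elevated prompt so every ACL can be read. Any row returned is a SYSTEM service whose files should have write, delete and ownership rights restricted to Administrators and SYSTEM.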