Vendor: eScan Products
By: SecurityFocus
CVSS: 7.2 (HIGH)
Privilege Escalation
CWE: 264
Product Name: eScan Products
Affected Version From: 9.0.722.1
Affected Version To: 9.0.x
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2008

MicroWorld eScan Products Local Privilege Escalation Vulnerability

Multiple MicroWorld eScan products are vulnerable to a local privilege-escalation vulnerability because of insecure default file permissions. Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful attacks will completely compromise affected computers. The following are vulnerable: eScan Internet Security 9.0.722.1, eScan Virus Control 9.0.722.1, eScan AntiVirus 9.0.722.1, eScan Corporate 9.0.x, eScan Professional 9.0.x, eScan Workstation Server 9.0.x, eScan Web and Mail Filter 9.0.x, MailScan for Mail-Server 5.6a, MailScan for SMTP Server 5.6a, X-Spam for SMTP Servers 5.6a. Other versions and software packages may also be affected. Attackers can exploit this issue by logging in as a LUA user, renaming traysser.exe to traysser.exe.BAK, copying program.exe to the eScan installation directory, renaming program.exe to traysser.exe, and restarting the computer.

Mitigation:

Users should ensure that all default file permissions are properly set and that all unnecessary services are disabled.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/25493/info

Multiple MicroWorld eScan products are vulnerable to a local privilege-escalation vulnerability because of insecure default file permissions.

Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful attacks will completely compromise affected computers.

The following are vulnerable:

eScan Internet Security 9.0.722.1
eScan Virus Control 9.0.722.1
eScan AntiVirus 9.0.722.1

UPDATE (September 4, 2008): The following additional products have been reported as vulnerable:

eScan Corporate 9.0.x
eScan Professional 9.0.x
eScan Workstation Server 9.0.x
eScan Web and Mail Filter 9.0.x
MailScan for Mail-Server 5.6a
MailScan for SMTP Server 5.6a
X-Spam for SMTP Servers 5.6a

Other versions and software packages may also be affected. 

- logon as LUA user
- rename traysser.exe to traysser.exe.BAK
- copy program.exe to eScan installation directory
- rename program.exe to traysser.exe
- restart the computer
- "rootshell" ;)

NOTE: traysser.exe is the eScan Server Updater Service, which runs as NT AUTHORITY\SYSTEM.