Multiple MicroWorld eScan Products: Local Privilege Escalation Vulnerability

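Vulnerability ID: 1113548
Vulnerability type: Permissions, privileges, and access control
Published: 2007-08-30
Updated: 2008-09-04
CVE ID: CVE-2007-4649
CNNVD-ID: CNNVD-200708-524
Platform: Windows
CVSS score: 7.2
|Vulnerability Sources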
https://www.exploit-db.com/exploits/30546
https://www.securityfocus.com/bid/25493
https://cxsecurity.com/issue/WLB-2007090005
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-524
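|Vulnerability Details
MicroWorld eScan Virus Control 9.0.722.1, Anti-Virus 9.0.722.1, and Internet Security 9.0.722.1 use weak permissions (Everyone: Full Control) on the installation directory tree, which allows local users to gain privileges by replacing application files such as traysser.exe.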
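
A defender-side check for the weak permission described above, as an added example that is not part of the original advisory: it parses `icacls` output for a directory and reports allow-ACEs that give broad groups write-capable rights. The path `C:\Program Files\ExampleAV` and both sample outputs are constructed, and the principal names assume an English-language Windows install.

```python
import re

# Principals that include every ordinary local user (English-language names assumed).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
# icacls rights that allow replacing or modifying a file, or rewriting its ACL/owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DE", "DC", "WDAC", "WO", "GA", "GW"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z,]+\))+)$")


def weak_aces(path, icacls_output):
    """Return [(principal, [rights])] for allow-ACEs that let broad groups write."""
    findings = []
    for line in icacls_output.splitlines():
        # icacls prints the queried path before the first ACE; drop it and the indent.
        ace = line.replace(path, "", 1).strip()
        m = ACE_RE.match(ace)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        groups = re.findall(r"\(([A-Z,]+)\)", m["flags"])
        if "DENY" in groups or m["who"].lower() not in BROAD:
            continue
        # The last parenthesised group is the access mask; earlier ones are inheritance flags.
        risky = sorted(WRITE_RIGHTS & set(groups[-1].split(",")))
        if risky:
            findings.append((m["who"], risky))
    return findings


# Constructed sample: hypothetical install directory with the weak ACL from the advisory.
SAMPLE_DIR = r"C:\Program Files\ExampleAV"
WEAK_OUT = r"""C:\Program Files\ExampleAV Everyone:(OI)(CI)(F)
                           NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                           BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed sample: the same directory after tightening (users get read/execute only).
FIXED_OUT = r"""C:\Program Files\ExampleAV NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                           BUILTIN\Administrators:(OI)(CI)(F)
                           BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for label, out in (("weak", WEAK_OUT), ("fixed", FIXED_OUT)):
        print(label, weak_aces(SAMPLE_DIR, out))
```

On a live host, feed the function the output of `icacls` for each directory that holds a service binary running as SYSTEM.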
|Exploit
source: http://www.securityfocus.com/bid/25493/info

Multiple MicroWorld eScan products are vulnerable to a local privilege-escalation vulnerability because of insecure default file permissions.

Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful attacks will completely compromise affected computers.

The following are vulnerable:

eScan Internet Security 9.0.722.1
eScan Virus Control 9.0.722.1
eScan AntiVirus 9.0.722.1

UPDATE (September 4, 2008): The following additional products have been reported as vulnerable:

eScan Corporate 9.0.x
eScan Professional 9.0.x
eScan Workstation Server 9.0.x
eScan Web and Mail Filter 9.0.x
MailScan for Mail-Server 5.6a
MailScan for SMTP Server 5.6a
X-Spam for SMTP Servers 5.6a

Other versions and software packages may also be affected. 

- logon as LUA user
- rename traysser.exe to traysser.exe.BAK
- copy program.exe to eScan installation directory
- rename program.exe to traysser.exe
- restart the computer
- "rootshell" ;)

NOTE: traysser.exe is eScan Server Updater Service that
runs as NT AUTHORITY\SYSTEM.
|Affected Products
MicroWorld Technologies X-Spam for SMTP Servers 5.6a
MicroWorld Technologies MailScan for SMTP Servers 5.6
MicroWorld Technologies MailScan for Mail Servers 5.6a
MicroWorld Technologies MailScan 5.6.a es
|References

Source: XF
Name: escan-directory-insecure-permissions(36367)
Link: http://xforce.iss.net/xforce/xfdb/36367
Source: BID
Name: 25493
Link: http://www.securityfocus.com/bid/25493
Source: SECUNIA
Name: 26581
Link: http://secunia.com/advisories/26581
Source: FULLDISC
Name: 20070829 Multiple eScan products insecure file permissions
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065509.html
Source: SREASON
Name: 3085
Link: http://securityreason.com/securityalert/3085