lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <48C04E76.2000600@gmail.com>
Date: Thu, 04 Sep 2008 23:09:10 +0200
From: Edi Strosar <edi.strosar@...il.com>
To: bugtraq@...urityfocus.com
Subject: Multiple MicroWorld products insecure directory permissions

=========================================================================

	Multiple MicroWorld products insecure directory permissions

=========================================================================

  Release date:    05.09.2008
  Severity:        Medium risk
  Impact:          Privilege escalation
  Remote:          No
  Status:	  Unpatched
  Category:        Low-hanging fruit
  Software:        Multiple MicroWorld products
  Tested on:       Microsoft Windows XP SP3
  Developer:       http://www.mwti.net/
                   http://www.microworld.de/
  Disclosed by:    Edi Strosar
  Kudos to:        shinnai [www.shinnai.net]


Vendor's own words:
===================
"We add confidence to computing."

Download link:
http://www.mwti.net/products/download_center.asp


Description:
============
MicroWorld's eScan, MailScan and X-Spam product line is prone to 
security issue where LUA users can elevate their privileges.


1.) Affected applications:
     ----------------------
     eScan Anti-Virus 9.0.x
     eScan Corporate 9.0.x
     eScan Professional 9.0.x
     eScan Virus Control 9.0.x
     eScan Workstation Server 9.0.x
     eScan Internet Security Suite 9.0.x

     Corresponding binaries:
     -----------------------
     %programfiles%\escan\traysser.exe
     %programfiles%\escan\consctl.exe
     %programfiles%\escan\vista\avpmapp.exe

2.) Affected application:
     ---------------------
     eScan Web and Mail Filter 9.0.x

     Corresponding binaries:
     -----------------------
     %programfiles%\ecan-web and mail filter\traysser.exe
     %programfiles%\ecan-web and mail filter\consctl.exe

3.) Affected applications:
     ----------------------
     MailScan for Mail-Server 5.6a
     MailScan for SMTP Server 5.6a

     Corresponding binaries:
     -----------------------
     %programfiles%\mailscan\mailserv.exe
     %programfiles%\mailscan\trayico.exe
     %programfiles%\mailscan\smtp.exe
     %programfiles%\mailscan\ipcsrvr.exe
     %programfiles%\mailscan\maildisp.exe
     %programfiles%\mailscan\spooler.exe
     %programfiles%\mailscan\vista\scanningprocess.exe

4.) Affected application:
     ---------------------
     X-Spam for SMTP Servers 5.6a

     Corresponding binaries:
     -----------------------
     %programfiles%\x-spam\mailserv.exe
     %programfiles%\x-spam\trayico.exe
     %programfiles%\x-spam\smtp.exe
     %programfiles%\x-spam\maildisp.exe
     %programfiles%\x-spam\spooler.exe


All mentioned binaries are running under NT AUTHORITY\SYSTEM account. 
Replacing any of those programs with appropriate (i.e. cmd.exe) will 
spawn process with Local System privileges on next reboot. Because 
setup/installation procedure sets insecure default permissions 
(Everyone:Full Control) on eScan/MailScan/X-Spam installation directory 
any LUA user can perform this task. NOTE: some binaries won't spawn 
visible windows.

Yes, you guess it. Other MicroWorld products may be vulnerable.


Proof of concept:
=================
Do you really need any?


Mitigation:
===========
Set proper permissions to eScan/MailScan/X-Spam installation directory 
and all it's child objects. WARNING: this may impact the functionality 
of the application!


Timeline:
=========
18.08.2008 - Initial vendor notification
	   - Vendor did not respond
25.08.2008 - Additional vendor notification
25.08.2008 - Vendor states that it is aware of the issue and working on it
25.08.2008 - Coordinated disclosure suggested
	   - Vendor did not respond
30.08.2008 - Coordinated disclosure re-suggested
	   _ Vendor did not respond
05.09.2008 - Public disclosure


Notice:
=======
This advisory is just 2nd part of the same story. The opening round is @ 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4649.


Contact:
========
edi [dot] strosar [at] gmail [dot] com


Disclaimer:
===========
The content of this report is purely informational and meant for 
educational purposes only. Author shall in no event be liable for any 
damage whatsoever, direct or implied, arising from use or spread of this 
information. Any use of information in this advisory is entirely at 
user's own risk.

=========================================================================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ