Privilege escalation in Microworld's eScan
Vendor Microworld provides security solutions based on the Kaspersky antivirus engine. During installation the Microworld eScan product configures access privileges for the program folder that grant everyone full control. Users with restricted accounts can thereby execute programs with system privileges.
During installation, the antivirus software even refers in a progress dialog to eScan granting special directory privileges. In a security advisory, Team Intell explain that the update service traysser.exe can be replaced by arbitrary programs supplied by users with restricted access privileges. heise Security was able to confirm this by testing a small program that launches the Windows command prompt – after a reboot, a command prompt with administrator privileges opened.
According to the security advisory, the products affected by this vulnerability are eScan Virus Control, eScan Anti-Virus and eScan Internet Security Version 9.0.722.1. Apparently, however, older versions also rely on unsafe directory privileges. heise Security was able to confirm the problem by testing eScan Anti-Virus 8.0.671.1. Team Intell write that they informed the vendor about the vulnerability on 10th August, but an update to eliminate the problem has still not been provided.
Even renowned antivirus manufacturers tend to work with unsafe directory privileges. The antivirus solutions from Panda, for instance, also rely on directory access privileges for everyone. Although the vendor protects the files with other mechanisms to prevent them from being overwritten by users, it would be a more elegant solution to work with the correct directory privileges and employ an update service that has been granted the necessary access rights to carry out product updates.
- Multiple eScan products insecure file permissions, security advisory from Team Intell
- Unsafe file permissions in Panda Antivirus, report on heise Security from 08.08.2007