In association with heise online

30 August 2007, 11:24

Privilege escalation in Microworld's eScan

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Vendor Microworld provides security solutions based on the Kaspersky antivirus engine. During installation the Microworld eScan product configures access privileges for the program folder that grant everyone full control. Users with restricted accounts can thereby execute programs with system privileges.

eScan installation dialog
eScan sets its folder privileges

During installation, the antivirus software even refers in a progress dialog to eScan granting special directory privileges. In a security advisory, Team Intell explain that the update service traysser.exe can be replaced by arbitrary programs supplied by users with restricted access privileges. heise Security was able to confirm this by testing a small program that launches the Windows command prompt – after a reboot, a command prompt with administrator privileges opened.

According to the security advisory, the products affected by this vulnerability are eScan Virus Control, eScan Anti-Virus and eScan Internet Security Version 9.0.722.1. Apparently, however, older versions also rely on unsafe directory privileges. heise Security was able to confirm the problem by testing eScan Anti-Virus 8.0.671.1. Team Intell write that they informed the vendor about the vulnerability on 10th August, but an update to eliminate the problem has still not been provided.

Even renowned antivirus manufacturers tend to work with unsafe directory privileges. The antivirus solutions from Panda, for instance, also rely on directory access privileges for everyone. Although the vendor protects the files with other mechanisms to prevent them from being overwritten by users, it would be a more elegant solution to work with the correct directory privileges and employ an update service that has been granted the necessary access rights to carry out product updates.

See also:

(mba)

Print Version | Send by email | Permalink: http://h-online.com/-733552
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit