Trend Micro IWSS 3.1 privilege escalation

Date Disclosed:
10/25/2011

Date Patched:
Patch Not Yet Available

Vendor:
Trend Micro
Affected Software:
Trend Micro InterScan Web Security Suite for Linux and Solaris 3.1 and prior
Description:

The Trend Micro InterScan Web Security Suite (IWSS) will run scripts titled either "PatchExe.sh" or "RollbackExe.sh" out of the current directory with root privileges regardless of the privileges with which the  IWSS was initially launched with.  Successful exploitation would give an attacker root level access to the target machine.
Severity:
High
Code Execution:
Yes
Impact:
Local Elevation of Privilege to root privileges
This local vulnerability allows an attacker with file write privileges to run arbitrary scripts under the context of system root.
Mitigation:
No mitigation has been provided.
Protection:

Links:

• Original Advisory

Status:
10.25.2011 - Public Information Released