MicroWorld eScan Antivirus Command Injection Vulnerability in Autoscan USB Feature

A critical vulnerability allowing OS command injection has been identified in MicroWorld eScan Antivirus version 7.0.32 for Linux. The issue arises in the Autoscan USB component, specifically within the epsdaemon service, which executes system commands without proper input sanitization. This vulnerability can be exploited locally by users with low privileges who can access the eScan GUI.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected system with the privileges of the user running eScan Antivirus.

Reproduction

To reproduce this vulnerability, open the 'Device Control' option in the eScan Antivirus GUI. Set the 'Use Other Password' option with a crafted password that includes command injection payloads. The program will display a pop-up indicating an 'Invalid password', but the injected command will be executed in the background. Alternatively, plug in a USB device with a name that includes command injection payloads. The eScan service will automatically execute the injected commands as soon as the USB is connected.