
Panda Security 2014 Privilege Escalation
Posted Aug 20, 2014
Authored by Kyriakos Economou

Panda 2014 products suffer from a heap overflow vulnerability that allows for privilege escalation.

tags | advisory, overflow
advisories | CVE-2014-5307
MD5 | 93162c683df784e9a518eecbe43310d6

Vulnerability title: Privilege Escalation in Panda Security
CVE: CVE-2014-5307
Vendor: Panda Security
Product: Multiple
Affected version: Panda 2014 Products
Fixed version: Hotfix hft131306s24_r1
Reported by: Kyriakos Economou


The latest, and possibly earlier, builds of the PavTPK.sys kernel mode driver shipped with Panda Security software suffer from a heap overflow bug that allows any user to elevate their privileges through an IOCTL request and execute code as SYSTEM by controlling EIP via a corrupted kernel object.
Upon unsuccessful exploitation the system will crash with a BSoD.
This driver is loaded into kernel memory at boot time and stays resident without touching the disk afterwards.
All Panda Security products using the faulty driver were found to be vulnerable.

Technical Details:

By sending IOCTL 0x222008 with a crafted input buffer, the following block of instructions is reached. This is the first part of the chain that leads to the heap overflow, because any process can easily manipulate information in its own Process Environment Block (PEB) structure.
The root cause of the heap overflow is examined further below.

Read Information from PEB:

80536bf0 89448fe4 mov dword ptr [edi+ecx*4-1Ch],eax
80536bf4 8b448ee8 mov eax,dword ptr [esi+ecx*4-18h]
80536bf8 89448fe8 mov dword ptr [edi+ecx*4-18h],eax
80536bfc 8b448eec mov eax,dword ptr [esi+ecx*4-14h]
80536c00 89448fec mov dword ptr [edi+ecx*4-14h],eax
80536c04 8b448ef0 mov eax,dword ptr [esi+ecx*4-10h]
80536c08 89448ff0 mov dword ptr [edi+ecx*4-10h],eax
80536c0c 8b448ef4 mov eax,dword ptr [esi+ecx*4-0Ch]
80536c10 89448ff4 mov dword ptr [edi+ecx*4-0Ch],eax
80536c14 8b448ef8 mov eax,dword ptr [esi+ecx*4-8]
80536c18 89448ff8 mov dword ptr [edi+ecx*4-8],eax
80536c1c 8b448efc mov eax,dword ptr [esi+ecx*4-4];ds:0023:7ffdd010=00360000
80536c20 89448ffc mov dword ptr [edi+ecx*4-4],eax

The PRTL_USER_PROCESS_PARAMETERS pointer inside the PEB structure (originally highlighted in bold; it is the value 00360000 read from 7ffdd010 in the last instruction above) can be manipulated so that it points to a location containing data that an attacker fully controls.
In the example above, we have hijacked the pointer with another one pointing to 0x00360000, so the driver will use that one later.

At our buffer+0x38 we can set the size value used to allocate memory through a call to ExAllocatePoolWithTag.

In this case, at address 0x00360038 we can write a DWORD, for example 0x41412020, but only the low WORD is taken into consideration for the memory allocation.
So we can copy 0x2020 bytes of data we control there. This data will later overflow a heap buffer used by the driver, which is always of size 0x1004.
Further manipulation of that buffer is needed, but that information is not necessary to explain the vulnerability, as shown below.

b70b8339 6800100000 push 1000h
b70b833e 6a00 push 0
b70b8340 56 push esi
b70b8341 e800370000 call PavTPK!GetThreads+0x3a28 <--- zero out dest buf (Total size 0x1004)
b70b8346 0fb745c0 movzx eax,word ptr [ebp-40h] <-- read our value 0x2020
b70b834a d1e8 shr eax,1 <-- divide by two to copy data per WORD size
b70b834c 50 push eax
b70b834d ff75c4 push dword ptr [ebp-3Ch]
b70b8350 56 push esi
b70b8351 ff1524d00bb7 call dword ptr [PavTPK!GetThreads+0x5006 (b70bd024)] ds:0023:b70bd024={nt!wcsncpy (80537f29)} <--- heap overflow since destination buffer is smaller than the data copied
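The listing shows the defect in three instructions: a 16-bit length is read from data the caller controls (movzx), halved to get a WCHAR count (shr), and handed to wcsncpy with a destination that is always 0x1004 bytes and is never consulted. The following C is an added, constructed model of that arithmetic beside a bounded replacement; it is not the driver's code and the names (modelled_copy_bytes, bounded_copy, WCHAR16) are assumptions for illustration. It runs in user mode on any host, so WCHAR is modelled as a 2-byte type rather than relying on the host's wchar_t.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the copy described in the advisory (not PavTPK.sys code).
 * The driver's destination buffer is always 0x1004 bytes; a Windows WCHAR is
 * 2 bytes, modelled here explicitly so the program behaves the same on any host. */
#define DEST_BYTES 0x1004u
typedef uint16_t WCHAR16;

/* Bytes the driver's arithmetic would hand to wcsncpy for a caller-supplied DWORD:
 *   movzx  keeps only the low WORD (0x41412020 -> 0x2020)
 *   shr 1  turns a byte count into a WCHAR count
 *   wcsncpy then writes count * sizeof(WCHAR) bytes, ignoring the destination size. */
size_t modelled_copy_bytes(uint32_t user_dword)
{
    uint16_t low_word = (uint16_t)user_dword;   /* movzx eax, word ptr [ebp-40h] */
    size_t wchar_count = low_word >> 1;          /* shr eax, 1 */
    return wchar_count * sizeof(WCHAR16);        /* what the copy would write */
}

/* 1 if the modelled copy exceeds the fixed 0x1004-byte destination, else 0. */
int modelled_overflows(uint32_t user_dword)
{
    return modelled_copy_bytes(user_dword) > DEST_BYTES;
}

/* Hardened handler (assumed design, not the vendor's fix): the requested length is
 * validated against the destination's real capacity before anything is copied,
 * a terminator slot is reserved, and an oversized or malformed request is rejected
 * rather than silently truncated to 16 bits.
 * Returns the number of WCHARs copied, or -1 on rejection. */
int bounded_copy(WCHAR16 *dst, size_t dst_bytes, const WCHAR16 *src, uint32_t claimed_bytes)
{
    if (dst == NULL || src == NULL) return -1;
    if (dst_bytes < sizeof(WCHAR16)) return -1;
    size_t max_wchars = dst_bytes / sizeof(WCHAR16) - 1;  /* leave room for the terminator */
    if (claimed_bytes % sizeof(WCHAR16) != 0) return -1;   /* odd byte count is malformed */
    size_t want = claimed_bytes / sizeof(WCHAR16);
    if (want > max_wchars) return -1;                      /* reject, never overflow */
    memset(dst, 0, dst_bytes);                             /* same zeroing the driver does */
    size_t n = 0;
    while (n < want && src[n] != 0) { dst[n] = src[n]; n++; }
    dst[n] = 0;
    return (int)n;
}

/* Exercises bounded_copy against a 0x1004-byte destination with a constructed
 * three-character source string; returns bounded_copy's result. */
int demo_bounded_copy(uint32_t claimed_bytes)
{
    WCHAR16 dst[DEST_BYTES / sizeof(WCHAR16)];             /* 0x802 WCHARs = 0x1004 bytes */
    const WCHAR16 src[] = { 'a', 'b', 'c', 0 };            /* constructed sample input */
    return bounded_copy(dst, sizeof dst, src, claimed_bytes);
}

int main(void)
{
    uint32_t sample = 0x41412020u;  /* the DWORD from the advisory */
    printf("copy of %#zx bytes into %#x-byte buffer: %s\n",
           modelled_copy_bytes(sample), DEST_BYTES,
           modelled_overflows(sample) ? "OVERFLOW" : "fits");
    printf("bounded_copy(6 bytes) -> %d, bounded_copy(0x2020 bytes) -> %d\n",
           demo_bounded_copy(6), demo_bounded_copy(0x2020));
    return 0;
}
```

The check that matters is the comparison against dst_bytes: once the length is bounded by the destination rather than by whatever the caller wrote at buffer+0x38, the 0x41412020 value from the advisory is refused instead of producing a 0x2020-byte write into a 0x1004-byte allocation. In a real driver the source would additionally be probed and captured from user mode before use, since the PEB and anything it points to can change under the driver.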


This vulnerability results in local privilege escalation.


The proof of concept exploit is available.

Further details at:

Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.

The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.