exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Panda Security Local Privilege Escalation 2010

Panda Security Local Privilege Escalation 2010
Posted Jan 21, 2010
Authored by Nikolas Sotiriu | Site sotiriu.de

Panda Security suffers from a local privilege escalation vulnerability. Proof of concept code included. This is an updated version of the original advisory.

tags | advisory, local, proof of concept
SHA-256 | 68c919cfbbcaab6c8202cec461ff70cb5276a6228828dd6772a6c974b0ae4c75

Panda Security Local Privilege Escalation 2010

Change Mirror Download
______________________________________________
Security Advisory NSOADV-2010-001 (Version 2)
______________________________________________
______________________________________________


Title: Panda Security Local Privilege Escalation
Severity: Medium
Advisory ID: NSOADV-2010-001
Found Date: 02.2008
Date Reported: 30.11.2009
Release Date: 09.01.2010
Update Date: 20.01.2010
Author: Nikolas Sotiriu (lofi)
Website: http://sotiriu.de
Mail: nso-research at sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2010-001.txt
Vendor: Panda Security (http://www.pandasecurity.com/)
Affected Products: (Self tested)
-Panda Security for Business 4.04.10
-Panda Security for Business with Exchange
4.04.10
-Panda Security for Enterprise 4.04.10
-Panda Internet Security 2010 (15.01.00)
-Panda Global Protection 2010 (3.01.00)
-Panda Antivirus Pro 2010 (9.01.00)
-Panda Antivirus for Netbooks (9.01.00)

(Provided by Panda)
-Panda Global Protection 2009
-Panda Internet Security 2009
-Panda Antivirus Pro 2009
-Panda Internet Security 2008
-Panda Antivirus + Firewall 2008
-Panda Platinum 2007 Internet Security
-Panda Platinum 2006 Internet Security

Affected Component: Corporate Products:
-Panda Security for Desktops 4.05.10
-Panda Security for File Servers 8.04.10

Remote Exploitable: No
Local Exploitable: Yes
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy



Background:
===========

Panda Security for <Product> is the security solution for companies that
need to protect their networks, mainly workstations and file servers.
Panda Security for Business is centrally managed thanks to the
AdminSecure Console, which allows monitoring the entire network,
protecting your critical assets against all types of threats and
optimizing productivity.

(Product description from Panda Website)

This vulnerability is similar to the following vulnerabilities in Panda
products, which where discovered earlier:

Sep 07 2006 3APA3A: http://www.securityfocus.com/bid/19891
Aug 02 2007 tarkus: http://www.securityfocus.com/bid/25186
Oct 31 2009 Protek: http://www.securityfocus.com/archive/1/507615
Nov 02 2009 Maxim: http://www.securityfocus.com/bid/36897

The earlier reported vulnerabilities only affected the Home user
products. But the business products had the same bug.

More interesting is, that Panda failed since 2006 each year by
releasing the new version with the same old bug.



Description:
============

1. 32Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During installation of Panda Security for Desktops/File Servers the
permissions for installation folder

%ProgramFiles%\Panda Software\AVTC\

by default are set to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem account.

The 32bit Version of Panda Security for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
process
b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only)
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\TPSrv.exe


2. 64Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During installation of Panda Security for Desktops/File Servers the
permissions for installation folder

%ProgramFiles%\Panda Software\AVTC\

by default are set to Everyone:Full Control. Few services
(e.g. PavSrvx86.EXE) are started from this folder. Services are started
under LocalSystem account.

In the 64bit Version of Panda Security for Desktops/File Servers is no
TruePrevent package available, which protects the files in the
installation directory from manipulation.

There is no protection of service files. It's possible for unprivileged
user to replace service executable with the file of his choice to get
full access with LocalSystem privileges.

This can be exploited by:

a. Rename PavSrvX86.exe to PavSrvX86.old in Panda folder
b. Copy any application to PavSrvX86.exe
c. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PavSrvX86.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsImSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PskSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsCtrlS.exe


3. Panda Internet Security/Global Protection/Antivirus Pro 20XX
+-----------------------------------------------------------------------

During installation of the Panda Security 20XX Products the
permissions for installation folder

%ProgramFiles%\panda security\panda <product>\

by default are set to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem account.

This products installs the TruePrevent package by default, which
protects the files in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
process
b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
%ProgramFiles%\panda security\panda <product>\firewall\PSHOST.EXE
%ProgramFiles%\Panda Security\Panda <product>\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda <product>\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda <product>\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda <product>\PskSvc.exe
%ProgramFiles%\Panda Security\Panda <product>\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda <product>\TPSrv.exe


4. Panda Antivirus for Netbooks
+------------------------------

During installation of the Panda Antivirus for Netbooks the
permissions for installation folder

%ProgramFiles%\panda security\Panda Antivirus for Netbooks\

by default are set to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem account.

This product installs the TruePrevent package by default, which protects
the files in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
process
b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

This product was not patched like the other 2010 products, so the
the following vulnerability already exists:

http://www.securityfocus.com/bid/36897

TruePrevent bypass: It can be bypassed using "Open" dialog in
"Quarantine" -> Add file" functionality.

Executable started as services:
+------------------------------
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PskSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\TPSrv.exe



Proof of Concept :
==================

#include <windows.h>
#include <stdio.h>

INT main( VOID )
{
CHAR szWinDir[ _MAX_PATH ];
CHAR szCmdLine[ _MAX_PATH ];

GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );

wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123
/add", szWinDir );

system( szCmdLine );

printf( "Adding user \"owner\" to the local Administrators group...\n" );

wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators
owner /add", szWinDir );

system( szCmdLine );

return 0;
}



Solution:
=========

Home User Products:
+------------------

Panda Advisory
http://www.pandasecurity.com/homeusers/support/card?id=80173&idIdioma=2

Panda Global Protection 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PGP10/hfgp30906s22_r4.exe

Panda Internet Security 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PIS10/hfp150906s25_r1.exe

Panda Antivirus Pro 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PAVPro10/hft90906s21_r1.exe


Business Products:
+-----------------

Panda Advisory
http://www.pandasecurity.com/enterprise/support/card?id=40061&idIdioma=2

32Bit Version of Panda Security for Desktops/File Servers Hotfix
http://www.pandasecurity.com/resources/sop/AS0404/CSS_x86_SecurityFix.exe

64Bit Version of Panda Security for Desktops/File Servers Hotfix
http://www.pandasecurity.com/resources/sop/AS0404/CSS_x64_SecurityFix.exe



Disclosure Timeline (YYYY/MM/DD):
=================================

2008.02.??: Vulnerability found
2008.02.??: Reported to Vendor (no response)
2009.11.28: Tested the current versions and update this advisory
2009.11.30: Asked vendor for a PGP Key
2009.11.30: Vendor sent PGP Key
2009.11.30: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2009.12.17) to Vendor
2009.11.30: Vendor acknowledges the reception of the advisory
2009.12.15: Ask for a status update, because the planned release date is
2009.12.17.
2009.12.15: Panda Security Response Team informs me that they are
working on a fix and will give me a hotfix publishing date
tomorrow.
2009.12.16: Panda Security Response Team informs me that they need a few
more days to prepare the Hotfix publishing.
2009.12.17: Changed release date to 2009.12.23.
2009.12.21: Asked for a list of affected products
2009.12.21: Got a list with affected products and a the wish to delay
the release to the 2009.12.24.
2009.12.21: Changed release date to 2009.12.24.
2009.12.23: Asked for a list of affected products for the corporate
suites which was not part of the previously provides list.
[No response]
2010.01.04: Ask for a status update, because there is no advisory
published and i didn't got a response to my last mail.
2010.01.05: Panda send me the Link to there advisory (Home User
Products)
2010.01.05: Asked if the corporate products are patched.
[No response]
2010.01.07: Informed Panda, that i will release the Advisory on
2010.01.08
[No response]
2010.01.09: Release of Advisory draft Version 1
2010.01.11: Panda Security Response Team informs me that they didn't
published a Hotfix for the Corporate Products.
2010.01.20: Panda published the Advisory and Hotfix for the Corporate
Products
2010.01.20: Release of Advisory draft Version 2








Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close