Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

NSOADV-2010-001: Panda Security Local Privilege Escalation
From: NSO Research <nso-research () sotiriu de>
Date: Sat, 09 Jan 2010 16:54:08 +0100

_________________________________________
Security Advisory NSOADV-2010-001
_________________________________________
_________________________________________


  Title:                  Panda Security Local Privilege Escalation
  Severity:               Medium
  Advisory ID:            NSOADV-2010-001
  Found Date:             02.2008
  Date Reported:          30.11.2009
  Release Date:           09.01.2010
  Author:                 Nikolas Sotiriu (lofi)
  Mail:                   nso-research at sotiriu.de
  URL:                    http://sotiriu.de/adv/NSOADV-2010-001.txt
  Vendor:                 Panda Security (http://www.pandasecurity.com/)
  Affected Products:      (Self tested)
                          -Panda Security for Business 4.04.10
                          -Panda Security for Business with Exchange
                           4.04.10
                          -Panda Security for Enterprise 4.04.10
                          -Panda Internet Security 2010 (15.01.00)
                          -Panda Global Protection 2010 (3.01.00)
                          -Panda Antivirus Pro 2010 (9.01.00)
                          -Panda Antivirus for Netbooks (9.01.00)

                          (Provided by Panda)
                          -Panda Global Protection 2009
                          -Panda Internet Security 2009
                          -Panda Antivirus Pro 2009
                          -Panda Internet Security 2008
                          -Panda Antivirus + Firewall 2008
                          -Panda Platinum 2007 Internet Security
                          -Panda Platinum 2006 Internet Security

  Affected Component:     Corporate Products:
                          -Panda Security for Desktops 4.05.10
                          -Panda Security for File Servers 8.04.10

  Remote Exploitable:     No
  Local Exploitable:      Yes
  Patch Status:           Vendor released a patch (See Solution)
  Discovered by:          Nikolas Sotiriu
  Disclosure Policy:      http://sotiriu.de/policy.html
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy



Background:
===========

Panda Security for <Product> is the security solution for companies that
need to protect their networks, mainly workstations and file servers.
Panda Security for Business is centrally managed thanks to the
AdminSecure Console, which allows monitoring the entire network,
protecting your critical assets against all types of threats and
optimizing productivity.

(Product description from Panda Website)

This vulnerability is similar to the following vulnerabilities in Panda
products, which where discovered earlier:

Sep 07 2006 3APA3A: http://www.securityfocus.com/bid/19891
Aug 02 2007 tarkus: http://www.securityfocus.com/bid/25186
Oct 31 2009 Protek: http://www.securityfocus.com/archive/1/507615
Nov 02 2009 Maxim:  http://www.securityfocus.com/bid/36897

The earlier reported vulnerabilities only affected the Home user
products. But the business products had the same bug.

More interesting is, that Panda failed since 2006 each year by
releasing the new version with the same old bug.



Description:
============

1. 32Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During  installation  of  Panda Security for Desktops/File Servers the
permissions for installation folder

%ProgramFiles%\Panda Software\AVTC\

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem  account.

The 32bit Version of Panda Security  for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

    a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
       process
    b. Rename  PAVSRV51.exe to PAVSRV51.old in Panda folder
    c. Copy any application to PAVSRV51.exe
    d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only)
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\TPSrv.exe


2. 64Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During  installation  of  Panda Security for Desktops/File Servers the
permissions for installation folder

%ProgramFiles%\Panda Software\AVTC\

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PavSrvx86.EXE) are started from this folder. Services are started
under LocalSystem  account.

In the 64bit Version of Panda Security  for Desktops/File Servers is no
TruePrevent package available, which protects the files in the
installation directory from manipulation.

There is no protection of service files. It's possible for unprivileged
user to replace service executable with the file of his choice to get
full access with LocalSystem privileges.

This can be exploited by:

    a. Rename  PavSrvX86.exe to PavSrvX86.old in Panda folder
    b. Copy any application to PavSrvX86.exe
    c. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PavSrvX86.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsImSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PskSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsCtrlS.exe


3. Panda Internet Security/Global Protection/Antivirus Pro 20XX
+-----------------------------------------------------------------------

During  installation  of the Panda Security 20XX Products the
permissions for installation folder

%ProgramFiles%\panda security\panda <product>\

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem  account.

This products installs the TruePrevent package by default, which
protects the files in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

    a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
       process
    b. Rename  PAVSRV51.exe to PAVSRV51.old in Panda folder
    c. Copy any application to PAVSRV51.exe
    d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
%ProgramFiles%\panda security\panda <product>\firewall\PSHOST.EXE
%ProgramFiles%\Panda Security\Panda <product>\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda <product>\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda <product>\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda <product>\PskSvc.exe
%ProgramFiles%\Panda Security\Panda <product>\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda <product>\TPSrv.exe


4. Panda Antivirus for Netbooks
+------------------------------

During  installation  of the Panda Antivirus for Netbooks the
permissions for installation folder

%ProgramFiles%\panda security\Panda Antivirus for Netbooks\

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem  account.

This product installs the TruePrevent package by default, which protects
the files in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

    a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
       process
    b. Rename  PAVSRV51.exe to PAVSRV51.old in Panda folder
    c. Copy any application to PAVSRV51.exe
    d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

This product was not patched like the other 2010 products, so the
the following vulnerability already exists:

http://www.securityfocus.com/bid/36897

TruePrevent bypass: It can be bypassed using "Open" dialog in
"Quarantine" -> Add file" functionality.

Executable started as services:
+------------------------------
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PskSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\TPSrv.exe



Proof of Concept :
==================

#include <windows.h>
#include <stdio.h>

INT main( VOID )
{
CHAR szWinDir[ _MAX_PATH ];
CHAR szCmdLine[ _MAX_PATH ];

GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );

wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123
/add", szWinDir );

system( szCmdLine );

printf( "Adding user \"owner\" to the local Administrators group...\n" );

wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators
owner /add", szWinDir );

system( szCmdLine );

return 0;
}



Solution:
=========

Home User Products:
+------------------

Panda Advisory
http://www.pandasecurity.com/homeusers/support/card?id=80173&idIdioma=2

Panda Global Protection 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PGP10/hfgp30906s22_r4.exe

Panda Internet Security 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PIS10/hfp150906s25_r1.exe

Panda Antivirus Pro 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PAVPro10/hft90906s21_r1.exe


Business Products:
+-----------------

Not provided by Panda



Disclosure Timeline (YYYY/MM/DD):
=================================

2008.02.??: Vulnerability found
2008.02.??: Reported to Vendor (no response)
2009.11.28: Tested the current versions and update this advisory
2009.11.30: Asked vendor for a PGP Key
2009.11.30: Vendor sent PGP Key
2009.11.30: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2009.12.17) to Vendor
2009.11.30: Vendor acknowledges the reception of the advisory
2009.12.15: Ask for a status update, because the planned release date is
            2009.12.17.
2009.12.15: Panda Security Response Team informs me that they are
            working on a fix and will give me a hotfix publishing date
            tomorrow.
2009.12.16: Panda Security Response Team informs me that they need a few
            more days to prepare the Hotfix publishing.
2009.12.17: Changed release date to 2009.12.23.
2009.12.21: Asked for a list of affected products
2009.12.21: Got a list with affected products and a the wish to delay
            the release to the 2009.12.24.
2009.12.21: Changed release date to 2009.12.24.
2009.12.23: Asked for a list of affected products for the corporate
            suites which was not part of the previously provides list.
            [No response]
2010.01.04: Ask for a status update, because there is no advisory
            published and i didn't got a response to my last mail.
2010.01.05: Panda send me the Link to there advisory (Home User
            Products)
2010.01.05: Asked if the corporate products are patched.
            [No response]
2010.01.07: Informed Panda, that i will release the Advisory on
            2010.01.08
            [No response]
2010.01.09: Release of this Advisory










_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • NSOADV-2010-001: Panda Security Local Privilege Escalation NSO Research (Jan 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault