Panda Platinum Internet Security privilege escalation / bayesian filter control security vulnerabilities

2006.09.12
Risk: High
Local: Yes
Remote: Yes
CWE: N/A

Noise: We have more and more applications to secure our networks. Does it mean networks become more and more secure? No, there is a limit, because _any_ application has vulnerabilities. For in much security is much grief: and he that increaseth code increaseth bugs [1].

Title: Panda Platinum Internet Security 2006/2007 privilege escalation and bayesian filter control security vulnerabilities
Author: 3APA3A <3APA3A (at) security.nnov (dot) ru [email concealed]>
http://www.security.nnov.ru/
Vendor: Panda Software
Product: Panda Platinum Internet Security 2006 10.02.01
         Panda Platinum Internet Security 2007 11.00.00
         Panda Antivirus was not tested
Category: 1. Local, privilege escalation (insecure file permissions)
          2. Remote, against client (bayesian filter control)
Rating: High (privilege escalation)
        Low (bayesian filter control)
Advisory: http://www.security.nnov.ru/advisories/pandais.asp

Intro:
Panda Platinum Internet Security 2006/2007 is an Internet security suite (Antivirus, Personal Firewall, Antispam) from Panda Software.

Vulnerability:
1. Insecure file permissions allow an unprivileged local user to obtain system-level access or access to the account of another logged-on user.
2. Insecure design of the SPAM filtering control engine allows a remote attacker to control the bayesian self-learning SPAM filtering process from a malicious Web page.

Details:
1. During installation of Panda Platinum Internet Security 2006/2007, permissions for the installation folder %ProgramFiles%\Panda Software\Panda Platinum 2006 Internet Security\ or %ProgramFiles%\Panda Software\Panda Platinum 2007 Internet Security\ are by default set to Everyone:Full Control without any warning. A few services (e.g. WebProxy.exe for Platinum 2006 or PAVSRV51.EXE for Platinum 2007) are started from this folder. The services run under the LocalSystem account. There is no protection of the service files.
It's possible for an unprivileged user to replace a service executable with a file of his choice to get full access with LocalSystem privileges, or to get the privileges of any user (including the system administrator) who logs on to the vulnerable host. This can be exploited as easily as:

a. Rename WebProxy.exe (for Platinum 2006; for Platinum 2007 another service, because under 2007 WebProxy.exe is not executed as a service) to WebProxy.old in the Panda folder
b. Copy any application to WebProxy.exe
c. Reboot

Upon reboot the trojaned application will be executed under the LocalSystem account.

2. To manage SPAM filtering for messages received with POP3, Panda starts a Web server on interface 127.0.0.1, port 6083, and adds text like

---------------------------------------------------------------------------------------------------
Text inserted by Platinum 2007:
This message has NOT been classified as spam. If it is unsolicited mail (spam), click on the following link to reclassify it: http://127.0.0.1:6083/Panda?ID=pav_8&SPAM=true
---------------------------------------------------------------------------------------------------

By clicking the link the user can classify the message as spam or not. The ID=pav_XXX parameter contains the ID of the message, where XXX is the sequential message number. On reply, this message is not filtered or erased.

First, it leaks information about the correspondence flow the user has. Second, it's possible for a malicious Web page to use something like

[IMG SRC="http://127.0.0.1:6083/Panda?ID=pav_8&SPAM=true"]
[IMG SRC="http://127.0.0.1:6083/Panda?ID=pav_9&SPAM=true"]
[IMG SRC="http://127.0.0.1:6083/Panda?ID=pav_10&SPAM=true"]

It will cause incorrect classification of messages as SPAM and will lead to unpredictable filter behavior. There is no way to flush the bayesian filter state.
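A defender-side audit for the permission problem in item 1, added here as an example and not part of the advisory or of Panda's software: it parses icacls-style output for the install folder and reports every grant that lets any local user replace files there. The sample ACL listings are constructed, icacls postdates the 2006 product (cacls output is formatted differently), and names such as writable_by_everyone are this example's own.

```python
import re

# Principals whose grants reach every local user (compared lower-cased).
BROAD_PRINCIPALS = {
    "everyone", "builtin\\users", "users",
    "nt authority\\authenticated users", "authenticated users",
}
# icacls rights that allow replacing or rewriting a file: full, modify, write,
# generic write/all, delete, and the specific write/delete/ownership rights.
WRITE_RIGHTS = {"F", "M", "W", "GW", "GA", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
# Inheritance flags share the parentheses with rights but are not rights.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

def parse_icacls(path, output):
    """Parse `icacls <path>` output into [(principal, is_deny, {rights})]."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first line carries the path itself
        principal, _, rights = line.partition(":")
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", rights) for t in grp.split(",") if t]
        is_deny = "DENY" in tokens
        aces.append((principal.strip(), is_deny, {t for t in tokens if t not in INHERIT_FLAGS and t != "DENY"}))
    return aces

def writable_by_everyone(path, output):
    """Return [(principal, [write rights])] for grants that let any local user modify `path`."""
    return [(p, sorted(r & WRITE_RIGHTS)) for p, deny, r in parse_icacls(path, output)
            if not deny and p.lower() in BROAD_PRINCIPALS and r & WRITE_RIGHTS]

# Constructed sample: the install folder left at Everyone:Full Control, as the advisory describes.
PANDA_DIR = r"C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security"
WEAK_ACL = PANDA_DIR + r""" Everyone:(OI)(CI)(F)
                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed sample after tightening: users may read and execute but not write.
FIXED_ACL = PANDA_DIR + r""" NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                BUILTIN\Administrators:(OI)(CI)(F)
                BUILTIN\Users:(OI)(CI)(RX)
"""
if __name__ == "__main__":
    print(writable_by_everyone(PANDA_DIR, WEAK_ACL))   # [('Everyone', ['F'])]
    print(writable_by_everyone(PANDA_DIR, FIXED_ACL))  # []
```

The tightened listing corresponds to removing the broad grant and leaving Users with read/execute only (for example `icacls "<install dir>" /remove:g Everyone /grant:r "Users:(OI)(CI)RX"`), which is what an installer should have set in the first place for a folder that LocalSystem services run from.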
Vendor:
11.08.2006 Panda Software was contacted via support (at) pandasoftware (dot) com [email concealed], secure (at) pandasoftware (dot) com [email concealed], security (at) pandasoftware (dot) com [email concealed], support (at) viruslab (dot) ru [email concealed]
15.08.2006 support (at) viruslab (dot) ru [email concealed] (Panda Software Russia) was contacted in Russian
16.08.2006 Response from Panda Software Russia
16.08.2006 Additional details sent to Panda Software Russia
17.08.2006 Panda Software launches Panda Internet Security 2007, which suffers from the same vulnerabilities

References:
1. Ecc 1:18

--
http://www.security.nnov.ru
3APA3A (ZARAZA)
You know my name - look up my number (The Beatles)


Copyright 2017, cxsecurity.com