ShineShadow Security Report 11112009-14 TITLE Panda Security Software Local Privilege Escalation BACKGROUND Panda Security is a global leading provider of IT security solutions, with millions of clients in more than 200 countries and products available in 23 languages. Our mission is to develop and supply global security solutions to keep our clients' IT resources safe from the damage inflicted by viruses, intruders and other Internet threats at the lowest possible Total Cost of Ownership. Panda Security proposes a new security model, specially designed to firmly combat new types of cyber-crime. This results in technologies and products with much greater detection and efficiency rates than the market average, providing a higher level of security to our users. Source: http://www.pandasecurity.com VULNERABLE PRODUCTS Panda Antivirus Pro 2010 (9.01.00) Panda Internet Security 2010 (15.01.00) Panda Total Protection 2010 (3.01.00) Prior versions may also be affected. DETAILS Panda installs the own program files with insecure permissions (Everyone: Full Control). Local attacker (unprivileged user) can replace some files (for example, executable files of Panda services) by malicious file and execute arbitrary code with SYSTEM privileges. This is local privilege escalation vulnerability. For example, in Panda Antivirus Pro 2010 the following attack scenario could be used: 1. An attacker (unprivileged user) replaces one of the Panda Antivirus program files by malicious executable file. For example, the replacing file could be - %Program Files%\Panda Security\Panda Antivirus Pro 2010\TPSrv.exe (Panda TPSrv service). 2. Restart the system. After restart attackers malicious file will be executed with SYSTEM privileges. Self-defense of Panda Antivirus will prevent all operations with Panda program files. It can be bypassed using "Open" dialog in "Quarantine -> Add file" functionality. For other vulnerable Panda products similar attack scenario could be used. EXPLOITATION An attacker must have local access and valid logon credentials to a system where vulnerable software is installed. WORKAROUND Panda Security has developed a hotfixes to resolve the vulnerability: Panda Antivirus Pro 2010 http://www.pandasecurity.com/resources/sop/PAVPro10/hft90906s15_r1.exe Panda Internet Security 2010 http://www.pandasecurity.com/resources/sop/PIS10/hfp150906s19_r1.exe Panda Global Protection 2010 http://www.pandasecurity.com/resources/sop/PGP10/hfgp30910s1_r7.exe More detail: http://www.pandasecurity.com/homeusers/support/card?id=80164&idIdioma=2 Insecure permissions of Panda program files have not been fixed, vendor solved the vulnerability by improving of Panda self-defense. Regarding insecure permissions vendor response the following: «As you correctly state this doesn?t fix the underlying problem, which we are addressing in another way in parallel and which we will fix as well». DISCLOSURE TIMELINE 03/08/2009 Initial vendor notification. Secure contacts requested. 04/08/2009 Vendor response 06/08/2009 Vulnerability details sent. No reply. 11/08/2009 Vulnerability details sent. Confirmation requested. 13/08/2009 Vendor accepted information for analysis 31/08/2009 Update status query sent 01/09/2009 Vendor confirmed vulnerability and provided vulnerable products list 08/09/2009 Planned disclosure date was sent to vendor 30/09/2009 Vendor asked to move disclosure date for November 31/10/2009 Third party advisory regarding same vulnerability has been released: http://www.securityfocus.com/archive/1/507615/30/0/threaded 09/11/2009 Vendor released advisory and hotfixes: http://www.pandasecurity.com/homeusers/support/card?id=80164&idIdioma=2 11/11/2009 Coordinated disclosure. Advisory released. CREDITS Maxim A. Kulakov (ShineShadow) ss_contacts[at]hotmail.com i