
| Subject: | [UNIX] Panda Platinum Internet Security 2006/2007 Multiple Vulnerabilities |
|---|---|
| Date: | 10 Sep 2006 14:33:20 +0200 |

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Panda Platinum Internet Security 2006/2007 Multiple Vulnerabilities
------------------------------------------------------------------------

SUMMARY

"Panda Platinum Internet Security 2006/2007 is Internet security suite (Antivirus, Personal Firewall, Antispam) from Panda Software". There is a local privilege escalation and a filter bypass vulnerability in Panda Platinum Internet Security.

DETAILS

Vulnerable Systems:
 * Panda Platinum Internet Security 2006 10.02.01
 * Panda Platinum Internet Security 2007 11.00.00
 * Panda Antivirus was not tested

Introduction:
Panda Platinum Internet Security 2006/2007 is an Internet security suite (Antivirus, Personal Firewall, Antispam) from Panda Software.

Description:
1. Insecure file permissions allow an unprivileged local user to obtain system-level access or access to the account of another logged-on user.
2. Insecure design of the SPAM filtering control engine allows a remote attacker to control the Bayesian self-learning SPAM filtering process from a malicious Web page.

Details:
1. During installation of Panda Platinum Internet Security 2006/2007, permissions for the installation folder

   %ProgramFiles%\Panda Software\Panda Platinum 2006 Internet Security\
   or
   %ProgramFiles%\Panda Software\Panda Platinum 2007 Internet Security\

   are set by default to Everyone:Full Control without any warning. A few services (e.g. WebProxy.exe for Platinum 2006 or PAVSRV51.EXE for Platinum 2007) are started from this folder. The services run under the LocalSystem account, and the service files are not protected. An unprivileged user can replace a service executable with a file of his choice to get full access with LocalSystem privileges, or to get the privileges of any user (including the system administrator) who logs on to the vulnerable host. This can be exploited as easily as:

   a. Rename WebProxy.exe (for Platinum 2006, or another service for Platinum 2007, because under 2007 WebProxy.exe is not executed as a service) to WebProxy.old in the Panda folder
   b. Copy any application to WebProxy.exe
   c. Reboot

   Upon reboot the trojaned application will be executed under the LocalSystem account.

2. To manage SPAM filtering for messages received with POP3, Panda starts a Web server on the interface 127.0.0.1, port 6083, and adds text like:

   Text inserted by Platinum 2007:
   This message has NOT been classified as spam. If it is unsolicited mail (spam), click on the following link to reclassify it: http://127.0.0.1:6083/Panda?ID=pav_8&SPAM=true

   By clicking the link the user can classify the message as spam or not. The ID=pav_XXX parameter contains the ID of the message, where XXX is a sequential message number. On reply, this text is not filtered or erased.

   First, it leaks information about the user's correspondence flow. Second, it's possible for a malicious Web page to use something like

   [IMG SRC="http://127.0.0.1:6083/Panda?ID=pav_8&SPAM=true"]
   [IMG SRC="http://127.0.0.1:6083/Panda?ID=pav_9&SPAM=true"]
   [IMG SRC="http://127.0.0.1:6083/Panda?ID=pav_10&SPAM=true"]

   This will cause messages to be incorrectly classified as SPAM and will lead to unpredictable filter behavior. There is no way to flush the Bayesian filter state.

Vendor Status:
11.08.2006 Panda Software was contacted via support@pandasoftware.com, secure@pandasoftware.com, security@pandasoftware.com, support@viruslab.ru
15.08.2006 support@viruslab.ru (Panda Software Russia) was contacted in Russian
16.08.2006 Response from Panda Software Russia
16.08.2006 Additional details sent to Panda Software Russia
17.08.2006 Panda Software launches Panda Internet Security 2007 which suffers from the same vulnerabilities

References:
1. Ecc 1:18

ADDITIONAL INFORMATION

The information has been provided by 3APA3A <mailto:3APA3A@security.nnov.ru>.
For the original advisory please visit: http://www.security.nnov.ru/advisories/pandais.asp
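
An audit for the first issue (a folder holding LocalSystem service binaries that broad groups can write to), as an added example that is not part of the original advisory. It assumes the folder's security descriptor has been exported as an SDDL string, for instance with `(Get-Acl <dir>).Sddl`; the SDDL values and the second folder name are constructed sample data.

```python
import re

# SDDL SID aliases for broad, unprivileged principals.
BROAD_SIDS = {"WD": "Everyone", "AU": "Authenticated Users",
              "BU": "BUILTIN\\Users", "IU": "INTERACTIVE"}
# Rights tokens that allow replacing a file or rewriting its ACL.
# In the rights field WD means WRITE_DAC (not Everyone) and SD means DELETE.
WRITE_TOKENS = {"FA", "GA", "FW", "GW", "WD", "WO", "SD"}
# The same rights as access-mask bits, for ACEs written in hex.
WRITE_BITS = (0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000
              | 0x40000000 | 0x10000000)

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")
ACE_RE = re.compile(r"\(([^()]*)\)")

def grants_write(rights):
    """True if an SDDL rights field includes a write-capable right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_BITS)
    return any(rights[i:i + 2] in WRITE_TOKENS
               for i in range(0, len(rights), 2))

def risky_aces(sddl):
    """Return (principal, rights) for allow ACEs that let broad groups write."""
    dacl = DACL_RE.search(sddl)
    if not dacl:
        return []
    findings = []
    for ace in ACE_RE.findall(dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":
            continue  # skip deny, audit and malformed entries
        _type, _flags, rights, _obj, _inh, sid = fields[:6]
        if sid in BROAD_SIDS and grants_write(rights):
            findings.append((BROAD_SIDS[sid], rights))
    return findings

# Constructed sample data. The first entry mirrors the Everyone:Full Control
# default described in the advisory; the second is a hypothetical folder
# where only SYSTEM and Administrators can write.
SAMPLES = {
    r"%ProgramFiles%\Panda Software\Panda Platinum 2006 Internet Security":
        "O:BAG:SYD:(A;OICI;FA;;;WD)",
    r"%ProgramFiles%\Example Vendor\Hardened Service":
        "O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)",
}

def audit(dirs):
    """Map each folder to its risky ACEs; an empty list means none found."""
    return {path: risky_aces(sddl) for path, sddl in dirs.items()}
```

Conditional ACEs, which nest parentheses, are outside what this parser handles.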
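
For the second issue, one way a local reclassification endpoint can refuse requests built from guessable sequential IDs, as an added example that is not Panda's code. The `ReclassifyLinks` class and its methods are hypothetical; only the URL form comes from the advisory.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "http://127.0.0.1:6083/Panda"  # endpoint quoted in the advisory


class ReclassifyLinks:
    """Issues and checks per-message links (hypothetical design)."""

    def __init__(self):
        self._messages = {}  # random token -> internal message number

    def issue(self, msg_no, spam=True):
        """Return the link to insert into message number msg_no."""
        # 128 random bits: not derivable from msg_no, so the link neither
        # reveals how many messages were received nor can it be guessed.
        token = secrets.token_urlsafe(16)
        self._messages[token] = msg_no
        query = urlencode({"ID": token, "SPAM": "true" if spam else "false"})
        return f"{BASE}?{query}"

    def handle(self, url):
        """Return (msg_no, is_spam) for a valid request, else None."""
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        token = query.get("ID", [""])[0]
        verdict = query.get("SPAM", [""])[0]
        if parts.path != "/Panda" or verdict not in ("true", "false"):
            return None
        msg_no = self._messages.get(token)
        if msg_no is None:
            return None  # unknown ID: the filter state is left untouched
        return msg_no, verdict == "true"


# Requests in the sequential form quoted in the advisory (constructed input).
SEQUENTIAL = [f"{BASE}?ID=pav_{n}&SPAM=true" for n in (8, 9, 10)]


def demo():
    """Handle one issued link and the three sequential-ID requests."""
    links = ReclassifyLinks()
    genuine = links.issue(8)
    return links.handle(genuine), [links.handle(u) for u in SEQUENTIAL]
```

The inserted link still has to be stripped from outgoing replies, since the token travels with the quoted text.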