|
|
ShineShadow Security Report 11112009-14
TITLE
Panda Security Software Local Privilege Escalation
BACKGROUND
Panda Security is a global leading provider of IT security solutions, with millions of clients in more than 200 countries and products available in 23 languages. Our mission is to develop and supply global security solutions to keep our clients' IT resources safe from the damage inflicted by viruses, intruders and other Internet threats at the lowest possible Total Cost of Ownership. Panda Security proposes a new security model, specially designed to firmly combat new types of cyber-crime. This results in technologies and products with much greater detection and efficiency rates than the market average, providing a higher level of security to our users.
Source: http://www.pandasecurity.com
VULNERABLE PRODUCTS
Panda Antivirus Pro 2010 (9.01.00)
Panda Internet Security 2010 (15.01.00)
Panda Total Protection 2010 (3.01.00)
Prior versions may also be affected.
DETAILS
Panda installs the own program files with insecure permissions (Everyone: Full Control). Local attacker (unprivileged user) can replace some files (for example, executable files of Panda services) by malicious file and execute arbitrary code with SYSTEM privileges. This is local privilege escalation vulnerability.
For example, in Panda Antivirus Pro 2010 the following attack scenario could be used:
1. An attacker (unprivileged user) replaces one of the Panda Antivirus program files by malicious executable file. For example, the replacing file could be - %Program Files%\Panda Security\Panda Antivirus Pro 2010\TPSrv.exe (Panda TPSrv service).
2. Restart the system.
After restart attackers malicious file will be executed with SYSTEM privileges. Self-defense of Panda Antivirus will prevent all operations with Panda program files. It can be bypassed using "Open" dialog in "Quarantine -> Add file" functionality.
For other vulnerable Panda products similar attack scenario could be used.
EXPLOITATION
An attacker must have local access and valid logon credentials to a system where vulnerable software is installed.
WORKAROUND
Panda Security has developed a hotfixes to resolve the vulnerability:
Panda Antivirus Pro 2010
http://www.pandasecurity.com/resources/sop/PAVPro10/hft90906s15_r1.exe
Panda Internet Security 2010
http://www.pandasecurity.com/resources/sop/PIS10/hfp150906s19_r1.exe
Panda Global Protection 2010
http://www.pandasecurity.com/resources/sop/PGP10/hfgp30910s1_r7.exe
More detail: http://www.pandasecurity.com/homeusers/support/card?id=80164&idIdioma=2
Insecure permissions of Panda program files have not been fixed, vendor solved the vulnerability by improving of Panda self-defense. Regarding insecure permissions vendor response the following:
=ABAs you correctly state this doesn=92t fix the underlying problem, which we are addressing in another way in parallel and which we will fix as well=BB.
DISCLOSURE TIMELINE
03/08/2009 Initial vendor notification. Secure contacts requested.
04/08/2009 Vendor response
06/08/2009 Vulnerability details sent. No reply.
11/08/2009 Vulnerability details sent. Confirmation requested.
13/08/2009 Vendor accepted information for analysis
31/08/2009 Update status query sent
01/09/2009 Vendor confirmed vulnerability and provided vulnerable products list
08/09/2009 Planned disclosure date was sent to vendor
30/09/2009 Vendor asked to move disclosure date for November
31/10/2009 Third party advisory regarding same vulnerability has been released: http://www.securityfocus.com/archive/1/507615/30/0/threaded
09/11/2009 Vendor released advisory and hotfixes:
http://www.pandasecurity.com/homeusers/support/card?id=80164&idIdioma=2
11/11/2009 Coordinated disclosure. Advisory released.
CREDITS
Maxim A. Kulakov (ShineShadow)
ss_contacts[at]hotmail.com