Panda Global Security 17.0.1 Unquoted Service Path

2018-03-08T00:00:00
ID PACKETSTORM:146707
Type packetstorm
Reporter Felipe Xavier Oliveira
Modified 2018-03-08T00:00:00

Description

                                        
                                            `=====[ Tempest Security Intelligence - ADV-18/2018 ]===  
  
Panda Global Security 17.0.1 - Unquoted service path  
-------------------------------------------------------  
Author:  
- Filipe Xavier Oliveira: < filipe.xavier () tempest.com.br  
  
=====[ Table of Contents  
]=====================================================  
  
* Overview  
* Detailed description  
* Timeline of disclosure  
* Thanks & Acknowledgements  
* References  
  
=====[ Overview  
]==============================================================  
  
* System affected : Panda Global Security [1]  
* Software Version : 17.0.1. Other versions or models may also be affected.  
* Impact : Allow an authorized but non-privileged local user to execute  
arbitrary code with elevated privileges on the system. If an attacker  
could copy a malicious file and place it on, for example, into the root  
directory. This would cause windows to run the malicious executable in  
the user context of the service account at the next service start.  
  
=====[ Detailed description  
]==================================================  
  
Unquoted Windows search path vulnerability in the "panda_url_filtering"  
service in Panda Global Protection 17.0.1 allows local users to gain  
privileges via a malicious artefact.  
------------------------------------------  
C:\windows\system32>sc qc panda_url_filtering  
SERVICE_NAME: panda_url_filtering  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files\Panda Security URL Filtering\Panda  
_URL_Filteringb.exe --  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : panda_url_filtering Service  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
=====[ Timeline of disclosure  
]===============================================  
  
26/01/2018 - Vendor was informed of the vulnerability.  
01/26/2018 - CVE assigned [2]  
02/05/2018 - Vendor did not respond.  
03/06/2018 - Advisory publication date.  
  
=====[ Thanks & Acknowledgements  
]============================================  
  
- Tempest Security Intelligence / Tempest's Pentest Team [3]  
  
  
=====[ References  
]===========================================================  
  
[1] - https://www.pandasecurity.com  
[2] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6321  
[3] - http://www.tempest.com.br/  
  
--   
Filipe Oliveira  
Tempest Security Intelligence  
  
  
  
`