ShineShadow Security Report 11112009-14

TITLE

Panda Security Software Local Privilege Escalation

BACKGROUND

Panda Security is a global leading provider of IT security solutions, with millions of clients in more than 200 countries and products available in 23 languages. Our mission is to develop and supply global security solutions to keep our clients' IT resources safe from the damage inflicted by viruses, intruders and other Internet threats at the lowest possible Total Cost of Ownership. Panda Security proposes a new security model, specially designed to firmly combat new types of cyber-crime. This results in technologies and products with much greater detection and efficiency rates than the market average, providing a higher level of security to our users.

Source: http://www.pandasecurity.com

VULNERABLE PRODUCTS

Panda Antivirus Pro 2010 (9.01.00)
Panda Internet Security 2010 (15.01.00)
Panda Total Protection 2010 (3.01.00)

Prior versions may also be affected.

DETAILS

Panda installs the own program files with insecure permissions (Everyone: Full Control). Local attacker (unprivileged user) can replace some files (for example, executable files of Panda services) by malicious file and execute arbitrary code with SYSTEM privileges. This is local privilege escalation vulnerability.
For example, in Panda Antivirus Pro 2010 the following attack scenario could be used:

1. An attacker (unprivileged user) replaces one of the Panda Antivirus program files by malicious executable file. For example, the replacing file could be - %Program Files%\Panda Security\Panda Antivirus Pro 2010\TPSrv.exe (Panda TPSrv service).

2. Restart the system.

After restart attackers malicious file will be executed with SYSTEM privileges. Self-defense of Panda Antivirus will prevent all operations with Panda program files. It can be bypassed using "Open" dialog in  "Quarantine -> Add file" functionality.

For other vulnerable Panda products similar attack scenario could be used.

EXPLOITATION

An attacker must have local access and valid logon credentials to a system where vulnerable software is installed.

WORKAROUND

Panda Security has developed a hotfixes to resolve the vulnerability:

Panda Antivirus Pro 2010
http://www.pandasecurity.com/resources/sop/PAVPro10/hft90906s15_r1.exe
Panda Internet Security 2010
http://www.pandasecurity.com/resources/sop/PIS10/hfp150906s19_r1.exe
Panda Global Protection 2010
http://www.pandasecurity.com/resources/sop/PGP10/hfgp30910s1_r7.exe

More detail:  http://www.pandasecurity.com/homeusers/support/card?id=80164&idIdioma=2

Insecure permissions of Panda program files have not been fixed, vendor solved the vulnerability  by improving of Panda self-defense. Regarding insecure permissions vendor response the following:
«As you correctly state this doesn’t fix the underlying problem, which we are addressing in another way in parallel and which we will fix as well».

DISCLOSURE TIMELINE

03/08/2009 Initial vendor notification. Secure contacts requested.
04/08/2009 Vendor response 
06/08/2009 Vulnerability details sent. No reply.
11/08/2009 Vulnerability details sent. Confirmation requested.
13/08/2009 Vendor accepted information for analysis
31/08/2009 Update status query sent
01/09/2009 Vendor confirmed vulnerability and provided vulnerable products list
08/09/2009 Planned disclosure date was sent to vendor
30/09/2009 Vendor asked to move disclosure date for November
31/10/2009 Third party advisory regarding same vulnerability has been released: http://www.securityfocus.com/archive/1/507615/30/0/threaded
09/11/2009 Vendor released advisory and hotfixes:
http://www.pandasecurity.com/homeusers/support/card?id=80164&idIdioma=2
11/11/2009 Coordinated disclosure. Advisory released.

CREDITS

Maxim A. Kulakov (ShineShadow) 
ss_contacts[at]hotmail.com