Panda Security Software Local Privilege Escalation
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Panda Security Software Local Privilege Escalation
- From: ss_contacts@xxxxxxxxxxx (Maxim A. Kulakov)
- Date: 11 Nov 2009 14:26:29 -0000
ShineShadow Security Report 11112009-14
TITLE
Panda Security Software Local Privilege Escalation
BACKGROUND
Panda Security is a global leading provider of IT security solutions, with
millions of clients in more than 200 countries and products available in 23
languages. Our mission is to develop and supply global security solutions to
keep our clients' IT resources safe from the damage inflicted by viruses,
intruders and other Internet threats at the lowest possible Total Cost of
Ownership. Panda Security proposes a new security model, specially designed to
firmly combat new types of cyber-crime. This results in technologies and
products with much greater detection and efficiency rates than the market
average, providing a higher level of security to our users.
Source: http://www.pandasecurity.com
VULNERABLE PRODUCTS
Panda Antivirus Pro 2010 (9.01.00)
Panda Internet Security 2010 (15.01.00)
Panda Total Protection 2010 (3.01.00)
Prior versions may also be affected.
DETAILS
Panda installs its own program files with insecure permissions (Everyone: Full
Control). A local attacker (unprivileged user) can replace some files (for
example, the executable files of Panda services) with a malicious file and
execute arbitrary code with SYSTEM privileges. This is a local privilege
escalation vulnerability.
For example, in Panda Antivirus Pro 2010 the following attack scenario could be
used:
1. An attacker (unprivileged user) replaces one of the Panda Antivirus program
files with a malicious executable file. For example, the replaced file could be
%Program Files%\Panda Security\Panda Antivirus Pro 2010\TPSrv.exe (Panda TPSrv
service).
2. Restart the system.
After the restart, the attacker's malicious file will be executed with SYSTEM
privileges.
The self-defense of Panda Antivirus prevents all operations on Panda program
files. It can be bypassed using the "Open" dialog in the "Quarantine -> Add
file" functionality.
For other vulnerable Panda products a similar attack scenario could be used.
EXPLOITATION
An attacker must have local access and valid logon credentials to a system
where vulnerable software is installed.
WORKAROUND
Panda Security has developed hotfixes to resolve the vulnerability:
Panda Antivirus Pro 2010
http://www.pandasecurity.com/resources/sop/PAVPro10/hft90906s15_r1.exe
Panda Internet Security 2010
http://www.pandasecurity.com/resources/sop/PIS10/hfp150906s19_r1.exe
Panda Global Protection 2010
http://www.pandasecurity.com/resources/sop/PGP10/hfgp30910s1_r7.exe
More detail:
http://www.pandasecurity.com/homeusers/support/card?id=80164&idIdioma=2
The insecure permissions of Panda program files have not been fixed; the vendor
resolved the vulnerability by improving Panda self-defense. Regarding the
insecure permissions, the vendor responded as follows:
«As you correctly state this doesn't fix the underlying problem, which we are
addressing in another way in parallel and which we will fix as well».
DISCLOSURE TIMELINE
03/08/2009 Initial vendor notification. Secure contacts requested.
04/08/2009 Vendor response
06/08/2009 Vulnerability details sent. No reply.
11/08/2009 Vulnerability details sent. Confirmation requested.
13/08/2009 Vendor accepted information for analysis
31/08/2009 Update status query sent
01/09/2009 Vendor confirmed vulnerability and provided vulnerable products list
08/09/2009 Planned disclosure date was sent to vendor
30/09/2009 Vendor asked to move disclosure date to November
31/10/2009 Third party advisory regarding same vulnerability has been released:
http://www.securityfocus.com/archive/1/507615/30/0/threaded
09/11/2009 Vendor released advisory and hotfixes:
http://www.pandasecurity.com/homeusers/support/card?id=80164&idIdioma=2
11/11/2009 Coordinated disclosure. Advisory released.
CREDITS
Maxim A. Kulakov (ShineShadow)
ss_contacts[at]hotmail.com
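
ADDED EXAMPLE (not part of the original advisory, and not ShineShadow or Panda code)
Because the hotfix leaves the file permissions described under DETAILS in place, a defender may want to check for that condition directly. The PowerShell below lists Windows service executables, and the folders holding them, whose ACL grants a broad group write-level rights; the SID list, the rights mask and the function names are choices made for this example.

```powershell
# Added example (not from the advisory): flag Windows service executables, and the
# folders holding them, whose ACL lets a broad group write to or replace them.
# Well-known SIDs are used so the check does not depend on the OS display language.
$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)
# Rights that allow modifying, replacing or re-permissioning a file, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits seen on inheritable ACEs.
$Risky = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = [int]$Risky -bor 0x50000000

function Get-ServiceImagePath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; keep the executable only.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    # Ask for SIDs instead of account names; include explicit and inherited ACEs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($BroadSids -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{ Path = $Path; Sid = $rule.IdentityReference.Value; Rights = $rule.FileSystemRights }
        }
    }
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceImagePath $svc.PathName
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            Get-WeakAce $target | Select-Object @{n='Service';e={$svc.Name}},
                @{n='RunsAs';e={$svc.StartName}}, Path, Sid, Rights
        }
    }
}
```

Any row returned for a service whose RunsAs value is LocalSystem matches the condition the advisory describes and should have its ACL tightened to administrators and SYSTEM for write access.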