
security\panda

[UPDATE] NSOADV-2010-001: Panda Security Local Privilege Escalation

                          -Panda Internet Security 2009
                          -Panda Antivirus Pro 2009
                          -Panda Internet Security 2008
                          -Panda Antivirus + Firewall 2008
                          -Panda Platinum 2007 Internet Security
                          -Panda Platinum 2006 Internet Security

  Affected Component:     Corporate Products:
                          -Panda Security for Desktops 4.05.10
                          -Panda Security for File Servers 8.04.10


NSOADV-2010-001: Panda Security Local Privilege Escalation

                          -Panda Internet Security 2009
                          -Panda Antivirus Pro 2009
                          -Panda Internet Security 2008
                          -Panda Antivirus + Firewall 2008
                          -Panda Platinum 2007 Internet Security
                          -Panda Platinum 2006 Internet Security

  Affected Component:     Corporate Products:
                          -Panda Security for Desktops 4.05.10
                          -Panda Security for File Servers 8.04.10


RE: Panda Antivirus 2008 Local Privilege Escalation (UPS they did it again)

Description:
------------

1. During installation of Panda Antivirus 2008 the permissions for
installation folder %ProgramFiles%\Panda Security\Panda Antivirus 2008\
by default are set to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem account. There is no protection of service files. It's

{PRL} Multiple Panda Security Products Local Privilege Escalation Vulnerability

All files under the install folder have Full control access for everyone and can be replaced with malicious files.

... snip ...

C:\Program Files\Panda Security\Panda Global Protection 2010\PavFnSvr.exe Everyone:F

... snip ...

C:\>WHOAMI.EXE
FUZZYXP\test

Re: {PRL} Multiple Panda Security Products Local Privilege Escalation Vulnerability

PRL> All files under the install folder have Full control access
PRL> for everyone and can be replaced with malicious files.

PRL> ... snip ...

PRL> C:\Program Files\Panda Security\Panda Global Protection 2010\PavFnSvr.exe Everyone:F

PRL> ... snip ...

PRL> C:\>WHOAMI.EXE
PRL> FUZZYXP\test

Panda Antivirus 2008 Local Privilege Escalation (UPS they did it again)

Description:
------------

1. During installation of Panda Antivirus 2008 the permissions for
installation folder %ProgramFiles%\Panda Security\Panda Antivirus 2008\
by default are set to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem account. There is no protection of service files. It's
possible for unprivileged user to replace service executable with the
file of his choice to get full access with LocalSystem privileges. Or to

Panda Security Software Local Privilege Escalation

DETAILS

Panda installs its own program files with insecure permissions (Everyone: Full Control). A local attacker (unprivileged user) can replace some files (for example, executable files of Panda services) with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.
For example, in Panda Antivirus Pro 2010 the following attack scenario could be used:

1. An attacker (unprivileged user) replaces one of the Panda Antivirus program files with a malicious executable file. For example, the file to replace could be %Program Files%\Panda Security\Panda Antivirus Pro 2010\TPSrv.exe (Panda TPSrv service).

2. Restart the system.

After the restart, the attacker's malicious file will be executed with SYSTEM privileges. Self-defense of Panda Antivirus will prevent all operations with Panda program files. It can be bypassed using the "Open" dialog in the "Quarantine -> Add file" functionality.




Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
