Vigil@nce: Panda, privilege elevation
January 2010 by Vigil@nce
A local attacker can obtain LocalSystem privileges by creating a
Trojan horse in the installation directory of Panda products.
– Severity: 2/4
– Consequences: administrator access/rights
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: unique source (2/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 11/01/2010
IMPACTED PRODUCTS
– Panda Antivirus
– Panda Internet Security
DESCRIPTION OF THE VULNERABILITY
Panda products install their files under the following directories:
%ProgramFiles%\Panda Security\Panda xyz\
%ProgramFiles%\Panda Software\AVNT\
%ProgramFiles%\Panda Software\AVTC\
However, Panda adds an "Everyone:Full Control" ACL on these
directories. An attacker can therefore replace files contained in
these directories. For example, the attacker can replace programs
(PavFnSvr.exe, PavSrv51.exe, PavSrvX86.exe, PsCtrlS.exe,
PSHost.exe, PskSvc.exe, PskMsSvc.exe, PsImSvc.exe, TPSrv.exe)
which are started as services, with LocalSystem privileges.
The TruePrevent service forbids these modifications. However, this
service is disabled when the system is booted in Safe Mode.
A local attacker can therefore restart the system in Safe Mode,
and then replace Panda files, in order to obtain LocalSystem
privileges.
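The check below is an added example, not part of the Vigil@nce bulletin or of Panda's software: a PowerShell audit that reports whether the installation directories listed above grant write-capable rights to broad groups. The wildcard standing in for the "Panda xyz" folder, the function name and the set of groups treated as broad are assumptions.

```powershell
# Added audit example. Directories are the ones named in the advisory; the
# wildcard replaces the product folder the advisory writes as "Panda xyz".
$installDirs = @(
    (Join-Path $env:ProgramFiles 'Panda Security\*'),
    (Join-Path $env:ProgramFiles 'Panda Software\AVNT'),
    (Join-Path $env:ProgramFiles 'Panda Software\AVTC')
)

# Well-known SIDs treated as "broad" (assumption):
# Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Specific rights that allow planting or replacing a file, or rewriting the ACL.
# Read-only bits are left out so a plain "Read & execute" ACE is not reported.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# ACEs can also carry raw generic rights: GENERIC_ALL and GENERIC_WRITE.
$genericMask = 0x10000000 -bor 0x40000000

function Get-WeakInstallAcl {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($dir in (Get-Item -Path $Path -ErrorAction SilentlyContinue)) {
        if (-not $dir.PSIsContainer) { continue }
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Ask for SIDs directly so localized or unresolvable names do not matter.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadSids -notcontains $ace.IdentityReference.Value) { continue }
            $bits = [int]$ace.FileSystemRights
            if (($bits -band $writeMask) -or ($bits -band $genericMask)) {
                [pscustomobject]@{
                    Directory = $dir.FullName
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Any row returned is a directory where a non-administrative user can modify files.
Get-WeakInstallAcl -Path $installDirs | Format-Table -AutoSize
```

An empty result means none of the directories that exist on the host grant these rights to the listed groups; directories that are absent are skipped silently.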
CHARACTERISTICS
– Identifiers: 20100111 80173 EN, NSOADV-2010-001, VIGILANCE-VUL-9331
– Url: http://vigilance.fr/vulnerability/Panda-privilege-elevation-9331