Информационная безопасность
[RU] switch to English

Дополнительная информация

  Многочисленные уязвимости в Panda Internet Security (multiple bugs)

  Panda Antivirus 2008 Local Privileg Escalation (UPS they did it again)

  Re: SECURITY.NNOV: Panda Platinum Internet Security privilege escalation / bayesian filter control security vulnerabilities

From:3APA3A <3APA3A_(at)_security.nnov.ru>
Date:7 сентября 2006 г.
Subject:SECURITY.NNOV: Panda Platinum Internet Security privilege escalation / bayesian filter control security vulnerabilities


We  have more and more application to secure our networks. Does it means
network  becomes  more  and  more  secure? No, there is a limit. Because
_any_  application  has  vulnerabilities.  For  in much security is much
grief: and he that increaseth code increaseth bugs [1].

Title:       Panda Platinum Internet Security 2006/2007 privilege escalation
            and bayesian filter control security vulnerabilities
Author:      3APA3A <[email protected]>
Vendor:      Panda Software
Product:     Panda Platinum Internet Security 2006 10.02.01
            Panda Platinum Internet Security 2007 11.00.00
            Panda Antivirus was not tested
            1. Local, privilege escalation (insecure file
            2. Remote, against client (bayesian filter control)
Rating:      High (privilege escalation)
            Low (bayesian filter control)
Advisory:    http://www.security.nnov.ru/advisories/pandais.asp


Panda  Platinum  Internet  Security 2006/2007 is Internet security suite
(Antivirus, Personal Firewall, Antispam) from Panda Software.


1.  Insecure  file  permissions  allow unprivileged local user to obtain
system-level access or access to account of another logged on user.
2.  Insecure  design  of  SPAM  filtering  control  engine allows remote
attacker  to  control  bayesian self leaning SPAM filtering process from
malicious Web page.


1.  During  installation  of  Panda Platinum Internet Security 2006/2007
permissions for installation folder
%ProgramFiles%\Panda Software\Panda Platinum 2006 Internet Security\
%ProgramFiles%\Panda Software\Panda Platinum 2007 Internet Security\
by  default  are  set  to Everyone:Full Control without any warning. Few
services  (e.g.  WebProxy.exe  for  Platinum  2006  or  PAVSRV51.EXE for
Platinum  2007) are started from this folder. Services are started under
LocalSystem  account.  There  is  no  protection  of service files. It's
possible  for  unprivileged  user to replace service executable with the
file of his choice to get full access with LocalSystem privileges. Or to
get  privileges  or any user (including system administrator) who logons
to vulnerable host. This can be exploited as easy as:

   a. Rename  WebProxy.exe  (for Platinum 2006 or  another service for
      Platinum 2007, because under 2007 WebProxy.exe  is not executed
      as a service) to WebProxy.old in Panda folder
   b. Copy any application to WebProxy.exe
   c. Reboot

Upon  reboot  trojaned  application  will  be  executed with LocalSystem

2.   To  manage  SPAM  filtering  for messages received with POP3, Panda
starts  Web  server  on  the interface with port 6083 and adds
text like
Text inserted by Platinum 2007:

This message has NOT been classified as spam. If it is unsolicited mail (spam), click on the following link to reclassify it:
By  clicking  the  link  user  can  classify  message  as a spam or not.
ID=pav_XXX  parameters  contains  ID  of  the  message,  where  XXX  is
sequential  message  number.  On  reply, this message is not filtered or
First, it leaks information about correspondence flow user has.
Second, it's possible for malicious Web page to use something like
[IMG SRC=""]
[IMG SRC=""]
[IMG SRC=""]
It  will  cause incorrect message classification as a SPAM and will lead
to unpredictable filter behavior.


11.08.2006 Panda Software was contacted via [email protected],
          [email protected], [email protected], [email protected]
15.08.2006 [email protected]  (Panda Software Russia) was contacted in Russian
16.08.2006 Response from Panda Software Russia
16.08.2006 Additional details sent to Panda Software Russia
17.08.2006 Panda  Software  launches Panda Internet Security 2007 which
          suffers from the same vulnerabilities

1. Ecc 1:18

       { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород