Privilege escalation with Panda's Internet Security

The 2006 and 2007 versions of Panda's Internet Security Suite enable users to escalate their privileges. Because the software confers during installation full privileges for the group "Any" on the installation folder and all files in this folder, users with accounts with restricted privileges can create, overwrite or delete files in the Panda program folder.

On a test computer, heise Security was able to replace the Panda Suite file WebProxy.exe with a different program using a restricted user account. When the computer was restarted, the program started automatically and had SYSTEM privileges. Any malware which slipped through Panda's filter would be able to embed itself deep into the system using this method.

There is a further vulnerability in the suite's spam filter. This starts a local webserver which listens on port 6083. To register an e-mail as spam with the bayesian filter, the spam filter adds links of the form http://127.0.0.1:6083/Panda?ID=pav_8&SPAM=true to the e-mail. The number after the ID is serial. Websites would be able to render the spam filter useless by marking other e-mails as spam with embedded URLs. It would be sufficient for the user to visit a website containing prepared IMG tags: <IMG SRC="http://127.0.0.1:6083/Panda?ID=pav_8&SPAM=true">.

According to the security bulletin from 3APA3A, the problem affects Panda's Internet Security Suites Platinum 2006 10.02.01 and 2007 11.00.00. According to a statement, 3APA3A informed Panda Russia of the vulnerability in mid August. Panda was unable to tell heise Security when an update would be made available.

See also:

• Panda Platinum Internet Security 2006/2007 privilege escalation and bayesian filter control security vulnerabilities, security bulletin from 3APA3A

(ehe)