Unsafe file permissions in Panda Antivirus

On installation, anti-virus products from Panda allocate full access rights to all users for the program folder and the files contained in it. This allows users with restricted user accounts to escalate their privileges by replacing the Panda service executable files with programs of their choice.

The problem is not new: c't has repeatedly referred to this problem in previous tests of anti-virus software. Panda remedied the problem in version 11.01.00 of Internet Security Suite 2007, by having the suite monitor and deny access to the files. However, no update has been released for Panda Antivirus 2007, in which users can replace services including pavsrv51.exe, psimsvc.exe and psctrls.exe with their own applications.

The bug is also present in the recently released Panda Antivirus 2008. By contrast, Internet Security Suite 2008 is, like its predecessor, protected. The marketing director of Panda Germany, Markus Mertes, has confirmed the existence of the vulnerability to heise Security. The development team are, however, currently testing a patch which should resolve the problem. Mertes stated that the bug should be fixed in the course of today (Wednesday). However it remains unclear whether the patch will be distributed via automatic update or whether users will need to download and install a complete installer manually.

Certainly a more elegant solution would be to use the standard Windows file and folder privileges for program folders and install updates, for example, via a service possessing the rights required to do so. Other anti-virus software vendors rely on such a mechanism and have not had to deal with vulnerabilities permitting privilege escalation as a result of lax file rights.

See also:

• Panda Antivirus 2008 Local Privileg Escalation, security advisory from tarkus
• Panda Antivirus EoP, security advisory on the vulnerability in Panda Antivirus 2007

(mba)