[UNIX] Panda Platinum Internet Security 2006/2007 Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Panda Platinum Internet Security 2006/2007 Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

"Panda Platinum Internet Security 2006/2007 is Internet security suite
(Antivirus, Personal Firewall, Antispam) from Panda Software".

There is a local privilage escalation and a filter bypass vulnerability in
Panda Platinum Internet Security.

DETAILS

Vulnerable Systems:
* Panda Platinum Internet Security 2006 10.02.01
* Panda Platinum Internet Security 2007 11.00.00
* Panda Antivirus was not tested

Introduction:
Panda Platinum Internet Security 2006/2007 is Internet security suite
(Antivirus, Personal Firewall, Antispam) from Panda Software.

Description:
1. Insecure file permissions allow unprivileged local user to obtain
system-level access or access to account of another logged on user.
2. Insecure design of SPAM filtering control engine allows remote
attacker to control bayesian self leaning SPAM filtering process from
malicious Web page.

Details:
1. During installation of Panda Platinum Internet Security 2006/2007
permissions for installation folder
%ProgramFiles%\Panda Software\Panda Platinum 2006 Internet Security\
or %ProgramFiles%\Panda Software\Panda Platinum 2007 Internet Security\
by default are set to Everyone:Full Control without any warning. Few
services (e.g. WebProxy.exe for Platinum 2006 or PAVSRV51.EXE for
Platinum 2007) are started from this folder. Services are started under
LocalSystem account. There is no protection of service files. It's
possible for unprivileged user to replace service executable with the
file of his choice to get full access with LocalSystem privileges. Or to
get privileges or any user (including system administrator) who logons
to vulnerable host. This can be exploited as easy as:

a. Rename WebProxy.exe (for Platinum 2006 or another service for
Platinum 2007, because under 2007 WebProxy.exe is not executed as a
service) to WebProxy.old in Panda folder
b. Copy any application to WebProxy.exe
c. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

2. To manage SPAM filtering for messages received with POP3, Panda
starts Web server on the interface 127.0.0.1 with port 6083 and adds
text like:

Text inserted by Platinum 2007:

This message has NOT been classified as spam. If it is unsolicited mail
(spam), click on the following link to reclassify it:
http://127.0.0.1:6083/Panda?ID=pav_8&SPAM=true

By clicking the link user can classify message as a spam or not.
ID=pav_XXX parameters contains ID of the message, where XXX is
sequential message number. On reply, this message is not filtered or
erased.
First, it leaks information about correspondence flow user has.
Second, it's possible for malicious Web page to use something like
[IMG SRC="http://127.0.0.1:6083/Panda?ID=pav_8&SPAM=true";]
[IMG SRC="http://127.0.0.1:6083/Panda?ID=pav_9&SPAM=true";]
[IMG SRC="http://127.0.0.1:6083/Panda?ID=pav_10&SPAM=true";]
It will cause incorrect message classification as a SPAM and will lead
to unpredictable filter behavior. There is no way to flush bayesian
filter state.

Vendor Status:
11.08.2006 Panda Software was contacted via support@xxxxxxxxxxxxxxxxx,
secure@xxxxxxxxxxxxxxxxx, security@xxxxxxxxxxxxxxxxx, support@xxxxxxxxxxx
15.08.2006 support@xxxxxxxxxxx (Panda Software Russia) was contacted in
Russian
16.08.2006 Response from Panda Software Russia
16.08.2006 Additional details sent to Panda Software Russia
17.08.2006 Panda Software launches Panda Internet Security 2007 which
suffers from the same vulnerabilities

References:
1. Ecc 1:18


ADDITIONAL INFORMATION

The information has been provided by: <mailto:3APA3A@xxxxxxxxxxxxxxxx>
3APA3A.
For the original advisory please visit:
<http://www.security.nnov.ru/advisories/pandais.asp>
http://www.security.nnov.ru/advisories/pandais.asp.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages