Home / exploitsPDF  

Panda Security URL Filtering Privilege Escalation

Posted on 30 November -0001

<HTML><HEAD><TITLE>Panda Security URL Filtering Privilege Escalation</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>* CVE: CVE-2015-7378 * Vendor: Panda Security * Reported by: Kyriakos Economou * Date of Release: 05/04/2016 * Affected Products: Multiple * Affected Version: Panda Security URL Filtering < v4.3.1.9 * Fixed Version: Panda Security URL Filtering v4.3.1.9 Description: All Panda Security 2016 Home User products for Windows are vulnerable to privilege escalation, which allows a local attacker to execute code as SYSTEM from any account (Guest included), thus completely compromising the affected host. Affected Products: Panda Gold Protection 2016 v16.0.1 Panda Global Protection 2016 v16.0.1 Panda Internet Security 2016 v16.0.1 Panda Antivirus Pro 2016 v16.0.1 Panda Free Antivirus v16.0.1 Impact: A local attacker can elevate his privileges from any user account and execute code as SYSTEM. Technical Details: By default all the aforementioned products install (current version:4.3.0.4), which creates a service named 'panda_url_filtering' that runs as SYSTEM. The executable modules are by default installed in "C:ProgramDataPanda Security URL Filtering" directory. However, the ACLs assigned to the directory itself, and to the rest of the installed files, allow any user to modify those files and/or substitute them with malicious ones. A local attacker can easily execute code with SYSTEM account privileges by modifying or substituting the main executable module of this service, 'Panda_URL_Filteringb.exe', which will run at the next reboot of the host. Disclosure Log: Vendor Contacted: 28/09/2015 Public Disclosure: 05/04/2016 Copyright: Copyright (c) Nettitude Limited 2016, All rights reserved worldwide. Disclaimer: The information herein contained may change without notice. Any use of this information is at the user's risk and discretion and is provided with no warranties. Nettitude and the author cannot be held liable for any impact resulting from the use of this information. Kyriakos Economou Vulnerability Researcher [logo]<http://www.nettitude.co.uk/> P +44 (0) 845 520 0085 ext 1189 F +448455 200 222 <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="bcd7d9dfd3d2d3d1d3c9fcd2d9c8c8d5c8c9d8d992dfd3d1">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script><mailto:<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="d1bab4b2bebfbebcbea491bfb4a5a5b8a5a4b5b4ffb2bebc">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>%0d> www.nettitude.co.uk<http://www.nettitude.co.uk/> Nettitude NEWS #Nettitude awarded MSSP of the Year by LogRhythm #Nettitude features on NBC<http://www.nettitude.com/nbc-interview/> [Nettitude Awards]<http://www.nettitude.com/> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Nettitude Limited: 1 Jephson Court * Tancred Close * Leamington Spa * Warwickshire * CV31 3RZ Nettitude Inc: 85 Broad Street * 17th Floor * New York * NY10004 * EIN No.36-4694227 Twitter<https://twitter.com/Nettitude_com> * LinkedIn<http://uk.linkedin.com/company/nettitude-group> * Google Plus<https://plus.google.com/+Nettitude-penetrationtesting/posts> * FaceBook<https://www.facebook.com/Nettitude> * YouTube<http://www.youtube.com/channel/UCRUUESU5OTfRte0P-pm2MZQ> * Threat2Alert<http://www.threat2alert.com/> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LOVE REFERRALS - please pass our contact details on <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="196a76756c6d7076776a59777c6d6d706d6c7d7c377a7674">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script><mailto:<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="ddaeb2b1a8a9b4b2b3ae9db3b8a9a9b4a9a8b9b8f3beb2b0">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>>. Thank you! ______________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. Nettitude employ a secure email policy for sending emails to customers. Should your email service support ESMTP, you will likely have received this email over TLS. We also utilise a backup secure service via Cisco Registered Envelope Service. For more information visit https://res.cisco.com/websafe/about This footnote also confirms that this email message has been swept by a content checking tool for the presence of computer viruses. Nettitude Limited is a Company registered in England Registered Address Nettitude Limited, 1 Jephson Court, Tancred Close, Leamington Spa, Warwickshire, CV31 3RZ Company Registration Number: 4705154 VAT Number: 184 5171 96 www.nettitude.com </BODY></HTML>

 

TOP