Panda Security DLL Hijacking
Posted on 20 January 2016
Hi @ll,

the executable installers PANDAIS16.exe, PANDAAP16.exe, PANDAGL16.exe and PANDAGP16.exe available from <www.pandasecurity.com> load and execute (at least) UXTheme.dll, RichEd20.dll and RichEd32.dll from their "application directory".

For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134>

If an attacker places the above named DLLs in the user's "Downloads" directory (for example via drive-by download or social engineering) this vulnerability becomes a remote code execution.

Due to the application manifest embedded in the executables, which specifies "requireAdministrator", the executable installer is run with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator password); execution of the DLLs therefore results in an escalation of privilege!

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it as UXTheme.dll in your "Downloads" directory, then copy it as RichEd20.dll and RichEd32.dll;

2. download PANDA{IS,AP,GL,GP}16.exe and save it in your "Downloads" directory;

3. run PANDA{IS,AP,GL,GP}16.exe per double-click from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in step 1.

PWNED!

See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> as well as <http://home.arcor.de/skanthak/!execute.html> and <http://home.arcor.de/skanthak/sentinel.html> for details about this well-known and well-documented BEGINNER'S error!
regards
Stefan Kanthak

PS: I really LOVE (security) software with such trivial beginner's errors. It's a tell-tale sign to stay away from this crapware!

Timeline:
~~~~~~~~~

2015-12-29    sent report to vendor
              NO ANSWER, not even an acknowledgement of receipt

2016-01-10    resent report to vendor
              NO ANSWER, not even an acknowledgement of receipt

2016-01-19    report published
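The following is an added example, not part of Stefan Kanthak's post or of any Panda Security code: a PowerShell audit a defender can run to check whether copies of the three DLL names from the advisory have been planted in the user's "Downloads" directory beside downloaded installers, and how they compare to the genuine copies in System32. It assumes the default profile layout ($env:USERPROFILE\Downloads); the function name Test-PlantedDll is hypothetical.

```powershell
# Added example: look for DLLs that an installer started from the Downloads
# directory would load from there in preference to the Windows system copies.
$names     = @('UXTheme.dll', 'RichEd20.dll', 'RichEd32.dll')   # names from the advisory
$downloads = Join-Path $env:USERPROFILE 'Downloads'             # assumption: default profile layout
$system32  = Join-Path $env:SystemRoot 'System32'

function Test-PlantedDll {
    param(
        [Parameter(Mandatory)] [string]   $Directory,
        [Parameter(Mandatory)] [string[]] $DllNames
    )
    foreach ($name in $DllNames) {
        $candidate = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $candidate)) { continue }

        $planted = Get-Item -LiteralPath $candidate
        $sig     = Get-AuthenticodeSignature -FilePath $candidate
        $hash    = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        $sysCopy = Join-Path $system32 $name
        $sysHash = if (Test-Path -LiteralPath $sysCopy) {
            (Get-FileHash -LiteralPath $sysCopy -Algorithm SHA256).Hash
        } else { $null }

        # One record per planted file; a genuine system DLL is Microsoft-signed
        # and identical to the System32 copy, a planted one normally is neither.
        [pscustomobject]@{
            Path          = $candidate
            SizeBytes     = $planted.Length
            LastWrite     = $planted.LastWriteTime
            SignerStatus  = $sig.Status
            Signer        = $sig.SignerCertificate.Subject
            MatchesSystem = ($null -ne $sysHash -and $hash -eq $sysHash)
        }
    }
}

$hits = Test-PlantedDll -Directory $downloads -DllNames $names
if ($hits) {
    $hits | Format-List
    # Installers in the same directory would pick the planted copies up when run.
    Get-ChildItem -LiteralPath $downloads -Filter '*.exe' | Select-Object Name, LastWriteTime
} else {
    "No copies of $($names -join ', ') found in $downloads"
}
```

Any hit is worth investigating regardless of its signature, since these DLLs have no legitimate reason to sit next to downloaded installers; the durable fix remains on the vendor's side, in how the installer resolves its DLLs.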