Tried, Tested and Proven

Vulnerability title: Privilege Escalation In Panda Security

CVE: CVE-2014-5307
Vendor: Panda Security
Product: Multiple
Affected version: Panda 2014 Products
Fixed version: Hotfix hft131306s24_r1
Reported by: Kyriakos Economou

Details:

Latest, and possibly earlier builds, of the PavTPK.sys kernel mode driver of Panda Security software suffers from a heap overflow bug that allows any user to elevate their privileges through an IOCTL request and execute code as SYSTEM by controlling the EIP via a corrupted kernel object.
Upon unsuccessful exploitation the system will crash with a BSoD.
This driver is loaded into kernel memory during boot time and stays resident without touching the disk later.
All Panda Security products using the faulty driver were found to be vulnerable.

Technical Details:

By using IOCTL 0×222008 with a crafted input buffer, the following block of instructions is reached. This is the first part of the cause that leads to the heap overflow bug, because any process can easily manipulate information in its own Process Environment Block structure (PEB).
However, the root cause of the heap overflow will be examined later.

Read Information from PEB:

80536bf0 89448fe4 mov dword ptr [edi+ecx*4-1Ch],eax
80536bf4 8b448ee8 mov eax,dword ptr [esi+ecx*4-18h]
80536bf8 89448fe8 mov dword ptr [edi+ecx*4-18h],eax
80536bfc 8b448eec mov eax,dword ptr [esi+ecx*4-14h]
80536c00 89448fec mov dword ptr [edi+ecx*4-14h],eax
80536c04 8b448ef0 mov eax,dword ptr [esi+ecx*4-10h]
80536c08 89448ff0 mov dword ptr [edi+ecx*4-10h],eax
80536c0c 8b448ef4 mov eax,dword ptr [esi+ecx*4-0Ch]
80536c10 89448ff4 mov dword ptr [edi+ecx*4-0Ch],eax
80536c14 8b448ef8 mov eax,dword ptr [esi+ecx*4-8]
80536c18 89448ff8 mov dword ptr [edi+ecx*4-8],eax
80536c1c 8b448efc mov eax,dword ptr [esi+ecx*4-4];ds:0023:7ffdd010=00360000
80536c20 89448ffc mov dword ptr [edi+ecx*4-4],eax

The PRTL_USER_PROCESS_PARAMETERS pointer(in bold) inside the PEB structure can be manipulated so that it points to a location that contains data that an attacker fully controls.
In the example above, we have hijacked the pointer with another pointing to 0×00360000, so the driver will use that one later.

At our buffer+0×38 we can set the value size used to allocate memory through a call to ExAllocatePoolWithTag.

In this case at address 0×00360038 we can write a DWORD, for example 0×41412020, but only the low WORD is taken in consideration for memory allocation.
So we can copy 0×2020 bytes of data we control there. This data will overflow a heap buffer later used by the driver which is always of size 0×1004.
Further manipulation of that buffer is needed, but this information is not necessary in order to explain the vulnerability as shown below.

b70b8339 6800100000 push 1000h
b70b833e 6a00 push 0
b70b8340 56 push esi
b70b8341 e800370000 call PavTPK!GetThreads+0x3a28 <--- zero out dest buf (Total size 0x1004)
b70b8346 0fb745c0 movzx eax,word ptr [ebp-40h] <-- read our value 0x2020
b70b834a d1e8 shr eax,1 <-- divide by two to copy data per WORD size
b70b834c 50 push eax
b70b834d ff75c4 push dword ptr [ebp-3Ch]
b70b8350 56 push esi
b70b8351 ff1524d00bb7 call dword ptr [PavTPK!GetThreads+0x5006 (b70bd024)] ds:0023:b70bd024={nt!wcsncpy (80537f29)} <--- heap overflow since destination buffer is smaller than the data copied

Impact:

This vulnerability results in local privilege escalation.

Exploit:

The proof of concept exploit is available.

Vendor status:

19/06/2014 Advisory created
14/07/2014 Vendor contacted
16/07/2014 Vendor working on a fix
18/07/2014 Fix released
22/07/2014 Fix confirmed
27/07/2014 Confirmed advisory release date with vendor
18/08/2014 CVE obtained
18/08/2014 Published
Copyright:

Copyright © Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.