
Vulnerability title: Arbitrary Code Execution In Panda Security Multiple Products [PSKMAD.sys]

CVE: CVE-2015-1438
Vendor: Panda Security
Product: Multiple Products
Affected version:
Fixed version: 15.1.0
Reported by: Kyriakos Economou


The Panda Kernel Memory Access Driver (PSKMAD.sys) does not validate the size of the data to be copied into an allocated kernel paged pool buffer, nor into an allocated non-paged pool buffer. Furthermore, the attacker controls the start-to-copy index into the non-paged pool buffer, which allows a kernel object to be corrupted with more precision and EIP to be controlled via a hijacked function pointer.

b5ae8cc5 8b7508 mov esi,dword ptr [ebp+8]<-- ESI input_buffer
b5ae8cc8 0fb7460c movzx eax,word ptr [esi+0Ch] <-- EAX read size of paged pool buffer to allocate from input buffer
b5ae8ccc 6685c0 test ax,ax
b5ae8ccf 7674 jbe PSKMAD_b5ae4000+0x4d45 (b5ae8d45)
b5ae8cd1 668b4e0e mov cx,word ptr [esi+0Eh]
b5ae8cd5 668945f4 mov word ptr [ebp-0Ch],ax
b5ae8cd9 0fb7c0 movzx eax,ax
b5ae8cdc 6850534d45 push 454D5350h <-- 'PSME' pool tag
b5ae8ce1 50 push eax <-- size of paged pool buffer to allocate
b5ae8ce2 6a01 push 1 <-- indicates paged pool 
b5ae8ce4 66894df6 mov word ptr [ebp-0Ah],cx
b5ae8ce8 ff159ca6aeb5 call dword ptr [PSKMAD_b5ae4000+0x669c]={nt!ExAllocatePoolWithTag}
b5ae8cee 8945f8 mov dword ptr [ebp-8],eax
b5ae8cf1 85c0 test eax,eax
b5ae8cf3 7550 jne PSKMAD_b5ae4000+0x4d45 (b5ae8d45)
b5ae8d45 8d4608 lea eax,[esi+8]
b5ae8d48 50 push eax <-- ptr to input buffer for storing the length of the returned symbolic link target
b5ae8d49 8d45f4 lea eax,[ebp-0Ch]
b5ae8d4c 50 push eax <-- ptr to uninitialized Unicode string to store symbolic link target (the paged pool buffer previously allocated)
b5ae8d4d ff36 push dword ptr [esi] <-- handle to the symbolic link object
b5ae8d4f ff1514a7aeb5 call dword ptr [PSKMAD_b5ae4000+0x6714]={nt!ZwQuerySymbolicLinkObject} <--- Heap Overflow because we control the size of the paged pool buffer that was allocated.
b5ae8d55 894604 mov dword ptr [esi+4],eax
b5ae8d58 85c0 test eax,eax
b5ae8d5a 7d09 jge PSKMAD_b5ae4000+0x4d65 (b5ae8d65)
b5ae8d65 0fb745f4 movzx eax,word ptr [ebp-0Ch] 
b5ae8d69 50 push eax <-- EAX length of symbolic link target
b5ae8d6a 8b4610 mov eax,dword ptr [esi+10h] <-- EAX index at which to copy the symbolic link target. This has also been read from our input buffer.
b5ae8d6d ff75f8 push dword ptr [ebp-8] <-- address of paged pool buffer where the symbolic link target is stored
b5ae8d70 03c6 add eax,esi <-- ESI points to our input buffer (non paged pool).
b5ae8d72 50 push eax <-- So we control the full address of where the symbolic link target will start being copied into the buffer towards higher addresses.
b5ae8d73 e864120000 call PSKMAD_b5ae4000+0x5fdc (b5ae9fdc) <-- jmp to {nt!memcpy} <--- Heap Overflow because we can control where to start copying in the non-paged pool buffer allocated during the call to DeviceIoControl API.


An exploit could use either of the two aforementioned bugs to trigger a heap overflow that allows code execution with kernel privileges. However, the second heap overflow bug is more interesting because it allows precise control of the index at which copying of the symbolic link target, returned by a call to the nt!ZwQuerySymbolicLinkObject kernel function, begins.

This allows an attacker to precisely corrupt an attacker-controlled kernel object that has previously been placed there by heap spraying the non-paged kernel pool. Part of the symbolic link target can be used as a pointer to a predictable memory range in userland where a trampoline to the payload is stored.
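As an added illustration (not Portcullis's or Panda's code), the following C model reconstructs the request header the listing reads from ESI and shows the bounds checks the driver omits before nt!ExAllocatePoolWithTag and nt!memcpy. The field names, the io_buffer_len parameter and the verdict codes are assumptions; only the offsets come from the disassembly.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the IOCTL input buffer: offsets follow the listing,
 * field names are assumed. */
typedef struct {
    uint32_t link_handle;     /* [esi+0x00] handle to the symbolic link object */
    uint32_t status;          /* [esi+0x04] NTSTATUS written back by the driver */
    uint32_t returned_length; /* [esi+0x08] length of the link target, written back */
    uint16_t alloc_size;      /* [esi+0x0C] size of the paged pool buffer to allocate */
    uint16_t max_length;      /* [esi+0x0E] MaximumLength of the UNICODE_STRING */
    uint32_t copy_index;      /* [esi+0x10] byte offset in the I/O buffer for memcpy */
} pskmad_request_t;

typedef enum { REQ_OK = 0, REQ_TOO_SHORT, REQ_BAD_POOL_SIZE, REQ_BAD_INDEX } req_verdict_t;

/* io_buffer_len: size of the METHOD_BUFFERED system buffer (ESI) as reported
 * by the I/O manager (assumed parameter). target_len: byte count the driver
 * is about to memcpy, i.e. the Length word kept at [ebp-0Ch]. */
req_verdict_t validate_request(const pskmad_request_t *req, size_t io_buffer_len,
                               uint16_t target_len)
{
    if (io_buffer_len < sizeof(*req))
        return REQ_TOO_SHORT;
    /* Bug 1: MaximumLength (and the bytes later copied) must fit the
     * allocation, or ZwQuerySymbolicLinkObject writes past the paged pool buffer. */
    if (req->alloc_size == 0 || req->max_length > req->alloc_size ||
        target_len > req->alloc_size)
        return REQ_BAD_POOL_SIZE;
    /* Bug 2: copy_index + target_len must stay inside the I/O buffer. Widen to
     * 64 bits so the addition itself cannot wrap around. */
    uint64_t end = (uint64_t)req->copy_index + target_len;
    if (end > io_buffer_len)
        return REQ_BAD_INDEX;
    return REQ_OK;
}

int main(void)
{
    /* Constructed request: index points just past the header, 64-byte target. */
    pskmad_request_t req = { 0, 0, 0, 64, 64, sizeof(pskmad_request_t) };
    printf("in-bounds request: verdict %d\n", validate_request(&req, 256, 64));
    req.copy_index = 0xFFFFFFF0u; /* wraps a 32-bit add, caught by the 64-bit check */
    printf("wrapping index: verdict %d\n", validate_request(&req, 256, 64));
    return 0;
}
```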


The proof of concept exploit is available.


The vendor has released a patch.

Vendor status:

10/11/2014 Advisory created
20/01/2015 Vendor contacted
30/01/2015 Vendor working on a fix
09/02/2015 CVE obtained
25/06/2015 Published

Copyright © Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.


The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.