Panda Security Products Insecure DLL Loading Privilege Escalation Vulnerability

A local privilege escalation vulnerability has been identified in multiple Panda Security products, including Panda Global Protection 2016, Panda Antivirus Pro 2016, Panda Small Business Protection, and Panda Internet Security 2016, all versions through 16.1.2. The vulnerability arises because PSEvents.exe runs hourly with SYSTEM privileges and loads DLL files from a user-writable directory without proper validation. An attacker with low-privileged access who can write DLL files to the monitored directory can execute arbitrary code with SYSTEM privileges.

Impact

Exploitation of this vulnerability allows for local privilege escalation, with executed code running under the SYSTEM account.

Reproduction

The vulnerability can be reproduced by writing a malicious DLL file into the directory monitored by PSEvents.exe. This executable checks for certain DLLs when it runs, and if a malicious DLL is present, it will be loaded and executed. The same exploitation method can be applied to other executables in the Panda Downloads directory, such as PSDevice.exe and PSProfiler.exe.

Remediation

Users are advised to install the hotfix provided by Panda Security for this vulnerability.