Panda Global Security 17.0.1 NULL DACL Grants Full Access

`=====[ Tempest Security Intelligence - ADV-17/2018 ]===  
  
Panda Global Security 17.0.1 - NULL DACL grants full access  
-------------------------------------------------------  
Author:  
- Filipe Xavier Oliveira: < filipe.xavier () tempest.com.br >  
  
=====[ Table of Contents  
]=====================================================  
  
* Overview  
* Detailed description  
* Timeline of disclosure  
* Thanks & Acknowledgements  
* References  
  
=====[ Overview  
]==============================================================  
  
* System affected : Panda Global Security [1]  
* Software Version : 17.0.1. Other versions or models may also be affected.  
* Impact : A low priveliged user can access and modify the DACL of pipe  
with full access allowed. The NULL DACL grants full access to any user  
that requests it; normal security checking is not performed with respect  
to the object.  
  
=====[ Detailed description  
]==================================================  
  
Panda Global Protection 17.0.1 allows local users to gain privileges or  
cause a denial of service by impersonating all the pipes through a use  
of \\.\pipe\PSANMSrvcPpal -- an "insecurely created named pipe."  
Ensures full access to Everyone users group.  
  
=====[ Timeline of disclosure  
]===============================================  
  
26/01/2018 - Vendor was informed of the vulnerability.  
01/26/2018 - CVE assigned [2].  
02/05/2018 - Vendor did not respond.  
03/06/2018 - Advisory publication date.  
  
=====[ Thanks & Acknowledgements  
]============================================  
  
- Tempest Security Intelligence / Tempest's Pentest Team [3]  
  
=====[ References  
]===========================================================  
  
[1] - https://www.pandasecurity.com  
[2] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6322  
[3] - http://www.tempest.com.br/  
  
--   
Filipe Oliveira  
Tempest Security Intelligence  
  
  
  
`