exploit the possibilities

Avast 11.1.2245 Heap Overflow

Avast 11.1.2245 Heap Overflow
Posted Feb 21, 2016
Authored by Kyriakos Economou

Avast versions 11.1.2245 and below suffer from a heap overflow bug in the Avast Virtualization kernel mode driver (aswSnx.sys).

tags | advisory, overflow, kernel
advisories | CVE-2015-8620
MD5 | 6127c57faed270d3bdc04b3747c68c28

Avast 11.1.2245 Heap Overflow

Change Mirror Download
* CVE: CVE-2015-8620
* Vendor: Avast
* Reported by: Kyriakos Economou
* Date of Release: 17/02/2016
* Affected Products: Multiple
* Affected Version: <= v11.1.2245
* Fixed Version: v11.1.2253

Description:
A heap overflow bug in the Avast Virtualization kernel mode driver (aswSnx.sys) allows a local attacker to elevate his privileges from any account type and execute code as SYSTEM.


Affected Products:

Avast Internet Security v11.1.2245
Avast Pro Antivirus v11.1.2245
Avast Premier v11.1.2245
Avast Free Antivirus v11.1.2245

Earlier versions of these products are affected as well.


Technical Details:

The Avast virtualization kernel mode driver (aswSnx.sys) does not validate the length of absolute Unicode file paths in some of the IOCTL requests that receives from userland, which are later copied on fixed length paged pool memory allocations. This allows to corrupt a kernel object that the attacker controls, and execute code as SYSTEM.

Example:

kd> !pool a8f45816
Pool page a8f45816 region is Paged pool
a8f45000 size: 418 previous size: 0 (Allocated) Dire (Protected) <--- object controlled by the attacker
a8f45418 size: 3b8 previous size: 418 (Free) ....
*a8f457d0 size: 418 previous size: 3b8 (Allocated) *SnxN <--- attacker overflows this chunk
a8f45be8 size: 418 previous size: 418 (Allocated) Dire (Protected) <--- object controlled by the attacker


Further reading: https://www.nettitude.co.uk/exploiting-a-kernel-paged-pool-buffer-overflow-in-avast-virtualization-driver

Disclosure Log:
Vendor Contacted: 23/12/2015
Public Disclosure: 17/02/2016

Copyright:
Copyright (c) Nettitude Limited 2016, All rights reserved worldwide.

Disclaimer:
The information herein contained may change without notice. Any use of this information is at the user's risk and discretion and is provided with no warranties. Nettitude and the author cannot be held liable for any impact resulting from the use of this information.


Kyriakos Economou
Vulnerability Researcher

[logo]<http://www.nettitude.co.uk/>

P +44 (0) 845 520 0085 ext 1189
F +448455 200 222
keconomou@nettitude.com<mailto:keconomou@nettitude.com%0d>
www.nettitude.co.uk<http://www.nettitude.co.uk/>


Nettitude NEWS
#Nettitude awarded MSSP of the Year by LogRhythm
#Nettitude features on NBC<http://www.nettitude.com/nbc-interview/>
[Nettitude Awards]<http://www.nettitude.com/>
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Nettitude Limited: 1 Jephson Court * Tancred Close * Leamington Spa * Warwickshire * CV31 3RZ
Nettitude Inc: 85 Broad Street * 17th Floor * New York * NY10004 * EIN No.36-4694227
Twitter<https://twitter.com/Nettitude_com> * LinkedIn<http://uk.linkedin.com/company/nettitude-group> * Google Plus<https://plus.google.com/+Nettitude-penetrationtesting/posts> * FaceBook<https://www.facebook.com/Nettitude> * YouTube<http://www.youtube.com/channel/UCRUUESU5OTfRte0P-pm2MZQ> * Threat2Alert<http://www.threat2alert.com/>
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
LOVE REFERRALS - please pass our contact details on solutions@nettitude.com<mailto:solutions@nettitude.com>. Thank you!

______________________________________________________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

Nettitude employ a secure email policy for sending emails to customers. Should your email service support ESMTP, you will likely have received this email over TLS. We also utilise a backup secure service via Cisco Registered Envelope Service. For more information visit https://res.cisco.com/websafe/about

This footnote also confirms that this email message has been swept by a content checking tool for the presence of computer viruses.

Nettitude Limited is a Company registered in England
Registered Address
Nettitude Limited, 1 Jephson Court, Tancred Close, Leamington Spa, Warwickshire, CV31 3RZ
Company Registration Number: 4705154
VAT Number: 184 5171 96
www.nettitude.com
______________________________________________________________________

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    32 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    10 Files
  • 17
    Feb 17th
    2 Files
  • 18
    Feb 18th
    27 Files
  • 19
    Feb 19th
    32 Files
  • 20
    Feb 20th
    15 Files
  • 21
    Feb 21st
    17 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close