-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: avast! 4.7 aavmker4.sys Kernel Memory Corruption
Advisory ID: TKADV2008-002
Revision: 1.0
Release Date: 2008/03/30
Last Modified: 2008/03/30
Date Reported: 2008/03/16
Author: Tobias Klein (tk at trapkit.de)
Affected Software: avast! 4.7 Professional Edition
avast! 4.7 Home Edition
Remotely Exploitable: No
Locally Exploitable: Yes
Vendor URL: http://www.avast.com
Vendor Status: Vendor has released a fixed version
Patch development time: 13 days

======================
Vulnerability details:

The kernel driver aavmker4.sys shipped with avast! 4.7 contains a vulnerability in
the code that handles IOCTL requests. Exploitation of this vulnerability can result
in:

1) local denial of service attacks (system crash due to a kernel panic), or

2) local execution of arbitrary code at the kernel level (complete system compromise)

The issue can be triggered by sending a specially crafted IOCTL request.

No special user rights are necessary to exploit the vulnerability.

======================
Technical description:

The IOCTL call 0xb2d60030 of the aavmker4.sys kernel driver shipped with avast!
4.7 accepts user supplied input that doesn't get validated enough. In consequence
it is possible to overwrite arbitrary memory addresses with arbitrary values.

Disassembly of aavmker4.sys (version 4.7.1098.0):

[…]
.text:00010D28 cmp eax, 0B2D60030h <– (1)
.text:00010D2D jz short loc_10DAB
[…]
.text:00010DAB loc_10DAB:
.text:00010DAB xor edi, edi
.text:00010DAD cmp byte_1240C, 0
.text:00010DB4 jz short loc_10DC9
[…]
.text:00010DC9 loc_10DC9:
.text:00010DC9 mov esi, [ebx+0Ch] <– (2)
.text:00010DCC cmp [ebp+InputBufferLength], 878h <– (3)
.text:00010DD3 jz short loc_10DDF
[…]
.text:00010DDF
.text:00010DDF loc_10DDF:
.text:00010DDF mov [ebp+var_4], edi
.text:00010DE2 cmp [esi], edi <– (4)
.text:00010DE4 jz short loc_10E34
.text:00010DE6 mov eax, [esi+870h] <– (5)
.text:00010DEC mov [ebp+v38_uc], eax
.text:00010DEF cmp dword ptr [eax], 0D0DEAD07h <– (6)
.text:00010DF5 jnz short loc_10E00
.text:00010DF7 cmp dword ptr [eax+4], 10BAD0BAh <– (7)
.text:00010DFE jz short loc_10E06
[…]
.text:00010E06 loc_10E06:
.text:00010E06 xor edx, edx
.text:00010E08 mov eax, [ebp+v38_uc]
.text:00010E0B mov [eax], edx
.text:00010E0D mov [eax+4], edx
.text:00010E10 add esi, 4 <– (8)
.text:00010E13 mov ecx, 21Ah <– (9)
.text:00010E18 mov edi, [eax+18h] <– (10)
.text:00010E1B rep movsd <– (11)
[…]

(1) Vulnerable IOCTL control code
(2) ESI now points to user controlled IOCTL input data
(3) The size of the IOCTL input data must be 0x878
(4) Minor check of the user supplied data
(5) EAX now also points to the user controlled IOCTL input data
(6) + (7) Minor checks of the user supplied data
(8) The user supplied data (ESI) is used as source data for the following memcpy
function
(9) The number of bytes that get copied by the following memcpy function (ECX)
(10) A user controlled memory address (EDI) is used as a destination for the
following memcpy function
(11) The memcpy function copies 0x21a bytes of user controlled data to a user
controlled memory address

This can be exploited to control the kernel execution flow and to execute arbitrary
code at the kernel level.

=========
Solution:

Update to avast! 4.8 Professional Edition or avast! 4.8 Home Edition.

• http://www.avast.com/eng/download-avast-professional.html
• http://www.avast.com/eng/download-avast-home.html

========
History:

2008/03/16 - Vendor notified using [email protected]
2008/03/17 - Vendor response with PGP key
2008/03/18 - Detailed vulnerability information sent to the vendor
2008/03/19 - Vendor confirms the vulnerability
2008/03/29 - Vendor releases updated version
2008/03/30 - Full technical details released to general public

========
Credits:

Vulnerability found and advisory written by Tobias Klein.

===========
References:

[1] http://www.avast.com/eng/avast-4-home_pro-revision-history.html

[2] http://www.trapkit.de/advisories/TKADV2008-002.txt

========
Changes:

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

==================
PGP Signature Key:

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2008 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBR++EWpF8YHACG4RBEQKQ+ACgknAvgNWbSozd2x6nl+OCm2Xow0UAoL0N
Q2Nlb3TYjsNpgFAL/BF3ODUf
=7nKB
-----END PGP SIGNATURE-----