[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5dff694d0909230932o19da7fb5rb693682ffb6bc987@mail.gmail.com>
Date: Wed, 23 Sep 2009 16:32:35 +0000
From: evil fingers <contact.fingers@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Avast aswMon2.sys kernel memory corruption and
Local Privilege Escalation
Source:
https://www.evilfingers.com/advisory/Advisory/Avast_aswMon2.sys_kernel_memory_corruption_and_Local_Privilege_Escalation.php
-----------[Avast aswMon2.sys kernel memory corruption and Local Privilege
Escalation]--------->
Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM<br>
Website: http://evilcry.netsons.org<br <http://evilcry.netsons.org%3cbr/>>
http://evilcodecave.blogspot.com<br <http://evilcodecave.blogspot.com%3cbr/>
>
http://evilcodecave.wordpress.com<br<http://evilcodecave.wordpress.com%3cbr/>
>
http://evilfingers.com<br <http://evilfingers.com%3cbr/>>
***Disclosure Timeline***
Discover Date: Sep 13, 2009 PoC Code: Sep 13, 2009<br>
Vendor Notify: Sep 15,2009 Vendor Reply: Sep 15, 2009<br><br>
After various mails about publishing date
ignored, here the Public Disclosure.
+--------------------------------------------------------------------------+
Product: Avast antivirus 4.8.1351.0 (other versions could be affected)
Affected Component: aswMon2.sys 4.8.1351.0
Category: Local Denial of Service due to kernel memory corruption (BSOD)
(untested) Local Privilege Escalation
+---------------------------------------------------------------------------+
--------------------------[Details]--------------->
Avast's aswMon2.sys Driver does not sanitize user supplied input IOCTL) and
this lead to a kernel memory corruption that propagates
on the system with a BSOD and potential risk of Privilege
Escalation.<br><br>
00010F70 cmp [ebp+arg_C], 288h ;InBuff Len no other checks
performed<br>
00010F77 jnz loc_111AC<br>
00010F7D mov esi, [ebp+SourceString]<br>
00010F80 cmp [esi], ebx<br>
00010F82 mov [ebp+arg_C], ebx<br><br>
Affected IOCTL is B2C80018<br><br>
UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)<br><br>
Transfer Type: METHOD_BUFFERED<br><br>
STACK_TEXT:<br><br>
WARNING: Stack unwind information not available. Following frames may be
wrong.<br>
f76f3234 8053d251 f76f3250 00000000 f76f32a4 nt+0x600fa<br>
f76f32a4 8052c712 badb0d00 20a0a0a1 f76f5658 nt+0x66251<br>
f76f3328 8052c793 41414141 00000000 f76f377c nt+0x55712<br>
f76f33a4 804fc700 f76f377c f76f3478 05050505 nt+0x55793<br><br>
..
f76f56d8 f7756a04 badb0d00 8055b256 00000000 nt+0x66251<br>
f76f576c 41414141 41414141 41414141 41414141 aswMon2+0xa04<br>
f76f5770 41414141 41414141 41414141 41414141 0x41414141<br>
f76f5774 41414141 41414141 41414141 41414141 0x41414141<br>
f76f5778 41414141 41414141 41414141 41414141 0x41414141<br>
f76f577c 41414141 41414141 41414141 41414141 0x41414141<br>
f76f5780 41414141 41414141 41414141 41414141 0x41414141<br>
..<br><br>
PoC:
https://www.evilfingers.com/advisory/Advisory/Avast_aswMon2.sys_kernel_memory_corruption_and_Local_Privilege_Escalation.php
Regards,
Giuseppe 'Evilcry' Bonfa'
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists