Avast Antivirus Device Driver Memory Overwriting Vulnerability


Avast Antivirus is a very common antivirus software package with a large worldwide user base.

A device driver memory overwriting vulnerability has been discovered in Avast Antivirus. Successful exploitation allows an attacker to obtain full system control (ring0 privileges).


The information has been provided by Piotr Bania.
The original article can be found at: http://pb.specialised.info/all/adv/avast-adv.txt


The vulnerability is caused by the lack of a bounds-checking procedure in the device driver. By sending special signal(s) together with a specially crafted input buffer, attackers can force the Avast Asynchronous Virus Monitor to overwrite specified memory with data provided by the attacker.

Here is one of the vulnerable code sections:
.text:00010901 loc_10901:                          ; CODE XREF: sub_10604+2A8j
.text:00010901     mov     eax, [ebx+0Ch]          ; eax = input buffer
.text:00010904     xor     edx, edx                ; edx = 0
.text:00010906     mov     [ebp+var_8], eax        ; store
.text:00010909     cmp     [eax], edx              ; input buffer == 0?
.text:0001090B     jz      short loc_10966         ; if so -> exit
.text:0001090D     mov     edi, [eax+870h]         ; edi = address from input buffer+870h
.text:00010913     lea     esi, [eax+4]            ; esi = ptr to input buffer+4
.text:00010916     mov     ecx, 21Ah               ; ecx = 21Ah, size to copy (const)
.text:0001091B     rep movsd                       ; copy

Sending the input buffer shown below:
db 'YOU!'                 ; first dword, must be non-zero (cmp [eax], edx / jz)
db 86Ch dup (90h)         ; source memory (ESI)
dd 1234567h               ; destination address

forces the Avast device driver to write the data from 'source memory' to the destination address (here 1234567h).
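As an added example (not code from the advisory or from Avast), the following user-mode C model shows the shape a bounds-checked handler for this request would take: the copy of 21Ah dwords goes only to the caller's output buffer with both lengths validated first, and the dword at offset 870h is treated as data, never as a destination pointer. The struct layout, function names, return codes and the constructed request are assumptions for illustration; only the offsets and sizes come from the disassembly above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Offsets and sizes are those in the advisory's disassembly. */
#define SRC_OFFSET   4                     /* lea esi, [eax+4]          */
#define DST_OFFSET   0x870                 /* mov edi, [eax+870h]       */
#define COPY_DWORDS  0x21A                 /* mov ecx, 21Ah; rep movsd  */
#define COPY_BYTES   (COPY_DWORDS * 4)     /* 0x868 bytes               */
#define MIN_REQUEST  (DST_OFFSET + 4)      /* 0x874: smallest complete request */

enum { REQ_OK = 0, REQ_EMPTY, REQ_TOO_SHORT, REQ_OUT_TOO_SMALL };

/* Hardened handler (assumed design, not Avast's code): the destination is the
 * caller's output buffer, which the I/O manager has already validated, never a
 * pointer read from the request at offset 870h. Both lengths are checked
 * before any byte is copied. */
static int handle_request(const uint8_t *req, size_t req_len,
                          uint8_t *out, size_t out_len, size_t *written)
{
    uint32_t first;
    if (written) *written = 0;
    if (req_len < MIN_REQUEST)        /* header, 86Ch source bytes, trailing dword */
        return REQ_TOO_SHORT;
    memcpy(&first, req, sizeof first);
    if (first == 0)                   /* the driver's own early exit: cmp [eax], edx / jz */
        return REQ_EMPTY;
    if (out_len < COPY_BYTES)         /* the caller's buffer bounds the write */
        return REQ_OUT_TOO_SMALL;
    memcpy(out, req + SRC_OFFSET, COPY_BYTES);
    if (written) *written = COPY_BYTES;
    return REQ_OK;
}

/* Constructed request shaped like the advisory's: 'YOU!', 86Ch filler bytes,
 * then a trailing dword that the hardened handler keeps as data. req_len and
 * out_len are the lengths the caller claims to have passed. */
static int scenario(size_t req_len, size_t out_len, int zero_first, size_t *written)
{
    static uint8_t req[MIN_REQUEST], out[COPY_BYTES];
    memset(req, 0x90, sizeof req);
    memcpy(req, zero_first ? "\0\0\0\0" : "YOU!", 4);
    if (req_len > sizeof req) req_len = sizeof req;
    if (out_len > sizeof out) out_len = sizeof out;
    return handle_request(req, req_len, out, out_len, written);
}

static size_t bytes_copied_ok(void)
{
    size_t n = 0;
    scenario(MIN_REQUEST, COPY_BYTES, 0, &n);
    return n;
}
```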

