SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Security)  >   AVG Anti-Virus Vendors:   Grisoft
AVG Anti-Virus avg7core.sys Driver Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1018362
SecurityTracker URL:  http://securitytracker.com/id/1018362
CVE Reference:   CVE-2007-3777   (Links to External Site)
Updated:  May 6 2008
Original Entry Date:  Jul 11 2007
Impact:   Modification of system information, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 7.5.0.476
Description:   A vulnerability was reported in AVG Anti-Virus. A local user can obtain system privileges.

A local user can exploit a flaw in the 'avg7core.sys' driver to write arbitrary data to kernel memory. One of the IOCTLs (0x5348E004) allows user mode data to be copied to an arbitrary address without proper validation.

The vendor was notified on April 13, 2007.

Jonathan Lindsay of NGSSoftware Insight Security Research discovered this vulnerability.

Impact:   A local user can modify arbitrary memory locations with kernel level privileges on the target system.
Solution:   The vendor has issued a fixed version (AVG 7.5 build 476, core service version 7.5.0.476).
Vendor URL:  www.grisoft.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  11 Jul 2007 12:55:06 -0000
Subject:  Advisory: Arbitrary kernel mode memory writes in AVG

=======
Summary
=======
Name: Arbitrary kernel mode memory writes in AVG Antivirus
Release Date: 10 July 2007
Reference: NGS00500
Discover: Jonathan Lindsay <john-lindsay ngssoftware com>
Vendor: Grisoft
Vendor Reference: N/A
Systems Affected: Windows NT based systems
Risk: High
Status: Fixed

========
TimeLine
========
Discovered: 13 April 2007
Released: 13 April 2007
Approved: 22 May 2007
Reported: 13 April 2007
Fixed: 9 July 2007
Published: 10 July 2007

===========
Description
===========
The AVG Antivirus core kernel mode service driver (avg7core.sys) provides
functionality that under a default install allows an unprivileged user to
write arbitrary data to arbitrary addresses. This service provides the
core detection (and probably disinfection) for the product. This issue has
been verified as affecting AVG Free 7.5.446 and AVG Antivirus 7.5.448. The
version of avg7core.sys in question is 7.5.0.444.

The driver supports two IOCTLs in its generic DeviceIoControl handler. One
of these IOCTLs (0x5348E004) is used to get the core driver to perform
privileged functions on behalf of the user mode component; 52 different
functions are supported, and one of these is designed to copy arbitrary
data from addresses taken unchecked from the user mode application.

As the kernel mode service is started upon system start (as it is
necessary for on-access scanning), and it is accessible as read/write to
Everyone, any user can then use this functionality to overwrite arbitrary
kernel code or data.

=================
Technical Details
=================
The AVG Antivirus core kernel mode service driver (avg7core.sys) provides
functionality that under a default install allows an unprivileged user to
write arbitrary data to arbitrary addresses. This service provides the
core detection (and probably disinfection) for the product. This issue has
been verified as affecting AVG Free 7.5.446 and AVG Antivirus 7.5.448. The
version of avg7core.sys in question is 7.5.0.444.

The driver supports two IOCTLs in its generic DeviceIoControl handler. One
of these IOCTLs (0x5348E004) is used to get the core driver to perform
privileged functions on behalf of the user mode component; 52 different
functions are supported, and one of these is designed to copy arbitrary
data from addresses taken unchecked from the user mode application.

As the kernel mode service is started upon system start (as it is
necessary for on-access scanning), and it is acessible as read/write to
Everyone, any user can then use this functionality to overwrite arbitrary
kernel code or data.

The internal function in question is the fifth in the internal switch
table and therefore referenced with an index of four. Internal to this
function, a parameter specifies the type of copy to be performed. Using
a value of five will cause a segment of one buffer to be copied to an
arbitrary address. The data structures involved are convoluted, and are
unlikely to be discovered by a brute-force attempt to attack the service
(such as using a fuzzer); additionally, although a lot of pointers are
taken unvalidated from a user mode buffer, the entire dispatch processing
function is wrapped in a try/catch block.

===============
Fix Information
===============
For the request in this case, the buffer contents are validated with
respect to their usage before being passed on to the subfunction that
implements 52 privileged functions. The particular case used in the POC
code results in STATUS_NOT_IMPLEMENTED being returned, before the IRP
being completed. This fix has been implemented in AVG 7.5 build 476, core
service version 7.5.0.476.

The updated versions of AVG Antivirus can be downloaded from:

http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=aff
http://www.grisoft.com/doc/31/us/crp/0?prd=avw

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070 

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC