SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   avast! Vendors:   ALWIL Software
avast! 'aavmker4.sys' Kernel Driver Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1019732
SecurityTracker URL:  http://securitytracker.com/id/1019732
CVE Reference:   CVE-2008-1625   (Links to External Site)
Updated:  Apr 10 2008
Original Entry Date:  Mar 31 2008
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.7
Description:   A vulnerability was reported in avast!. A local user can obtain kernel level privileges on the target system.

A local user can supply a specially crafted IOCTL request to the 'aavmker4.sys' kernel driver to execute arbitrary commands on the target system with kernel privileges.

The 0xb2d60030 IOCTL call is affected.

The vendor was notified on March 16, 2008.

The original advisory is available at:

http://www.trapkit.de/advisories/TKADV2008-002.txt

Tobias Klein reported this vulnerability.

Impact:   A local user can obtain kernel level privileges on the target system.
Solution:   The vendor has issued a fixed version (4.8), available at:

http://www.avast.com/eng/download-avast-professional.html
http://www.avast.com/eng/download-avast-home.html

The vendor's advisory is available at:

http://www.avast.com/eng/avast-4-home_pro-revision-history.html

Vendor URL:  www.avast.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] [TKADV2008-002] avast! 4.7 aavmker4.sys Kernel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               avast! 4.7 aavmker4.sys Kernel Memory Corruption 
Advisory ID:            TKADV2008-002
Revision:               1.0
Release Date:           2008/03/30
Last Modified:          2008/03/30
Date Reported:          2008/03/16
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      avast! 4.7 Professional Edition
                        avast! 4.7 Home Edition
Remotely Exploitable:   No
Locally Exploitable:    Yes
Vendor URL:             http://www.avast.com
Vendor Status:          Vendor has released a fixed version
Patch development time: 13 days


======================
Vulnerability details:
======================

The kernel driver aavmker4.sys shipped with avast! 4.7 contains a vulnerability in 
the code that handles IOCTL requests. Exploitation of this vulnerability can result 
in:

1) local denial of service attacks (system crash due to a kernel panic), or

2) local execution of arbitrary code at the kernel level (complete system compromise)

The issue can be triggered by sending a specially crafted IOCTL request.

No special user rights are necessary to exploit the vulnerability.


======================
Technical description:
======================

The IOCTL call 0xb2d60030 of the aavmker4.sys kernel driver shipped with avast! 
4.7 accepts user supplied input that doesn't get validated enough. In consequence 
it is possible to overwrite arbitrary memory addresses with arbitrary values.

Disassembly of aavmker4.sys (version 4.7.1098.0):

[...]
.text:00010D28                 cmp     eax, 0B2D60030h  <-- (1)
.text:00010D2D                 jz      short loc_10DAB
[...]
.text:00010DAB loc_10DAB:                             
.text:00010DAB                 xor     edi, edi
.text:00010DAD                 cmp     byte_1240C, 0
.text:00010DB4                 jz      short loc_10DC9
[...]
.text:00010DC9 loc_10DC9:                         
.text:00010DC9                 mov     esi, [ebx+0Ch]  <-- (2)
.text:00010DCC                 cmp     [ebp+InputBufferLength], 878h  <-- (3)
.text:00010DD3                 jz      short loc_10DDF
[...]
.text:00010DDF
.text:00010DDF loc_10DDF:                            
.text:00010DDF                 mov     [ebp+var_4], edi
.text:00010DE2                 cmp     [esi], edi  <-- (4)
.text:00010DE4                 jz      short loc_10E34
.text:00010DE6                 mov     eax, [esi+870h]  <-- (5)
.text:00010DEC                 mov     [ebp+v38_uc], eax
.text:00010DEF                 cmp     dword ptr [eax], 0D0DEAD07h  <-- (6)
.text:00010DF5                 jnz     short loc_10E00
.text:00010DF7                 cmp     dword ptr [eax+4], 10BAD0BAh  <-- (7)
.text:00010DFE                 jz      short loc_10E06
[...]
.text:00010E06 loc_10E06: 
.text:00010E06                 xor     edx, edx
.text:00010E08                 mov     eax, [ebp+v38_uc]
.text:00010E0B                 mov     [eax], edx
.text:00010E0D                 mov     [eax+4], edx
.text:00010E10                 add     esi, 4  <-- (8)
.text:00010E13                 mov     ecx, 21Ah  <-- (9)
.text:00010E18                 mov     edi, [eax+18h]  <-- (10)
.text:00010E1B                 rep movsd  <-- (11)
[...]

 (1) Vulnerable IOCTL control code  
 (2) ESI now points to user controlled IOCTL input data
 (3) The size of the IOCTL input data must be 0x878
 (4) Minor check of the user supplied data
 (5) EAX now also points to the user controlled IOCTL input data
 (6) + (7) Minor checks of the user supplied data
 (8) The user supplied data (ESI) is used as source data for the following memcpy 
     function
 (9) The number of bytes that get copied by the following memcpy function (ECX)
(10) A user controlled memory address (EDI) is used as a destination for the 
     following memcpy function
(11) The memcpy function copies 0x21a bytes of user controlled data to a user 
     controlled memory address 

This can be exploited to control the kernel execution flow and to execute arbitrary 
code at the kernel level.


=========
Solution:
=========

Update to avast! 4.8 Professional Edition or avast! 4.8 Home Edition.

  - http://www.avast.com/eng/download-avast-professional.html
  - http://www.avast.com/eng/download-avast-home.html


========
History:
========

  2008/03/16 - Vendor notified using info@avast.com
  2008/03/17 - Vendor response with PGP key
  2008/03/18 - Detailed vulnerability information sent to the vendor 
  2008/03/19 - Vendor confirms the vulnerability
  2008/03/29 - Vendor releases updated version
  2008/03/30 - Full technical details released to general public


========
Credits:
========

  Vulnerability found and advisory written by Tobias Klein.


===========
References:
===========

  [1] http://www.avast.com/eng/avast-4-home_pro-revision-history.html

  [2] http://www.trapkit.de/advisories/TKADV2008-002.txt


========
Changes:
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use 
of this information constitutes acceptance for use in an AS IS 
condition. There are no warranties, implied or express, with regard 
to this information. In no event shall the author be liable for any 
direct or indirect damages whatsoever arising out of or in connection 
with the use or spread of this information. Any use of this 
information is at the user's own risk. 


==================
PGP Signature Key:
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc


Copyright 2008 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBR++EWpF8YHACG4RBEQKQ+ACgknAvgNWbSozd2x6nl+OCm2Xow0UAoL0N
Q2Nlb3TYjsNpgFAL/BF3ODUf
=7nKB
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC