<<< Date Index >>>     <<< Thread Index >>>

[TKADV2008-002] avast! 4.7 aavmker4.sys Kernel Memory Corruption



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               avast! 4.7 aavmker4.sys Kernel Memory Corruption 
Advisory ID:            TKADV2008-002
Revision:               1.0
Release Date:           2008/03/30
Last Modified:          2008/03/30
Date Reported:          2008/03/16
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      avast! 4.7 Professional Edition
                        avast! 4.7 Home Edition
Remotely Exploitable:   No
Locally Exploitable:    Yes
Vendor URL:             http://www.avast.com
Vendor Status:          Vendor has released a fixed version
Patch development time: 13 days


======================
Vulnerability details:
======================

The kernel driver aavmker4.sys shipped with avast! 4.7 contains a vulnerability 
in 
the code that handles IOCTL requests. Exploitation of this vulnerability can 
result 
in:

1) local denial of service attacks (system crash due to a kernel panic), or

2) local execution of arbitrary code at the kernel level (complete system 
compromise)

The issue can be triggered by sending a specially crafted IOCTL request.

No special user rights are necessary to exploit the vulnerability.


======================
Technical description:
======================

The IOCTL call 0xb2d60030 of the aavmker4.sys kernel driver shipped with avast! 
4.7 accepts user supplied input that doesn't get validated enough. In 
consequence 
it is possible to overwrite arbitrary memory addresses with arbitrary values.

Disassembly of aavmker4.sys (version 4.7.1098.0):

[...]
.text:00010D28                 cmp     eax, 0B2D60030h  <-- (1)
.text:00010D2D                 jz      short loc_10DAB
[...]
.text:00010DAB loc_10DAB:                             
.text:00010DAB                 xor     edi, edi
.text:00010DAD                 cmp     byte_1240C, 0
.text:00010DB4                 jz      short loc_10DC9
[...]
.text:00010DC9 loc_10DC9:                         
.text:00010DC9                 mov     esi, [ebx+0Ch]  <-- (2)
.text:00010DCC                 cmp     [ebp+InputBufferLength], 878h  <-- (3)
.text:00010DD3                 jz      short loc_10DDF
[...]
.text:00010DDF
.text:00010DDF loc_10DDF:                            
.text:00010DDF                 mov     [ebp+var_4], edi
.text:00010DE2                 cmp     [esi], edi  <-- (4)
.text:00010DE4                 jz      short loc_10E34
.text:00010DE6                 mov     eax, [esi+870h]  <-- (5)
.text:00010DEC                 mov     [ebp+v38_uc], eax
.text:00010DEF                 cmp     dword ptr [eax], 0D0DEAD07h  <-- (6)
.text:00010DF5                 jnz     short loc_10E00
.text:00010DF7                 cmp     dword ptr [eax+4], 10BAD0BAh  <-- (7)
.text:00010DFE                 jz      short loc_10E06
[...]
.text:00010E06 loc_10E06: 
.text:00010E06                 xor     edx, edx
.text:00010E08                 mov     eax, [ebp+v38_uc]
.text:00010E0B                 mov     [eax], edx
.text:00010E0D                 mov     [eax+4], edx
.text:00010E10                 add     esi, 4  <-- (8)
.text:00010E13                 mov     ecx, 21Ah  <-- (9)
.text:00010E18                 mov     edi, [eax+18h]  <-- (10)
.text:00010E1B                 rep movsd  <-- (11)
[...]

 (1) Vulnerable IOCTL control code  
 (2) ESI now points to user controlled IOCTL input data
 (3) The size of the IOCTL input data must be 0x878
 (4) Minor check of the user supplied data
 (5) EAX now also points to the user controlled IOCTL input data
 (6) + (7) Minor checks of the user supplied data
 (8) The user supplied data (ESI) is used as source data for the following 
memcpy 
     function
 (9) The number of bytes that get copied by the following memcpy function (ECX)
(10) A user controlled memory address (EDI) is used as a destination for the 
     following memcpy function
(11) The memcpy function copies 0x21a bytes of user controlled data to a user 
     controlled memory address 

This can be exploited to control the kernel execution flow and to execute 
arbitrary 
code at the kernel level.


=========
Solution:
=========

Update to avast! 4.8 Professional Edition or avast! 4.8 Home Edition.

  - http://www.avast.com/eng/download-avast-professional.html
  - http://www.avast.com/eng/download-avast-home.html


========
History:
========

  2008/03/16 - Vendor notified using info@xxxxxxxxx
  2008/03/17 - Vendor response with PGP key
  2008/03/18 - Detailed vulnerability information sent to the vendor 
  2008/03/19 - Vendor confirms the vulnerability
  2008/03/29 - Vendor releases updated version
  2008/03/30 - Full technical details released to general public


========
Credits:
========

  Vulnerability found and advisory written by Tobias Klein.


===========
References:
===========

  [1] http://www.avast.com/eng/avast-4-home_pro-revision-history.html

  [2] http://www.trapkit.de/advisories/TKADV2008-002.txt


========
Changes:
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use 
of this information constitutes acceptance for use in an AS IS 
condition. There are no warranties, implied or express, with regard 
to this information. In no event shall the author be liable for any 
direct or indirect damages whatsoever arising out of or in connection 
with the use or spread of this information. Any use of this 
information is at the user's own risk. 


==================
PGP Signature Key:
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc


Copyright 2008 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBR++EWpF8YHACG4RBEQKQ+ACgknAvgNWbSozd2x6nl+OCm2Xow0UAoL0N
Q2Nlb3TYjsNpgFAL/BF3ODUf
=7nKB
-----END PGP SIGNATURE-----