-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Advisory: avast! 4.7 aavmker4.sys Kernel Memory Corruption Advisory ID: TKADV2008-002 Revision: 1.1 Release Date: 2008/03/30 Last Modified: 2008/12/20 Date Reported: 2008/03/16 Author: Tobias Klein (tk at trapkit.de) Affected Software: avast! 4.7 Professional Edition avast! 4.7 Home Edition Remotely Exploitable: No Locally Exploitable: Yes Vendor URL: http://www.avast.com Vendor Status: Vendor has released a fixed version CVE-ID: CVE-2008-1625 Patch development time: 13 days ====================== Vulnerability details: ====================== The kernel driver aavmker4.sys shipped with avast! 4.7 contains a vulnerability in the code that handles IOCTL requests. Exploitation of this vulnerability can result in: 1) local denial of service attacks (system crash due to a kernel panic), or 2) local execution of arbitrary code at the kernel level (complete system compromise) The issue can be triggered by sending a specially crafted IOCTL request. No special user rights are necessary to exploit the vulnerability. ====================== Technical description: ====================== The IOCTL call 0xb2d60030 of the aavmker4.sys kernel driver shipped with avast! 4.7 accepts user supplied input that doesn't get validated enough. In consequence it is possible to overwrite arbitrary memory addresses with arbitrary values. Disassembly of aavmker4.sys (version 4.7.1098.0): [...] .text:00010D28 cmp eax, 0B2D60030h <-- (1) .text:00010D2D jz short loc_10DAB [...] .text:00010DAB loc_10DAB: .text:00010DAB xor edi, edi .text:00010DAD cmp byte_1240C, 0 .text:00010DB4 jz short loc_10DC9 [...] .text:00010DC9 loc_10DC9: .text:00010DC9 mov esi, [ebx+0Ch] <-- (2) .text:00010DCC cmp [ebp+InputBufferLength], 878h <--(3) .text:00010DD3 jz short loc_10DDF [...] .text:00010DDF .text:00010DDF loc_10DDF: .text:00010DDF mov [ebp+var_4], edi .text:00010DE2 cmp [esi], edi <-- (4) .text:00010DE4 jz short loc_10E34 .text:00010DE6 mov eax, [esi+870h] <-- (5) .text:00010DEC mov [ebp+v38_uc], eax .text:00010DEF cmp dword ptr [eax], 0D0DEAD07h <-- (6) .text:00010DF5 jnz short loc_10E00 .text:00010DF7 cmp dword ptr [eax+4], 10BAD0BAh <-- (7) .text:00010DFE jz short loc_10E06 [...] .text:00010E06 loc_10E06: .text:00010E06 xor edx, edx .text:00010E08 mov eax, [ebp+v38_uc] .text:00010E0B mov [eax], edx .text:00010E0D mov [eax+4], edx .text:00010E10 add esi, 4 <-- (8) .text:00010E13 mov ecx, 21Ah <-- (9) .text:00010E18 mov edi, [eax+18h] <-- (10) .text:00010E1B rep movsd <-- (11) [...] (1) Vulnerable IOCTL control code (2) ESI now points to user controlled IOCTL input data (3) The size of the IOCTL input data must be 0x878 (4) Minor check of the user supplied data (5) EAX now also points to the user controlled IOCTL input data (6) + (7) Minor checks of the user supplied data (8) The user supplied data (ESI) is used as source data for the following memcpy function (9) The number of bytes that get copied by the following memcpy function (ECX) (10) A user controlled memory address (EDI) is used as a destination for the following memcpy function (11) The memcpy function copies 0x21a bytes of user controlled data to a user controlled memory address This can be exploited to control the kernel execution flow and to execute arbitrary code at the kernel level. ========= Solution: ========= Update to avast! 4.8 Professional Edition or avast! 4.8 Home Edition. - http://www.avast.com/eng/download-avast-professional.html - http://www.avast.com/eng/download-avast-home.html ======== History: ======== 2008/03/16 - Vendor notified using info@avast.com 2008/03/17 - Vendor response with PGP key 2008/03/18 - Detailed vulnerability information sent to the vendor 2008/03/19 - Vendor confirms the vulnerability 2008/03/29 - Vendor releases updated version 2008/03/30 - Full technical details released to general public ======== Credits: ======== Vulnerability found and advisory written by Tobias Klein. =========== References: =========== [1] http://www.avast.com/eng/avast-4-home_pro-revision-history.html [2] http://www.trapkit.de/advisories/TKADV2008-002.txt [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1625 ======== Changes: ======== Revision 0.1 - Initial draft release to the vendor Revision 1.0 - Public release Revision 1.1 - CVE-ID added =========== Disclaimer: =========== The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. ================== PGP Signature Key: ================== http://www.trapkit.de/advisories/tk-advisories-signature-key.asc Copyright 2008 Tobias Klein. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Charset: utf-8 wj8DBQFJTRDkkXxgcAIbhEERAjnnAKDg524FvBVOZAIb9ZZdtjyQ7zDPIwCgkXJq 9YW252sQ4pKqrvEcqhcwKMI= =/755 -----END PGP SIGNATURE-----