Avast 11.1.2245 Heap Overflow

2016.02.23
Credit: Kyriakos Economou
Risk: High
Local: Yes
Remote: No
CVE: CVE-2015-8620
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

* CVE: CVE-2015-8620 * Vendor: Avast * Reported by: Kyriakos Economou * Date of Release: 17/02/2016 * Affected Products: Multiple * Affected Version: <= v11.1.2245 * Fixed Version: v11.1.2253 Description: A heap overflow bug in the Avast Virtualization kernel mode driver (aswSnx.sys) allows a local attacker to elevate his privileges from any account type and execute code as SYSTEM. Affected Products: Avast Internet Security v11.1.2245 Avast Pro Antivirus v11.1.2245 Avast Premier v11.1.2245 Avast Free Antivirus v11.1.2245 Earlier versions of these products are affected as well. Technical Details: The Avast virtualization kernel mode driver (aswSnx.sys) does not validate the length of absolute Unicode file paths in some of the IOCTL requests that receives from userland, which are later copied on fixed length paged pool memory allocations. This allows to corrupt a kernel object that the attacker controls, and execute code as SYSTEM. Example: kd> !pool a8f45816 Pool page a8f45816 region is Paged pool a8f45000 size: 418 previous size: 0 (Allocated) Dire (Protected) <--- object controlled by the attacker a8f45418 size: 3b8 previous size: 418 (Free) .... *a8f457d0 size: 418 previous size: 3b8 (Allocated) *SnxN <--- attacker overflows this chunk a8f45be8 size: 418 previous size: 418 (Allocated) Dire (Protected) <--- object controlled by the attacker Further reading: https://www.nettitude.co.uk/exploiting-a-kernel-paged-pool-buffer-overflow-in-avast-virtualization-driver Disclosure Log: Vendor Contacted: 23/12/2015 Public Disclosure: 17/02/2016 Copyright: Copyright (c) Nettitude Limited 2016, All rights reserved worldwide. Disclaimer: The information herein contained may change without notice. Any use of this information is at the user's risk and discretion and is provided with no warranties. Nettitude and the author cannot be held liable for any impact resulting from the use of this information. Kyriakos Economou Vulnerability Researcher [logo]<http://www.nettitude.co.uk/> P +44 (0) 845 520 0085 ext 1189 F +448455 200 222 keconomou@nettitude.com<mailto:keconomou@nettitude.com%0d> www.nettitude.co.uk<http://www.nettitude.co.uk/> Nettitude NEWS #Nettitude awarded MSSP of the Year by LogRhythm #Nettitude features on NBC<http://www.nettitude.com/nbc-interview/> [Nettitude Awards]<http://www.nettitude.com/> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Nettitude Limited: 1 Jephson Court * Tancred Close * Leamington Spa * Warwickshire * CV31 3RZ Nettitude Inc: 85 Broad Street * 17th Floor * New York * NY10004 * EIN No.36-4694227 Twitter<https://twitter.com/Nettitude_com> * LinkedIn<http://uk.linkedin.com/company/nettitude-group> * Google Plus<https://plus.google.com/+Nettitude-penetrationtesting/posts> * FaceBook<https://www.facebook.com/Nettitude> * YouTube<http://www.youtube.com/channel/UCRUUESU5OTfRte0P-pm2MZQ> * Threat2Alert<http://www.threat2alert.com/> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LOVE REFERRALS - please pass our contact details on solutions@nettitude.com<mailto:solutions@nettitude.com>. Thank you! ______________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. Nettitude employ a secure email policy for sending emails to customers. Should your email service support ESMTP, you will likely have received this email over TLS. We also utilise a backup secure service via Cisco Registered Envelope Service. For more information visit https://res.cisco.com/websafe/about This footnote also confirms that this email message has been swept by a content checking tool for the presence of computer viruses. Nettitude Limited is a Company registered in England Registered Address Nettitude Limited, 1 Jephson Court, Tancred Close, Leamington Spa, Warwickshire, CV31 3RZ Company Registration Number: 4705154 VAT Number: 184 5171 96 www.nettitude.com ______________________________________________________________________


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top