[NT] Avast Antivirus Device Driver Memory Overwriting Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 05/29/05

    To: list@securiteam.com
    Date: 29 May 2005 18:48:51 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Avast Antivirus Device Driver Memory Overwriting Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.avast.com> Avast Antivirus is "very common antivirus software
    package with a big worldwide userbase".

    A memory overwriting vulnerability has been discovered in the Avast
    Antivirus device driver. Successful exploitation allows a local attacker to
    obtain full system control (ring0 privileges).

    DETAILS

    The vulnerability is caused by a lack of bounds checking in the device
    driver. By sending a special signal together with a specially crafted
    input buffer, an attacker can force the Avast Asynchronous Virus Monitor to
    overwrite attacker-chosen memory with attacker-provided data.

    Here is one of the vulnerable code paths (disassembly of the Aavmker4
    device driver):

    .text:00010901 loc_10901:                  ; CODE XREF: sub_10604+2A8j
    .text:00010901     mov  eax, [ebx+0Ch]     ; eax = input buffer
    .text:00010904     xor  edx, edx           ; edx = 0
    .text:00010906     mov  [ebp+var_8], eax   ; store
    .text:00010909     cmp  [eax], edx         ; input buffer == 0?
    .text:0001090B     jz   short loc_10966    ; if so -> exit
    .text:0001090D     mov  edi, [eax+870h]    ; edi = address from input buffer+870h
    .text:00010913     lea  esi, [eax+4]       ; esi = ptr to input buffer+4
    .text:00010916     mov  ecx, 21Ah          ; ecx = 21Ah, size to copy (const)
    .text:0001091B     rep movsd               ; copy

    Sending the input buffer below:

    input_buff:
        db "YOU!"             ; non-zero first dword, passes the check above
        db 86Ch dup (90h)     ; source memory (ESI)
        dd 1234567h           ; destination address (at offset 870h)
        db "GONDIE"

    forces the Avast device driver to write the data from "source memory" to
    the destination address (here 1234567h).
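    As an added illustration (not code from the advisory or from Avast), the
    following user-mode C model reproduces the copy loop above beside a hardened
    version that checks the input length and refuses caller-chosen destinations.
    The names handle_request_vulnerable, handle_request_hardened, driver_owned and
    demo are hypothetical, and the destination is read as a host pointer rather
    than the driver's 32-bit dword.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define COPY_DWORDS 0x21A                    /* mov ecx, 21Ah */
#define COPY_BYTES  (COPY_DWORDS * 4)        /* rep movsd copies dwords */
#define DEST_OFFSET 0x870                    /* mov edi, [eax+870h] */
#define INPUT_LEN   (DEST_OFFSET + sizeof(uintptr_t)) /* driver reads a 32-bit dword; host pointer here */
typedef struct { const uint8_t *buf; size_t len; } request_t; /* IOCTL input as the driver sees it */
static uint8_t driver_owned[COPY_BYTES];     /* hypothetical: the only region the driver may fill */

/* Mirrors the disassembly: no length check, destination taken from the buffer itself. */
int handle_request_vulnerable(const request_t *req) {
    const uint8_t *in = req->buf;
    uint32_t first; uintptr_t dst;
    memcpy(&first, in, 4);                            /* cmp [eax], edx */
    if (first == 0) return 0;                         /* jz short loc_10966 */
    memcpy(&dst, in + DEST_OFFSET, sizeof dst);       /* mov edi, [eax+870h] */
    memcpy((void *)dst, in + 4, COPY_BYTES);          /* lea esi, [eax+4]; rep movsd */
    return 1;
}

/* Hardened: check the input length and refuse any destination outside driver-owned memory. */
int handle_request_hardened(const request_t *req) {
    if (req->len < INPUT_LEN) return -1;              /* input shorter than what we read */
    const uint8_t *in = req->buf;
    uint32_t first; uintptr_t dst;
    memcpy(&first, in, 4);
    if (first == 0) return 0;
    memcpy(&dst, in + DEST_OFFSET, sizeof dst);
    uintptr_t lo = (uintptr_t)driver_owned, hi = lo + sizeof driver_owned;
    if (dst < lo || dst > hi - COPY_BYTES) return -1; /* caller-chosen address: refuse */
    memcpy((void *)dst, in + 4, COPY_BYTES);
    return 1;
}

/* Builds the advisory's buffer: "YOU!", 86Ch bytes of 90h, then the destination. */
size_t build_request(uint8_t *out, uintptr_t dst) {
    memcpy(out, "YOU!", 4);
    memset(out + 4, 0x90, DEST_OFFSET - 4);
    memcpy(out + DEST_OFFSET, &dst, sizeof dst);
    return INPUT_LEN;
}

/* Aims that buffer at memory the driver must never touch; 1 = hardened refused, vulnerable overwrote. */
int demo(void) {
    static uint8_t outside[COPY_BYTES], in[INPUT_LEN];
    request_t req = { in, build_request(in, (uintptr_t)outside) };
    int refused = handle_request_hardened(&req) == -1 && outside[0] == 0;
    int clobbered = handle_request_vulnerable(&req) == 1 && outside[COPY_BYTES - 1] == 0x90;
    return refused && clobbered;
}
```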

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:bania.piotr@gmail.com> Piotr
    Bania.
    The original article can be found at:
    http://pb.specialised.info/all/adv/avast-adv.txt


