CVE-2015-8620 – Avast Virtualization Driver – Elevation Of Privileges

CVE: CVE-2015-8620
Vendor: Avast
Reported by: Kyriakos Economou
Date of Release: 17/02/2016
Affected Products: Multiple
Affected Version: <= v11.1.2245
Fixed Version: v11.1.2253

Description:
A paged pool buffer overflow in the Avast Virtualization kernel mode driver (aswSnx.sys) allows a local attacker, from any account type, to elevate privileges and execute code as SYSTEM.

Affected Products:

Avast Internet Security v11.1.2245
Avast Pro Antivirus v11.1.2245
Avast Premier v11.1.2245
Avast Free Antivirus v11.1.2245

Earlier versions of these products are affected as well.

Technical Details:

The Avast virtualization kernel mode driver (aswSnx.sys) does not validate the length of the absolute Unicode file paths carried in some of the IOCTL requests it receives from userland. These paths are later copied into fixed-length paged pool allocations, so an over-long path overflows the allocation into the adjacent pool chunk.
This lets the attacker corrupt a kernel object that they control, and ultimately execute code as SYSTEM.
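The following is an added example, not Avast's driver code: it models the bug class above in user mode. A fixed 0x418-byte chunk tagged SnxN sits next to a Dire chunk, as in the pool dump below, and a path copied without a length check runs over the neighbour's pool header, while the hardened handler bounds the scan and rejects the path. The reserved path size, the NTSTATUS values and the simplified POOL_HEADER layout are assumptions for illustration.

```c
/* Added example (not Avast's code): user-mode model of an unchecked Unicode
 * path copy into a fixed-size paged pool allocation. Chunk sizes and tags
 * mirror the !pool dump (0x418-byte chunks, SnxN next to Dire); the reserved
 * path size and the NTSTATUS values are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint16_t WCHAR;                  /* UTF-16 code unit, as on Windows */
#define CHUNK_SIZE     0x418             /* allocation size seen in the dump */
#define PATH_MAX_BYTES 0x400             /* hypothetical room kept for the path */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_NAME_TOO_LONG     0xC0000106u

/* Simplified x86 POOL_HEADER: two packed 16-bit size/type words plus the tag. */
struct pool_header {
    uint16_t prev_size_and_index;
    uint16_t block_size_and_type;
    char     tag[4];
};
struct pool_chunk {
    struct pool_header hdr;
    uint8_t body[CHUNK_SIZE - sizeof(struct pool_header)];
};
/* Two adjacent chunks, as in the dump: *SnxN followed by Dire (Protected). */
struct pool_page {
    struct pool_chunk snx;
    struct pool_chunk dire;
};

void init_page(struct pool_page *p) {
    memset(p, 0, sizeof *p);
    p->snx.hdr.block_size_and_type  = CHUNK_SIZE >> 3;  /* sizes in 8-byte units */
    memcpy(p->snx.hdr.tag, "SnxN", 4);
    p->dire.hdr.prev_size_and_index = CHUNK_SIZE >> 3;
    p->dire.hdr.block_size_and_type = CHUNK_SIZE >> 3;
    memcpy(p->dire.hdr.tag, "Dire", 4);
}

int dire_header_intact(const struct pool_page *p) {
    return memcmp(p->dire.hdr.tag, "Dire", 4) == 0 &&
           p->dire.hdr.prev_size_and_index == (CHUNK_SIZE >> 3);
}

/* Vulnerable pattern: copy the user path up to its NUL, trusting its length. */
void vulnerable_handler(struct pool_page *p, const WCHAR *user_path) {
    /* snx is at offset 0 of the page, so this points at snx.body */
    WCHAR *dst = (WCHAR *)((uint8_t *)p + offsetof(struct pool_chunk, body));
    for (size_t i = 0;; i++) {
        dst[i] = user_path[i];           /* no bound: overruns into p->dire */
        if (user_path[i] == 0) break;
    }
}

/* Hardened pattern: bound the scan to the input length the I/O manager reports,
 * require a terminator, and cap the copy at the space actually reserved.
 * (A real driver would also ProbeForRead the buffer inside __try; omitted.) */
uint32_t hardened_handler(struct pool_page *p, const WCHAR *user_path, size_t input_len) {
    size_t max_chars = input_len / sizeof(WCHAR), n = 0;
    while (n < max_chars && user_path[n] != 0) n++;
    if (n == max_chars) return STATUS_INVALID_PARAMETER;  /* unterminated */
    size_t bytes = (n + 1) * sizeof(WCHAR);
    if (bytes > PATH_MAX_BYTES) return STATUS_NAME_TOO_LONG;
    memcpy(p->snx.body, user_path, bytes);
    return STATUS_SUCCESS;
}

/* Constructed input: `chars` 'A' code units plus the terminator; returns bytes. */
size_t make_path(WCHAR *buf, size_t chars) {
    for (size_t i = 0; i < chars; i++) buf[i] = 'A';
    buf[chars] = 0;
    return (chars + 1) * sizeof(WCHAR);
}

/* Feed a path of `chars` units to the vulnerable handler; 1 if Dire survived. */
int run_vulnerable(size_t chars) {
    static WCHAR path[0x800];
    struct pool_page page;
    init_page(&page);
    make_path(path, chars);
    vulnerable_handler(&page, path);
    return dire_header_intact(&page);
}

/* Same through the hardened handler; returns its status, Dire state in *intact. */
uint32_t run_hardened(size_t chars, int *intact) {
    static WCHAR path[0x800];
    struct pool_page page;
    init_page(&page);
    uint32_t st = hardened_handler(&page, path, make_path(path, chars));
    if (intact) *intact = dire_header_intact(&page);
    return st;
}
int run_hardened_intact(size_t chars) { int ok; run_hardened(chars, &ok); return ok; }

int main(void) {
    int ok;
    printf("vulnerable, 0x220 chars: Dire intact=%d\n", run_vulnerable(0x220));
    uint32_t st = run_hardened(0x220, &ok);
    printf("hardened,   0x220 chars: status=0x%08x Dire intact=%d\n", st, ok);
    return 0;
}
```

A 0x220-character path is 0x442 bytes with its terminator, 0x32 more than the 0x410-byte body of the chunk, which is enough to overwrite the whole header of the following Dire chunk; the hardened handler refuses it before any copy takes place.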

Example:

kd> !pool a8f45816
Pool page a8f45816 region is Paged pool
 a8f45000 size:  418 previous size:    0  (Allocated)  Dire (Protected)
 a8f45418 size:  3b8 previous size:  418  (Free)       ....
*a8f457d0 size:  418 previous size:  3b8  (Allocated) *SnxN
 a8f45be8 size:  418 previous size:  418  (Allocated)  Dire (Protected)

Further reading: https://www.nettitude.co.uk/exploiting-a-kernel-paged-pool-buffer-overflow-in-avast-virtualization-driver

Disclosure Log:
Vendor Contacted: 23/12/2015
Public Disclosure: 17/02/2016
