CVE-2016-4025 – Avast SandBox Escape via IOCTL Requests

CVE: CVE-2016-4025
Vendor: Avast
Reported by: Kyriakos Economou (@kyREcon)
Date of Release: 19/04/2016
Affected Products: Multiple
Affected Version: Multiple
Fixed Version: N/A

Advisory
A design flaw in Avast Sandbox allows a potentially harmful program to escape the sandbox and infect the host by dropping its files out of it and/or by modifying existing legitimate files of any type.

Affected Products
Avast Internet Security v11.x.x
Avast Pro Antivirus v11.x.x
Avast Premier v11.x.x
Avast Free Antivirus v11.x.x

Avast Business Security v11.x.x

Avast Endpoint Protection v8.x.x
Avast Endpoint Protection Plus v8.x.x
Avast Endpoint Protection Suite v8.x.x
Avast Endpoint Protection Suite Plus v8.x.x
Avast File Server Security v8.x.x
Avast Email Server Security v8.x.x

Earlier and latest versions of these products are currently affected.

Technical Details
The Avast virtualization kernel mode driver (aswSnx.sys) handles specific IOCTL requests sent through the snxhk.dll module which is automatically loaded in the address space of all sandboxed processes. One of the features that this module attempts to provide, is to recognize user interaction with the GUI of the sandboxed application which facilitates saving a file out of the sandboxed process. For example, a user can still save a txt file out of a notepad.exe sandboxed process by navigating through the menu to the ‘Save as’ dialogue box of the application. The design flaw consists in the fact that there is no further authentication from the kernel driver itself with regards to the IOCTL requests, in order to verify that releasing a file out of the sandbox it is indeed an authorised action performed by the user. This vulnerability can be exploited by a malicious application in order to infect the host by dropping its files and/or infect existing legitimate files of any type without requiring user interaction. A ransomware that exploits this vulnerability will be able to encrypt all the targetted files while its process will be running in the sandbox. This vulnerability is critical since it totally breaks the purpose of the Sandbox protection and other features, such as DeepScreen, that rely on this.

References
Nettitude – Write-up  (PDF)

Disclosure Log

Vendor Contacted: 01/11/2015
Request for Feedback: 23/11/2015
Request for Feedback: 01/04/2016
Public Disclosure: 19/04/2016

All Rights R3v3rs3d