Reported by: Kyriakos Economou (@kyREcon)
Date of Release: 17/02/2016
Affected Products: Multiple
Affected Version: <= v11.1.2245
Fixed Version: v11.1.2253
A heap overflow bug in the Avast Virtualization kernel mode driver (aswSnx.sys) allows a local attacker to elevate his privileges from any account type and execute code as SYSTEM.
Avast Internet Security v11.1.2245
Avast Pro Antivirus v11.1.2245
Avast Premier v11.1.2245
Avast Free Antivirus v11.1.2245
Earlier versions of these products are affected as well.
The Avast virtualization kernel mode driver (aswSnx.sys) does not validate the length of absolute Unicode file paths in some of the IOCTL requests that receives from userland, which are later copied on fixed length paged pool memory allocations.
This allows to corrupt a kernel object that the attacker controls, and execute code as SYSTEM.
kd> !pool a8f45816 Pool page a8f45816 region is Paged pool a8f45000 size: 418 previous size: 0 (Allocated) Dire (Protected) a8f45418 size: 3b8 previous size: 418 (Free) .... *a8f457d0 size: 418 previous size: 3b8 (Allocated) *SnxN a8f45be8 size: 418 previous size: 418 (Allocated) Dire (Protected)
Vendor Contacted: 23/12/2015
Public Disclosure: 17/02/2016