CVE-2015-8620 – Avast Virtualization Driver – Elevation Of Privileges

CVE: CVE-2015-8620
Vendor: Avast
Reported by: Kyriakos Economou (@kyREcon)
Date of Release: 17/02/2016
Affected Products: Multiple
Affected Version: <= v11.1.2245
Fixed Version: v11.1.2253

Advisory
A heap overflow bug in the Avast Virtualization kernel mode driver (aswSnx.sys) allows a local attacker to elevate privileges from any account type and execute code as SYSTEM.

Affected Products
Avast Internet Security v11.1.2245
Avast Pro Antivirus v11.1.2245
Avast Premier v11.1.2245
Avast Free Antivirus v11.1.2245

Earlier versions of these products are affected as well.

Technical Details
The Avast virtualization kernel mode driver (aswSnx.sys) does not validate the length of absolute Unicode file paths in some of the IOCTL requests that it receives from userland. These paths are later copied into fixed-length paged pool allocations, so a path longer than the allocation overwrites whatever follows it in the pool page.
This allows the attacker to corrupt an adjacent kernel object under their control and execute code as SYSTEM.

Example (kernel debugger !pool listing of the page holding the driver's allocation):

kd> !pool a8f45816
Pool page a8f45816 region is Paged pool
a8f45000 size: 418 previous size: 0 (Allocated) Dire (Protected)
a8f45418 size: 3b8 previous size: 418 (Free) ....
*a8f457d0 size: 418 previous size: 3b8 (Allocated) *SnxN
a8f45be8 size: 418 previous size: 418 (Allocated) Dire (Protected)

The starred chunk (pool tag SnxN, 0x418 bytes) is the fixed-length paged pool allocation that receives the path; a path longer than the chunk overwrites the allocation that follows it in the page.
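The following is an added illustration of the bug class described above, not code from the advisory, from Nettitude or from Avast. It models a paged pool page in user mode: one fixed-length chunk receives a caller-supplied Unicode path, and the chunk after it stands in for the kernel object the attacker wants to corrupt. The unchecked copy trusts the Length field of the caller's UNICODE_STRING and overwrites the neighbour; the checked variant validates the length before touching the pool. The chunk size (0x400 bytes of payload), the offsets, the sentinel value and all function names are assumptions chosen to mirror the 0x418-byte chunks in the !pool listing, not the driver's real layout or code.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of the vulnerable pattern (not aswSnx.sys code):
 * a fixed-length paged pool chunk that receives an IOCTL-supplied path,
 * followed in the same page by a chunk we treat as the attacker's object.
 */
typedef uint16_t WCHAR;               /* Windows WCHAR is 16-bit; avoid host wchar_t */

#define POOL_PAGE_SIZE   0x1000
#define PATH_CHUNK_OFF   0x100        /* assumed offset of the path buffer inside the page */
#define PATH_CHUNK_SIZE  0x400        /* assumed payload size of the fixed-length allocation */
#define NEXT_OBJ_OFF     (PATH_CHUNK_OFF + PATH_CHUNK_SIZE)
#define NEXT_OBJ_MAGIC   0x4F424A00u  /* sentinel: intact while the neighbour is uncorrupted */

/* Stand-in for the UNICODE_STRING a user-mode caller hands to the IOCTL. */
typedef struct {
    uint16_t Length;          /* in bytes, attacker controlled, up to 0xFFFF */
    uint16_t MaximumLength;
    const WCHAR *Buffer;
} USTR;

typedef struct { uint8_t page[POOL_PAGE_SIZE]; } fake_pool_t;

static void pool_init(fake_pool_t *p)
{
    uint32_t magic = NEXT_OBJ_MAGIC;
    memset(p->page, 0, sizeof p->page);
    memcpy(p->page + NEXT_OBJ_OFF, &magic, sizeof magic);
}

static int neighbour_intact(const fake_pool_t *p)
{
    uint32_t magic;
    memcpy(&magic, p->page + NEXT_OBJ_OFF, sizeof magic);
    return magic == NEXT_OBJ_MAGIC;
}

/* Builds a constructed absolute path "\??\C:\AAAA..." of nchars UTF-16 code units. */
static USTR make_path(WCHAR *storage, size_t nchars)
{
    static const char prefix[] = "\\??\\C:\\";
    USTR s;
    for (size_t i = 0; i < nchars; i++)
        storage[i] = (WCHAR)(i < sizeof prefix - 1 ? prefix[i] : 'A');
    s.Length = (uint16_t)(nchars * sizeof(WCHAR));
    s.MaximumLength = s.Length;
    s.Buffer = storage;
    return s;
}

/* Vulnerable pattern: the caller-supplied Length is trusted. */
static int copy_path_vulnerable(fake_pool_t *p, const USTR *path)
{
    memcpy(p->page + PATH_CHUNK_OFF, path->Buffer, path->Length);  /* runs past the chunk */
    return 0;
}

/* Hardened pattern: validate before touching the pool, leave room for the terminator. */
static int copy_path_checked(fake_pool_t *p, const USTR *path)
{
    if (path->Length % sizeof(WCHAR) != 0)
        return -1;                                   /* odd byte count is not UTF-16 */
    if (path->Length > PATH_CHUNK_SIZE - sizeof(WCHAR))
        return -1;                                   /* would overflow: reject the request */
    memcpy(p->page + PATH_CHUNK_OFF, path->Buffer, path->Length);
    memset(p->page + PATH_CHUNK_OFF + path->Length, 0, sizeof(WCHAR));
    return 0;
}

/* Runs both handlers against an oversized path; returns 1 if only the
 * unchecked copy corrupts the neighbouring chunk. */
static int demonstrate(void)
{
    static WCHAR big[0x300];        /* 0x600 bytes, larger than the 0x400-byte chunk */
    USTR path = make_path(big, sizeof big / sizeof big[0]);
    fake_pool_t pool;
    int vuln_corrupted, checked_rejected, checked_intact;

    pool_init(&pool);
    copy_path_vulnerable(&pool, &path);
    vuln_corrupted = !neighbour_intact(&pool);

    pool_init(&pool);
    checked_rejected = copy_path_checked(&pool, &path) == -1;
    checked_intact = neighbour_intact(&pool);

    return vuln_corrupted && checked_rejected && checked_intact;
}

int main(void)
{
    printf("unchecked copy corrupts neighbour, checked copy rejects: %s\n",
           demonstrate() ? "yes" : "no");
    return 0;
}
```

The check has to run against the byte length the caller supplies, not against a string length derived from the data, and it has to run before any pool write: with a 16-bit Length the caller can ask for up to 64 KB, which is far beyond any fixed-length chunk.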

Disclosure Log
Vendor Contacted: 23/12/2015
Public Disclosure: 17/02/2016

References
Nettitude – Write-up (PDF)

 

All Rights R3v3rs3d