Wednesday, September 23, 2009

Advisory: Avast aswMon2.sys kernel memory corruption and Local Privilege Escalation.

---------------------------------------------------
Version Affected: Product: Avast antivirus 4.8.1351.0 (other versions could be affected)
Affected Component: aswMon2.sys 4.8.1351.0
Category: Local Denial of Service due to kernel memory corruption (BSOD)
(untested) Local Privilege Escalation

Discover Date: Sep 13, 2009
PoC Code: Sep 13, 2009
Vendor Notify: Sep 15, 2009
Vendor Reply: Sep 15, 2009

Description:
Avast's aswMon2.sys driver does not sanitize user-supplied input (IOCTL), and this leads to kernel memory corruption that surfaces on the system as a BSOD, with a potential risk of privilege escalation.

00010F70 cmp [ebp+arg_C], 288h ;InBuff Len no other checks performed
00010F77 jnz loc_111AC
00010F7D mov esi, [ebp+SourceString]
00010F80 cmp [esi], ebx
00010F82 mov [ebp+arg_C], ebx
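
Added example (not code from the advisory or from the driver): a user-mode C sketch contrasting the length-only test visible in the listing above with a handler that also validates the buffer's contents before use. The request layout, field names and flag mask are hypothetical; only the 0x288 size comes from the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REQ_LEN     0x288u   /* size compared at 00010F70 */
#define NAME_CHARS  320u     /* hypothetical: 640 bytes of UTF-16 text */
#define KNOWN_FLAGS 0x3u     /* hypothetical mask of defined flag bits */

/* Hypothetical request layout: 4 + 4 + 640 = 0x288 bytes. */
typedef struct {
    uint32_t flags;
    uint32_t name_bytes;     /* claimed length of name, in bytes */
    uint16_t name[NAME_CHARS];
} request_t;
_Static_assert(sizeof(request_t) == REQ_LEN, "layout must match REQ_LEN");

/* The only test the listing shows: input length equals 0x288. */
int length_only_check(size_t in_len) { return in_len == REQ_LEN; }

/* Length plus content validation. Returns 0 on success, negative on reject. */
int validate_request(const void *in, size_t in_len, request_t *out)
{
    if (in == NULL || out == NULL) return -1;
    if (in_len != REQ_LEN) return -2;
    /* Snapshot first so the checks and the later use see the same bytes. */
    memcpy(out, in, sizeof *out);
    if (out->flags & ~KNOWN_FLAGS) return -3;
    if (out->name_bytes % 2 != 0) return -4;
    /* Leave room for the terminator inside the fixed-size field. */
    if (out->name_bytes > sizeof out->name - sizeof out->name[0]) return -4;
    if (out->name[out->name_bytes / 2] != 0) return -5;
    return 0;
}

/* Constructed sample: right size, but the length field exceeds the buffer.
   Returns 1 when the length-only test accepts it and full validation rejects it. */
int demo(void)
{
    request_t bad, parsed;
    memset(&bad, 0x41, sizeof bad);
    bad.flags = 1;
    bad.name_bytes = 0x10000;
    return length_only_check(sizeof bad) &&
           validate_request(&bad, sizeof bad, &parsed) != 0;
}

int main(void) { return demo() ? 0 : 1; }
```
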


Credit:
Giuseppe 'Evilcry' Bonfa' (Project Manager, www.EvilFingers.com)
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org, http://evilcodecave.blogspot.com
http://evilcodecave.wordpress.com

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
---------------------------------------------------


- EF
