Friday, November 13, 2009

Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation

Advisory: Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation.

Version Affected: Product: Avast antivirus 4.8.1356.0 (other versions could be affected)
Vulnerable Component: aswRdr.sys 4.8.1356.0 (avast! TDI RDR Driver)
Category: Local Denial of Service due to kernel memory corruption (BSOD)
(untested) Local Privilege Escalation

PoC Code: porting C++ 26/09/2009
Vendor Notify: 26/09/2009
Vendor Reply: 15/09/2009
Vendor Fix: 15/10/2009

Vulnerability Details:
Avast's aswRdr.sys driver does not sanitize user-supplied IOCTL input. This leads to a kernel heap overflow that surfaces on the system as a BSOD and carries a potential risk of privilege escalation.
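
The kind of input validation described as missing above, as an added user-mode C model (not code from this advisory or from Avast): a dispatch-style handler that checks a caller-supplied length before copying into a fixed-size pool block. The request layout, `handle_ioctl`, `POOL_BLOCK_SIZE` and the status names are assumptions for illustration; the advisory does not describe the actual IOCTL format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and sizes: a user-mode model, not aswRdr.sys code. */
#define POOL_BLOCK_SIZE 64u               /* fixed-size pool allocation */
#define HEADER_SIZE     sizeof(uint32_t)  /* request starts with a length field */

enum status { ST_OK, ST_INVALID_PARAMETER, ST_BUFFER_TOO_SMALL, ST_BUFFER_OVERFLOW };

/* in / in_len model the IOCTL system buffer and its InputBufferLength.
   Assumed request layout: uint32_t data_len, then data_len payload bytes. */
enum status handle_ioctl(const uint8_t *in, size_t in_len,
                         uint8_t pool[POOL_BLOCK_SIZE], size_t *copied)
{
    uint32_t data_len;

    if (in == NULL || pool == NULL || copied == NULL)
        return ST_INVALID_PARAMETER;
    *copied = 0;

    /* 1. The buffer must be large enough to hold the header at all. */
    if (in_len < HEADER_SIZE)
        return ST_BUFFER_TOO_SMALL;
    memcpy(&data_len, in, HEADER_SIZE);   /* avoids unaligned access */

    /* 2. The claimed length must fit in the bytes actually supplied,
          otherwise the copy reads past the end of the input buffer. */
    if (data_len > in_len - HEADER_SIZE)
        return ST_INVALID_PARAMETER;

    /* 3. The claimed length must fit the destination. Without this check,
          a caller-chosen length overflows the pool block. */
    if (data_len > POOL_BLOCK_SIZE)
        return ST_BUFFER_OVERFLOW;

    memcpy(pool, in + HEADER_SIZE, data_len);
    *copied = data_len;
    return ST_OK;
}

int main(void)
{
    uint8_t pool[POOL_BLOCK_SIZE], in[HEADER_SIZE + 128] = {0};  /* constructed input */
    uint32_t len = 128;                   /* larger than the pool block */
    size_t copied;

    memcpy(in, &len, sizeof len);
    printf("oversized request -> status %d\n", handle_ioctl(in, sizeof in, pool, &copied));
    return 0;
}
```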

Giuseppe 'Evilcry' Bonfa' (Project Manager,
E-Mail: evilcry {AT} GMAIL {DOT} COM
Additional credit: AbdulAziz Hariri from

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.


- EF
