Vigil@nce: Avast, privilege elevation with aswMon2.sys
October 2009 by Vigil@nce
A local attacker can generate an overflow in the aswMon2.sys
driver installed by Avast, in order to stop the system, or to
execute privileged code.
– Severity: 2/4
– Consequences: administrator access/rights, denial of service of
computer
– Provenance: user shell
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: unique source (2/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 24/09/2009
IMPACTED PRODUCTS
– Avast antivirus
DESCRIPTION OF THE VULNERABILITY
Avast! Antivirus installs the aswMon2.sys driver to monitor
the system and to scan files on the fly.
The IOCTL 0xB2C80018 handler of aswMon2.sys does not check the size of
the data structure provided as input. An attacker can therefore supply
an oversized length to generate an overflow.
A local attacker can thus stop the system, or execute privileged
code.
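The defect class described above is a device-control handler that trusts the caller's buffer size and an embedded length field. The following is an added, user-mode illustration of the validation such a handler needs; it is not Avast's code, and the request layout (scan_request_t, its path_len field and the status codes) is an assumption made for the example. Only the IOCTL code comes from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IOCTL code named in the advisory. The request layout below is a
 * hypothetical one for illustration, not the driver's real structure. */
#define IOCTL_ASW_SCAN 0xB2C80018u
#define REQ_PATH_MAX   64u

typedef struct {
    uint32_t path_len;            /* caller-supplied byte count of path[] */
    char     path[REQ_PATH_MAX];  /* not necessarily NUL-terminated */
} scan_request_t;

typedef enum {
    ST_SUCCESS = 0,
    ST_INVALID_DEVICE_REQUEST = 1,  /* unknown IOCTL code */
    ST_BUFFER_TOO_SMALL = 2,        /* input shorter than the fixed structure */
    ST_INVALID_PARAMETER = 3        /* embedded length inconsistent with buffers */
} status_t;

/* Validate every caller-controlled size before touching the payload. */
static status_t handle_scan(const void *inbuf, size_t inlen,
                            char *out, size_t outlen, size_t *copied)
{
    scan_request_t req;
    *copied = 0;

    /* 1. The whole fixed structure must be present: this is the check
     *    the advisory says the vulnerable handler lacks. */
    if (inbuf == NULL || inlen < sizeof(scan_request_t))
        return ST_BUFFER_TOO_SMALL;

    /* Work on a private copy so each field is read exactly once; the
     * caller's buffer could otherwise change between check and use. */
    memcpy(&req, inbuf, sizeof req);

    /* 2. The embedded length must fit the structure and the output. The
     *    first test guards the addition below against wraparound. */
    if (req.path_len > REQ_PATH_MAX || req.path_len + 1 > outlen)
        return ST_INVALID_PARAMETER;

    memcpy(out, req.path, req.path_len);
    out[req.path_len] = '\0';
    *copied = req.path_len;
    return ST_SUCCESS;
}

/* Dispatch in the style of an IRP_MJ_DEVICE_CONTROL routine. */
status_t dispatch_ioctl(uint32_t code, const void *inbuf, size_t inlen,
                        char *out, size_t outlen, size_t *copied)
{
    switch (code) {
    case IOCTL_ASW_SCAN:
        return handle_scan(inbuf, inlen, out, outlen, copied);
    default:
        *copied = 0;
        return ST_INVALID_DEVICE_REQUEST;
    }
}

/* Constructed request (not captured traffic) exercising one scenario:
 * the caller claims `inlen` input bytes and `path_len` path bytes. */
status_t demo_case(uint32_t code, size_t inlen, uint32_t path_len, size_t outlen)
{
    scan_request_t r;
    char out[128];
    size_t copied;
    memset(&r, 0, sizeof r);
    r.path_len = path_len;
    memcpy(r.path, "C:\\Temp\\sample.txt", 18);
    return dispatch_ioctl(code, &r, inlen, out, outlen > sizeof out ? sizeof out : outlen, &copied);
}

/* Bytes accepted for the well-formed request. */
size_t demo_copied_len(void)
{
    scan_request_t r;
    char out[128];
    size_t copied;
    memset(&r, 0, sizeof r);
    r.path_len = 18;
    memcpy(r.path, "C:\\Temp\\sample.txt", 18);
    dispatch_ioctl(IOCTL_ASW_SCAN, &r, sizeof r, out, sizeof out, &copied);
    return copied;
}

int main(void)
{
    printf("well-formed:        %d\n", demo_case(IOCTL_ASW_SCAN, sizeof(scan_request_t), 18, 128));
    printf("short input:        %d\n", demo_case(IOCTL_ASW_SCAN, 4, 18, 128));
    printf("oversized path_len: %d\n", demo_case(IOCTL_ASW_SCAN, sizeof(scan_request_t), 1000, 128));
    printf("output too small:   %d\n", demo_case(IOCTL_ASW_SCAN, sizeof(scan_request_t), 64, 32));
    return 0;
}
```

The two checks are the whole point: the fixed-size check rejects a request shorter than the structure, and the embedded-length check rejects a length that does not fit the buffers actually provided. In a real driver the same comparisons are made against the lengths the I/O manager reports for the IRP rather than a user-mode size argument.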
CHARACTERISTICS
– Identifiers: BID-36507, VIGILANCE-VUL-9047
– URL: http://vigilance.fr/vulnerability/Avast-privilege-elevation-with-aswMon2-sys-9047