Avast Server Edition OOB Write Vulnerability

vendor:

Server Edition

by:

Google Security Research

9,8

CVSS

HIGH

Out-of-Bounds Write

787

CWE

Product Name: Server Edition

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2015

Avast Server Edition OOB Write Vulnerability

Avast Server Edition is vulnerable to an Out-of-Bounds Write vulnerability due to a lack of proper validation of user-supplied data. This vulnerability can be exploited by an attacker to execute arbitrary code on the vulnerable system. The vulnerability exists in the EmulatePolyCode() function of the engine.so library, which is used to process packed executables. The function does not properly validate user-supplied data, which can lead to an Out-of-Bounds Write. A proof-of-concept exploit is available.

Mitigation:

Upgrade to the latest version of Avast Server Edition.

Source

Exploit-DB raw data:

Source: https://code.google.com/p/google-security-research/issues/detail?id=554

The attached PEncrypt packed executable causes an OOB write on Avast Server Edition. 

(gdb) bt
#0  0xf6f5e64a in EmulatePolyCode(_POLY_INFO*, int) () from /proc/self/cwd/defs/15092301/engine.so
#1  0xf6f7d334 in pencryptMaybeUnpack(CFMap&, _PEEXE_INFO*, asw::root::CGenericFile*, _EXE_UNPACK_INFO*) () from /proc/self/cwd/defs/15092301/engine.so
#2  0xf6f75805 in CPackWinExec::packIsPacked(CFMap&, void**, ARCHIVE_UNPACKING_INFO*) () from /proc/self/cwd/defs/15092301/engine.so
#3  0xf6e8d1a2 in CAllPackers::IsPacked(CFMap&, _SARCHIVERANGE*, unsigned int, unsigned int, unsigned int, unsigned int, CObjectName const*, unsigned int*, unsigned int*, _PEEXE_INFO**) () from /proc/self/cwd/defs/15092301/engine.so
#4  0xf6e784ef in CScanInfo::ProcessPackingReal(CObjectName&, CFMap&, _VIRUSDATAARRAY*, int&, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#5  0xf6e78bdd in CScanInfo::ProcessPacking(CObjectName&, unsigned int, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#6  0xf6e74fbd in CScanInfo::ProcessArea(CObjectName&, unsigned int, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#7  0xf6e752af in CScanInfo::ProcessTopArea(CObjectName&, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#8  0xf6e7d6db in avfilesScanRealMulti () from /proc/self/cwd/defs/15092301/engine.so
#9  0xf6e81915 in avfilesScanReal () from /proc/self/cwd/defs/15092301/engine.so
#10 0x0805d2a5 in avfilesScanReal ()
#11 0x0805498c in engine_scan ()
(gdb) x/i $pc
=> 0xf6f5e64a <_Z15EmulatePolyCodeP10_POLY_INFOi+7194>:	mov    WORD PTR [edx],ax
(gdb) p/x $edx
$7 = 0xe73f181f
(gdb) p/x $ax
$8 = 0x1060

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38931.zip