1.Description:

The avipbb.sys kernel driver distributed with Avira Premium Security Suite
contains a race condition vulnerability in the handling paramaters of
NtCreatekey function.
Exploitation of this issue allows an attacker to crash system(make infamous
BSoD) or gain escalated priviligies.
An attacker would need local access to a vulnerable computer to exploit this
vulnerability.


Affected application: Avira Premium Security Suite, up to date version
10.0.0.565.
Affected file: avipbb.sys version 10.0.8.11.

2.Crash dump info:
kd> !analyze -v
*******************************************************************************
*
*
*                        Bugcheck
Analysis                                    *
*
*
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by
try-except,
it must be protected by a Probe.  Typically the address is just plain bad or
it
is pointing at freed memory.
Arguments:
Arg1: 90909090, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80536c53, If non-zero, the instruction address which referenced the
bad memory
    address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS:  90909090

FAULTING_IP:
nt!memmove+33
80536c53 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  hookfuzz.exe

TRAP_FRAME:  f0711bec -- (.trap 0xfffffffff0711bec)
ErrCode = 00000000
eax=9090912a ebx=e1297088 ecx=00000026 edx=00000002 esi=90909090
edi=e1297088
eip=80536c53 esp=f0711c60 ebp=f0711c68 iopl=0         nv up ei pl nz ac pe
nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000
efl=00010216
nt!memmove+0x33:
80536c53 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER:  from 804f7b9d to 80527bdc

STACK_TEXT:
f0711728 804f7b9d 00000003 90909090 00000000
nt!RtlpBreakWithStatusInstruction
f0711774 804f878a 00000003 00000000 c0484848 nt!KiBugCheckDebugBreak+0x19
f0711b54 804f8cb5 00000050 90909090 00000000 nt!KeBugCheck2+0x574
f0711b74 8051cc4f 00000050 90909090 00000000 nt!KeBugCheckEx+0x1b
f0711bd4 8054051c 00000000 90909090 00000000 nt!MmAccessFault+0x8e7
f0711bd4 80536c53 00000000 90909090 00000000 nt!KiTrap0E+0xcc
f0711c68 80528107 e1297088 90909090 0000009a nt!memmove+0x33
f0711c88 f105f0c7 e1297078 0000009a 01762aec
nt!RtlAppendUnicodeStringToString+0x45
WARNING: Stack unwind information not available. Following frames may be
wrong.
f0711cd8 f105f4d3 00000000 0012fea0 f0711d08 avipbb+0x80c7
f0711d40 8053d638 0012fea8 00020019 0012feb0 avipbb+0x84d3
f0711d40 7c90e4f4 0012fea8 00020019 0012feb0 nt!KiFastCallEntry+0xf8
0012fe60 7c90d0dc 00401100 0012fea8 00020019 ntdll!KiFastSystemCallRet
0012fe64 00401100 0012fea8 00020019 0012feb0 ntdll!ZwCreateKey+0xc
0012ff70 0040158f 00000001 00342e28 00342e58 hookfuzz!wmain+0x100
0012ffc0 7c817067 bc27f626 01cb7b6b 7ffdf000
hookfuzz!__tmainCRTStartup+0x15e
0012fff0 00000000 004015e6 00000000 78746341 kernel32!BaseProcessStart+0x23


STACK_COMMAND:  kb

FOLLOWUP_IP:
avipbb+80c7
f105f0c7 3bc6            cmp     eax,esi

SYMBOL_STACK_INDEX:  8

SYMBOL_NAME:  avipbb+80c7

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: avipbb

IMAGE_NAME:  avipbb.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4bfe7d8e

FAILURE_BUCKET_ID:  0x50_avipbb+80c7

BUCKET_ID:  0x50_avipbb+80c7

Followup: MachineOwner
---------

3.Proof of concept is in poc.zip file.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15407.zip (poc.zip)