1. Description:

The avipbb.sys kernel driver distributed with Avira Premium Security Suite
contains a race condition vulnerability in the handling of the parameters of
the NtCreateKey function.

Exploitation of this issue allows an attacker to crash the system (the
infamous BSoD) or gain escalated privileges.

An attacker would need local access to a vulnerable computer to exploit this
vulnerability.

Affected application: Avira Premium Security Suite, up to date version
10.0.0.565.
Affected file: avipbb.sys version 10.0.8.11.

2. Crash dump info:

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 90909090, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80536c53, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

READ_ADDRESS: 90909090

FAULTING_IP:
nt!memmove+33
80536c53 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: hookfuzz.exe

TRAP_FRAME: f0711bec -- (.trap 0xfffffffff0711bec)
ErrCode = 00000000
eax=9090912a ebx=e1297088 ecx=00000026 edx=00000002 esi=90909090 edi=e1297088
eip=80536c53 esp=f0711c60 ebp=f0711c68 iopl=0 nv up ei pl nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010216
nt!memmove+0x33:
80536c53 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 804f7b9d to 80527bdc

STACK_TEXT:
f0711728 804f7b9d 00000003 90909090 00000000 nt!RtlpBreakWithStatusInstruction
f0711774 804f878a 00000003 00000000 c0484848 nt!KiBugCheckDebugBreak+0x19
f0711b54 804f8cb5 00000050 90909090 00000000 nt!KeBugCheck2+0x574
f0711b74 8051cc4f 00000050 90909090 00000000 nt!KeBugCheckEx+0x1b
f0711bd4 8054051c 00000000 90909090 00000000 nt!MmAccessFault+0x8e7
f0711bd4 80536c53 00000000 90909090 00000000 nt!KiTrap0E+0xcc
f0711c68 80528107 e1297088 90909090 0000009a nt!memmove+0x33
f0711c88 f105f0c7 e1297078 0000009a 01762aec nt!RtlAppendUnicodeStringToString+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
f0711cd8 f105f4d3 00000000 0012fea0 f0711d08 avipbb+0x80c7
f0711d40 8053d638 0012fea8 00020019 0012feb0 avipbb+0x84d3
f0711d40 7c90e4f4 0012fea8 00020019 0012feb0 nt!KiFastCallEntry+0xf8
0012fe60 7c90d0dc 00401100 0012fea8 00020019 ntdll!KiFastSystemCallRet
0012fe64 00401100 0012fea8 00020019 0012feb0 ntdll!ZwCreateKey+0xc
0012ff70 0040158f 00000001 00342e28 00342e58 hookfuzz!wmain+0x100
0012ffc0 7c817067 bc27f626 01cb7b6b 7ffdf000 hookfuzz!__tmainCRTStartup+0x15e
0012fff0 00000000 004015e6 00000000 78746341 kernel32!BaseProcessStart+0x23

STACK_COMMAND: kb

FOLLOWUP_IP:
avipbb+80c7
f105f0c7 3bc6 cmp eax,esi

SYMBOL_STACK_INDEX: 8

SYMBOL_NAME: avipbb+80c7

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: avipbb

IMAGE_NAME: avipbb.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4bfe7d8e

FAILURE_BUCKET_ID: 0x50_avipbb+80c7

BUCKET_ID: 0x50_avipbb+80c7

Followup: MachineOwner
---------

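The advisory does not describe the mechanism beyond "race condition in the handling of parameters", and the dump shows nt!memmove faulting on esi=90909090 inside RtlAppendUnicodeStringToString called from avipbb, i.e. the driver handed a string copy a source pointer it had not validated at the moment of use. The following is an added example, not code from the advisory or from Avira, illustrating the general bug class that description fits: a kernel hook that reads a caller-supplied structure (the UNICODE_STRING inside the OBJECT_ATTRIBUTES a ZwCreateKey caller passes) once to check it and again to use it, beside the capture-once pattern that closes the window. Everything in it is constructed and simulated in portable user-mode C: the sim_unicode_string type, the racing_writer callback standing in for a concurrent thread that rewrites the structure during the window, and simulated_copy, which records what a memmove would have been asked to do instead of performing it, so the demo stays memory-safe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the UNICODE_STRING a ZwCreateKey caller passes in its
   OBJECT_ATTRIBUTES; in a real hook this structure lives in user memory. */
typedef struct {
    uint16_t Length;         /* bytes in use */
    uint16_t MaximumLength;  /* bytes allocated */
    uint16_t *Buffer;        /* pointer owned by the caller */
} sim_unicode_string;

#define KBUF_BYTES 64u  /* the hook's fixed kernel-side scratch buffer (assumed size) */

/* Stands in for a second user thread rewriting the structure during the window
   between the hook's check and its use. Invoked deterministically here. */
typedef void (*race_hook_fn)(sim_unicode_string *user_str);

/* What the copy primitive (RtlAppendUnicodeStringToString -> memmove in the dump)
   was handed. Recorded rather than executed so the demo never writes out of bounds. */
typedef struct {
    int accepted;          /* 1 if the hook decided to copy */
    size_t bytes_used;     /* Length given to the copy */
    const void *src_used;  /* Buffer given to the copy */
    int overflow;          /* bytes_used exceeds KBUF_BYTES */
} copy_result;

static copy_result simulated_copy(const void *src, size_t bytes) {
    copy_result r = { 1, bytes, src, bytes > KBUF_BYTES };
    return r;
}

/* Vulnerable pattern (double fetch): the check reads user memory, then the use
   reads user memory again, so the two reads can disagree. */
static copy_result hook_vulnerable(sim_unicode_string *user_str, race_hook_fn race) {
    copy_result rejected = { 0, 0, NULL, 0 };
    if (user_str->Length > KBUF_BYTES)   /* first fetch: the check */
        return rejected;
    if (race) race(user_str);            /* the window a racing thread targets */
    /* second fetch: Length and Buffer are no longer what was checked */
    return simulated_copy(user_str->Buffer, user_str->Length);
}

/* Hardened pattern: capture the structure into kernel memory once, then validate
   and use only the captured copy. A real driver does the capture under
   ProbeForRead/__try and probes the captured Buffer range as well. */
static copy_result hook_hardened(sim_unicode_string *user_str, race_hook_fn race) {
    copy_result rejected = { 0, 0, NULL, 0 };
    sim_unicode_string captured;
    memcpy(&captured, user_str, sizeof captured);   /* single fetch */
    if (race) race(user_str);                        /* same window, no effect now */
    if (captured.Buffer == NULL || captured.Length > KBUF_BYTES)
        return rejected;
    return simulated_copy(captured.Buffer, captured.Length);
}

/* Constructed racing thread: swaps in a bogus pointer and an oversized length. */
static uint16_t bogus_marker[1];
static void racing_writer(sim_unicode_string *user_str) {
    user_str->Buffer = bogus_marker;
    user_str->Length = 512;  /* larger than KBUF_BYTES */
}

/* Constructed legitimate key name: 8 UTF-16 code units = 16 bytes. */
static uint16_t legit_name[8] = { 'S', 'O', 'F', 'T', 'W', 'A', 'R', 'E' };
static sim_unicode_string make_legit(void) {
    sim_unicode_string s = { 16, 16, legit_name };
    return s;
}

/* Entry points returning 1 when the scenario behaves as described. */
int vulnerable_copies_unchecked_values(void) {
    sim_unicode_string u = make_legit();
    copy_result r = hook_vulnerable(&u, racing_writer);
    return r.accepted && r.overflow && r.src_used == bogus_marker;
}
int hardened_ignores_race(void) {
    sim_unicode_string u = make_legit();
    copy_result r = hook_hardened(&u, racing_writer);
    return r.accepted && !r.overflow && r.src_used == legit_name && r.bytes_used == 16;
}
int no_race_both_accept(void) {
    sim_unicode_string a = make_legit(), b = make_legit();
    copy_result v = hook_vulnerable(&a, NULL), h = hook_hardened(&b, NULL);
    return v.accepted && !v.overflow && h.accepted && !h.overflow;
}

int main(void) {
    printf("double fetch copies attacker-controlled values: %d\n", vulnerable_copies_unchecked_values());
    printf("capture-once hook unaffected by the race:       %d\n", hardened_ignores_race());
    printf("both hooks accept an unraced caller:            %d\n", no_race_both_accept());
    return 0;
}
```

The detection angle is the same as the dump's own: a hook that reaches a string-copy primitive with a source pointer taken from user memory after the validation step will, under a fuzzer like the hookfuzz.exe process named above, surface as bugcheck 0x50 with the faulting read inside memmove; the hardened variant cannot reach that state because nothing after the capture re-reads the caller's structure.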
3. Proof of concept is in poc.zip file.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15407.zip (poc.zip)