===========================================================================
             AUSCERT External Security Bulletin Redistribution

   ESB-2007.0534 -- [Win] Grisoft AVG Anti-Virus local privilege exploit
                              18 July 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:            Grisoft AVG Anti-Virus
                    Grisoft AVG Anti-Virus Free Edition
Publisher:          NGSSoftware
Operating System:   Windows
Impact:             Administrator Compromise
Access:             Existing Account
CVE Names:          CVE-2007-3777

Original Bulletin:
  http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-avg-antivirus/

--------------------------BEGIN INCLUDED TEXT--------------------

=======
Summary
=======

Name:              Arbitrary kernel mode memory writes in AVG Antivirus
Release Date:      10 July 2007
Reference:         NGS00500
Discover:          Jonathan Lindsay <john-lindsay ngssoftware com>
Vendor:            Grisoft
Vendor Reference:  N/A
Systems Affected:  Windows NT based systems
Risk:              High
Status:            Fixed

========
TimeLine
========

Discovered:   13 April 2007
Released:     13 April 2007
Approved:     22 May 2007
Reported:     13 April 2007
Fixed:        9 July 2007
Published:    10 July 2007

===========
Description
===========

The AVG Antivirus core kernel mode service driver (avg7core.sys) provides
functionality that under a default install allows an unprivileged user to
write arbitrary data to arbitrary addresses. This service provides the core
detection (and probably disinfection) for the product. This issue has been
verified as affecting AVG Free 7.5.446 and AVG Antivirus 7.5.448. The
version of avg7core.sys in question is 7.5.0.444. The driver supports two
IOCTLs in its generic DeviceIoControl handler.
One of these IOCTLs (0x5348E004) is used to get the core driver to perform
privileged functions on behalf of the user mode component; 52 different
functions are supported, and one of these is designed to copy arbitrary data
from addresses taken unchecked from the user mode application. As the kernel
mode service is started upon system start (as it is necessary for on-access
scanning), and it is accessible as read/write to Everyone, any user can then
use this functionality to overwrite arbitrary kernel code or data.

=================
Technical Details
=================

The AVG Antivirus core kernel mode service driver (avg7core.sys) provides
functionality that under a default install allows an unprivileged user to
write arbitrary data to arbitrary addresses. This service provides the core
detection (and probably disinfection) for the product. This issue has been
verified as affecting AVG Free 7.5.446 and AVG Antivirus 7.5.448. The
version of avg7core.sys in question is 7.5.0.444. The driver supports two
IOCTLs in its generic DeviceIoControl handler. One of these IOCTLs
(0x5348E004) is used to get the core driver to perform privileged functions
on behalf of the user mode component; 52 different functions are supported,
and one of these is designed to copy arbitrary data from addresses taken
unchecked from the user mode application. As the kernel mode service is
started upon system start (as it is necessary for on-access scanning), and
it is accessible as read/write to Everyone, any user can then use this
functionality to overwrite arbitrary kernel code or data.

The internal function in question is the fifth in the internal switch table
and therefore referenced with an index of four. Internal to this function, a
parameter specifies the type of copy to be performed. Using a value of five
will cause a segment of one buffer to be copied to an arbitrary address.
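The following is an added illustration of the bug class, not code from the advisory or from AVG: a user-mode model of an IOCTL dispatcher that bounds the function index but trusts the pointers in the request (the vulnerable shape), beside a checked version that probes every user-supplied range before the subfunction runs and answers the copy type the PoC used with STATUS_NOT_IMPLEMENTED, as the advisory's fix section describes. The request struct, the field names and the two 64-byte arrays standing in for kernel and user memory are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical model of the bug class, not AVG's code: the avg7core.sys request layout
 * is not public, so this struct and the two 64-byte "memory regions" are assumptions. */
#define NUM_PRIV_FUNCS           52u
#define STATUS_SUCCESS           0x00000000u
#define STATUS_NOT_IMPLEMENTED   0xC0000002u
#define STATUS_INVALID_PARAMETER 0xC000000Du
typedef struct {
    uint32_t func_index;  /* one of the 52 privileged subfunctions; 4 = copy */
    uint32_t copy_mode;   /* 5 = "copy a segment to an arbitrary address" */
    uint8_t *dst;         /* pointers taken straight from the user-mode buffer */
    const uint8_t *src;
    size_t len;
} core_request_t;
uint8_t kernel_region[64];  /* stands in for kernel code/data */
uint8_t user_region[64];    /* stands in for the caller's own memory */
/* Plays the role of ProbeForRead/ProbeForWrite: the whole range must be user memory. */
static int in_user_range(const void *p, size_t len) {
    const uint8_t *b = p;
    return len <= sizeof user_region && b >= user_region &&
           b <= user_region + sizeof user_region - len;
}
/* Vulnerable shape: the index is bounded, but every pointer is trusted. */
uint32_t dispatch_unchecked(core_request_t r) {
    if (r.func_index >= NUM_PRIV_FUNCS) return STATUS_INVALID_PARAMETER;
    if (r.func_index != 4) return STATUS_NOT_IMPLEMENTED;  /* others not modelled */
    memcpy(r.dst, r.src, r.len);                           /* dst may be kernel */
    return STATUS_SUCCESS;
}

/* Fixed shape, following the advisory's description of the vendor fix: validate the
 * buffer against its use first, and answer the PoC's copy type with NOT_IMPLEMENTED. */
uint32_t dispatch_checked(core_request_t r) {
    if (r.func_index >= NUM_PRIV_FUNCS) return STATUS_INVALID_PARAMETER;
    if (r.func_index != 4 || r.copy_mode == 5) return STATUS_NOT_IMPLEMENTED;
    if (!in_user_range(r.src, r.len) || !in_user_range(r.dst, r.len))
        return STATUS_INVALID_PARAMETER;
    memcpy(r.dst, r.src, r.len);
    return STATUS_SUCCESS;
}

/* Helpers: build the request shape the advisory describes (index 4, 8-byte copy from
 * user_region), and reset both regions (user bytes 0x41, kernel bytes zero). */
core_request_t make_request(uint32_t copy_mode, int dst_in_kernel) {
    uint8_t *d = dst_in_kernel ? kernel_region : user_region + 8;
    core_request_t r = { 4, copy_mode, d, user_region, 8 };
    return r;
}
void reset_regions(void) { memset(user_region, 0x41, 64); memset(kernel_region, 0, 64); }
```

With the unchecked dispatcher the constructed request lands eight bytes in the simulated kernel region; the checked one never reaches the copy, and a kernel destination with any other copy type fails the range probe.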
The data structures involved are convoluted, and are unlikely to be
discovered by a brute-force attempt to attack the service (such as using a
fuzzer); additionally, although a lot of pointers are taken unvalidated from
a user mode buffer, the entire dispatch processing function is wrapped in a
try/catch block.

===============
Fix Information
===============

For the request in this case, the buffer contents are validated with respect
to their usage before being passed on to the subfunction that implements 52
privileged functions. The particular case used in the POC code results in
STATUS_NOT_IMPLEMENTED being returned, before the IRP being completed.

This fix has been implemented in AVG 7.5 build 476, core service version
7.5.0.476.

The updated versions of AVG Antivirus can be downloaded from:

  http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=aff
  http://www.grisoft.com/doc/31/us/crp/0?prd=avw

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

  http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

  http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================