1.Description:
The avipbb.sys kernel driver distributed with Avira Premium Security Suite contains a race condition in the way its NtCreateKey hook handles the call's parameters: the hook validates the user-supplied key name and then uses it while the calling process is still free to modify it. In the crash dump below the hook (avipbb+0x80c7) hands a UNICODE_STRING whose Buffer pointer is 0x90909090, a value chosen by the calling process (hookfuzz.exe), to RtlAppendUnicodeStringToString, which faults in nt!memmove while reading from that address. Exploitation of this issue allows an attacker to crash the system (the infamous BSoD) or to gain escalated privileges. An attacker needs local access to a vulnerable computer to exploit this vulnerability.
Affected application: Avira Premium Security Suite, up to and including the current version at the time of writing, 10.0.0.565. Affected file: avipbb.sys version 10.0.8.11.
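The following is an added, user-mode C model of the parameter race described above; it is not code from the advisory, from the poc.zip, or from Avira. The actual structure of the avipbb.sys hook is not known from this page, so the model assumes the classic double-fetch shape that the crash dump is consistent with: a hook probes the OBJECT_ATTRIBUTES and key-name UNICODE_STRING it receives from user mode, then re-reads the Buffer pointer from user memory for the copy. The simulated arena and probe_for_read() stand in for user address space and ProbeForRead, the racing thread is modelled as a deterministic callback fired in the check-to-use window, the structure layouts are simplified, and only the 0x90909090 pointer value is taken from the dump. A hardened variant that captures the structures once into kernel-owned copies is shown beside it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified stand-ins for the Windows structures an NtCreateKey hook
 * reads from user memory (WCHAR as uint16_t, Length in bytes). */
typedef uint16_t WCHAR;
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
typedef struct { UNICODE_STRING *ObjectName; } OBJECT_ATTRIBUTES;

/* Simulated user address space.  Like ProbeForRead, the probe only accepts
 * ranges inside this arena; 0x90909090 from the dump lies outside it. */
#define ARENA_SIZE 4096
static union { unsigned char bytes[ARENA_SIZE]; void *align; } g_arena;

static int probe_for_read(const void *p, size_t len)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)g_arena.bytes, hi = lo + ARENA_SIZE;
    return a >= lo && a <= hi && len <= hi - a;
}
enum { HOOK_OK = 0, HOOK_INVALID_PARAM = 1, HOOK_WOULD_FAULT = 2, HOOK_WRONG_DATA = 3 };
#define NAME_MAX 64                 /* WCHARs the hook is willing to copy */
/* The racing thread, modelled deterministically: the hook invokes it in the
 * window between validating the user structure and using it. */
typedef void (*race_fn)(OBJECT_ATTRIBUTES *oa);

/* VULNERABLE pattern: probe through the user pointers, then re-read Buffer and
 * Length from user memory for the copy (the double fetch).  Whatever the other
 * thread wrote in between is what reaches the copy routine. */
static int hook_vulnerable(OBJECT_ATTRIBUTES *oa, race_fn race, WCHAR *out)
{
    if (!probe_for_read(oa, sizeof *oa) ||
        !probe_for_read(oa->ObjectName, sizeof *oa->ObjectName) ||
        !probe_for_read(oa->ObjectName->Buffer, oa->ObjectName->Length) ||
        oa->ObjectName->Length > NAME_MAX * sizeof(WCHAR))
        return HOOK_INVALID_PARAM;
    if (race) race(oa);                          /* attacker wins the race here */
    const WCHAR *src = oa->ObjectName->Buffer;   /* second fetch of Buffer */
    uint16_t len = oa->ObjectName->Length;       /* second fetch of Length */
    if (!probe_for_read(src, len))   /* the kernel has no check here; it faults in memmove */
        return HOOK_WOULD_FAULT;
    memcpy(out, src, len);
    return HOOK_OK;
}

/* HARDENED pattern: capture each user structure into kernel-owned storage once,
 * validate the copies, never read user memory again (a real driver also wraps
 * the captures in __try/__except, since user pages can vanish at any time). */
static int hook_hardened(OBJECT_ATTRIBUTES *oa, race_fn race, WCHAR *out)
{
    OBJECT_ATTRIBUTES k_oa;
    UNICODE_STRING k_name;
    WCHAR k_buf[NAME_MAX];
    if (!probe_for_read(oa, sizeof *oa)) return HOOK_INVALID_PARAM;
    k_oa = *oa;                                  /* single fetch */
    if (!probe_for_read(k_oa.ObjectName, sizeof k_name)) return HOOK_INVALID_PARAM;
    k_name = *k_oa.ObjectName;                   /* single fetch */
    if (k_name.Length > sizeof k_buf || !probe_for_read(k_name.Buffer, k_name.Length))
        return HOOK_INVALID_PARAM;
    memcpy(k_buf, k_name.Buffer, k_name.Length); /* single fetch of the bytes */
    if (race) race(oa);            /* too late: only the captured copies are used below */
    memcpy(out, k_buf, k_name.Length);
    return HOOK_OK;
}

/* Constructed request: a benign key path laid out in the user arena. */
static const char k_key[] = "\\Registry\\User\\SomeKey";
static OBJECT_ATTRIBUTES *setup_user_request(void)
{
    OBJECT_ATTRIBUTES *oa = (OBJECT_ATTRIBUTES *)g_arena.bytes;
    UNICODE_STRING *name = (UNICODE_STRING *)(g_arena.bytes + 64);
    WCHAR *buf = (WCHAR *)(g_arena.bytes + 128);
    size_t i;
    for (i = 0; k_key[i]; i++) buf[i] = (WCHAR)k_key[i];
    name->Length = name->MaximumLength = (uint16_t)(i * sizeof(WCHAR));
    name->Buffer = buf;
    oa->ObjectName = name;
    return oa;
}
/* The racing thread's write: swap Buffer to the address seen in the dump. */
static void swap_buffer_to_bad_pointer(OBJECT_ATTRIBUTES *oa)
{
    oa->ObjectName->Buffer = (WCHAR *)(uintptr_t)0x90909090u;
}
/* Run one hook variant against a fresh request.  Returns the HOOK_* status, or
 * HOOK_WRONG_DATA if the hook reported success but copied the wrong bytes. */
static int run_hook(int hardened, int with_race)
{
    WCHAR out[NAME_MAX];
    OBJECT_ATTRIBUTES *oa = setup_user_request();
    race_fn r = with_race ? swap_buffer_to_bad_pointer : NULL;
    int st = hardened ? hook_hardened(oa, r, out) : hook_vulnerable(oa, r, out);
    if (st == HOOK_OK && memcmp(out, g_arena.bytes + 128, oa->ObjectName->Length) != 0)
        return HOOK_WRONG_DATA;
    return st;
}
int main(void)
{
    printf("vulnerable, no race: %d\nvulnerable, raced: %d (real kernel: BSoD in nt!memmove)\n"
           "hardened, raced: %d\n", run_hook(0, 0), run_hook(0, 1), run_hook(1, 1));
    return 0;
}
```

The status values make the point of the model explicit: the vulnerable hook passes every probe and still ends up copying from the swapped-in pointer, which in a real kernel is the 0x50 bugcheck in the dump, whereas the hardened hook is unaffected because after its single capture nothing is read through the user pointers again. A real PoC would use two threads and win the race only statistically; the deterministic callback removes that noise so the two code paths can be compared directly.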
2.Crash dump info:

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 90909090, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80536c53, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
READ_ADDRESS: 90909090
FAULTING_IP: 
nt!memmove+33
80536c53 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: hookfuzz.exe
TRAP_FRAME:  f0711bec -- (.trap 0xfffffffff0711bec)
ErrCode = 00000000
eax=9090912a ebx=e1297088 ecx=00000026 edx=00000002 esi=90909090 edi=e1297088
eip=80536c53 esp=f0711c60 ebp=f0711c68 iopl=0         nv up ei pl nz ac pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010216
nt!memmove+0x33:
80536c53 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope
LAST_CONTROL_TRANSFER: from 804f7b9d to 80527bdc
STACK_TEXT:  
f0711728 804f7b9d 00000003 90909090 00000000 nt!RtlpBreakWithStatusInstruction
f0711774 804f878a 00000003 00000000 c0484848 nt!KiBugCheckDebugBreak+0x19
f0711b54 804f8cb5 00000050 90909090 00000000 nt!KeBugCheck2+0x574
f0711b74 8051cc4f 00000050 90909090 00000000 nt!KeBugCheckEx+0x1b
f0711bd4 8054051c 00000000 90909090 00000000 nt!MmAccessFault+0x8e7
f0711bd4 80536c53 00000000 90909090 00000000 nt!KiTrap0E+0xcc
f0711c68 80528107 e1297088 90909090 0000009a nt!memmove+0x33
f0711c88 f105f0c7 e1297078 0000009a 01762aec nt!RtlAppendUnicodeStringToString+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
f0711cd8 f105f4d3 00000000 0012fea0 f0711d08 avipbb+0x80c7
f0711d40 8053d638 0012fea8 00020019 0012feb0 avipbb+0x84d3
f0711d40 7c90e4f4 0012fea8 00020019 0012feb0 nt!KiFastCallEntry+0xf8
0012fe60 7c90d0dc 00401100 0012fea8 00020019 ntdll!KiFastSystemCallRet
0012fe64 00401100 0012fea8 00020019 0012feb0 ntdll!ZwCreateKey+0xc
0012ff70 0040158f 00000001 00342e28 00342e58 hookfuzz!wmain+0x100
0012ffc0 7c817067 bc27f626 01cb7b6b 7ffdf000 hookfuzz!__tmainCRTStartup+0x15e
0012fff0 00000000 004015e6 00000000 78746341 kernel32!BaseProcessStart+0x23
STACK_COMMAND: kb
FOLLOWUP_IP: 
avipbb+80c7
f105f0c7 3bc6            cmp     eax,esi
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: avipbb+80c7
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: avipbb
IMAGE_NAME: avipbb.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4bfe7d8e
FAILURE_BUCKET_ID: 0x50_avipbb+80c7
BUCKET_ID: 0x50_avipbb+80c7
Followup: MachineOwner
---------
3.Proof of concept is in the poc.zip file.
http://www.exploit-db.com/sploits/poc.zip