For background, the Windows SDK documentation describes the IOCTL interface as follows. The DeviceIoControl function provides a device input and output control (IOCTL) interface through which an application can communicate directly with a device driver. The DeviceIoControl function is a general-purpose interface that can send control codes to a variety of devices. Each control code represents an operation for the driver to perform. For example, a control code can ask a device driver to return information about the corresponding device, or direct the driver to carry out an action on the device, such as formatting a disk. A number of standard control codes are defined in the SDK header files. In addition, device drivers can define their own device-specific control codes.
For a list of standard control codes included in the SDK documentation, see the Remarks section of DeviceIoControl.
The types of control codes you can specify depend on the device being accessed and the platform on which your application is running. Applications can use the standard control codes or device-specific control codes to perform direct input and output operations on a floppy disk drive, hard disk drive, tape drive, or CD-ROM drive.
We discovered this vulnerability in the Avast Virtualization driver (aswSnx.sys) that handles some of the 'Sandbox' and 'DeepScreen' functionality of all the Avast Windows products. We initially found this issue in versions 10.x (.1305) of those products and later confirmed that the latest 11.x versions were still affected by this issue up to, and including v. Earlier versions of the aforementioned products are also affected.
The Avast virtualization kernel mode driver (aswSnx.sys) does not validate the length of absolute Unicode file paths in some of the IOCTL requests that it receives from userland, which are later copied into fixed-length paged pool memory allocations. This allows exploit code to overflow the associated kernel paged pool chunk and corrupt an adjacent kernel object that the attacker controls (Figure 1). Upon successful exploitation of this flaw, a local attacker can elevate privileges from any account type (guest included) and execute code as SYSTEM, thus completely compromising the affected host.
As with most cases dealing with dynamic memory allocation based buffers, also known as heap overflows, we first need to be able to predict where the allocation will occur so that we can take control of the execution flow as reliably as possible. This is even more important when we exploit bugs in code running in the kernel address space, since if the exploit fails the whole system usually goes down with it. Corrupting a random kernel object that you don't control is indeed a really bad idea.
In order to achieve this, we need to overcome another challenge, which is to create a desirable layout of dynamic memory allocations based on the size of the chunk that we can overflow. If we can control the size of that chunk, this is easier to achieve, since we don't have to limit ourselves to a much smaller subset of objects. However, when we deal with fixed-size chunks (0x418 bytes in this case) it can be very challenging to find a suitable object of that size in order to spray the heap reliably. Finding a kernel object that could fit this requirement was a bit tricky, but thanks to this article by 'j00ru', I managed to get the one I needed.
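When auditing a driver's IOCTL surface, the first thing a practitioner usually needs is to pull a control code apart into its fields: which device type it belongs to, whether it is a vendor-defined code, and which transfer method the I/O manager applies to its buffers. The C program below is an added example written for this page, not code from the original post or from Avast; it re-implements the SDK's CTL_CODE arithmetic, decodes two standard codes from the SDK headers and builds a hypothetical vendor-defined code (device type 0x8000, function 0x801, both chosen here purely for illustration).

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Bit layout of a Windows I/O control code, as produced by the SDK's
 * CTL_CODE(DeviceType, Function, Method, Access) macro:
 *   bits 31..16  DeviceType     bits 15..14  RequiredAccess
 *   bits 13..2   Function       bits  1..0   TransferType (method)
 * The constants below mirror the SDK values.
 */
#define METHOD_BUFFERED    0
#define METHOD_IN_DIRECT   1
#define METHOD_OUT_DIRECT  2
#define METHOD_NEITHER     3
#define FILE_ANY_ACCESS    0
#define FILE_READ_ACCESS   1
#define FILE_WRITE_ACCESS  2

struct ioctl_fields {
    uint32_t device_type, access, function, method;
};

/* Same arithmetic as CTL_CODE(). */
uint32_t ctl_code(uint32_t device_type, uint32_t function,
                  uint32_t method, uint32_t access)
{
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

/* Inverse of ctl_code(): split a code seen in a dispatch routine or an
 * API trace back into its fields. */
struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Device-specific codes use a DeviceType in the range Microsoft leaves to
 * third parties (0x8000 and above); values below that are reserved. */
int is_vendor_defined(uint32_t code)
{
    return decode_ioctl(code).device_type >= 0x8000;
}

/* METHOD_NEITHER hands the driver raw user-mode pointers, so those handlers
 * deserve the closest review; the other methods go through the I/O manager's
 * buffering or MDL probing first. */
int passes_raw_user_pointers(uint32_t code)
{
    return decode_ioctl(code).method == METHOD_NEITHER;
}

static const char *method_name(uint32_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3];
}

int main(void)
{
    /* Two standard codes from the SDK headers, plus a hypothetical
     * vendor-defined one built the way a third-party driver would. */
    uint32_t samples[] = { 0x00070000u,  /* IOCTL_DISK_GET_DRIVE_GEOMETRY */
                           0x0009C040u,  /* FSCTL_SET_COMPRESSION */
                           ctl_code(0x8000, 0x801, METHOD_NEITHER, FILE_ANY_ACCESS) };
    for (size_t i = 0; i < 3; i++) {
        struct ioctl_fields f = decode_ioctl(samples[i]);
        printf("0x%08X: type=0x%04X function=0x%03X access=%u %s%s\n",
               samples[i], f.device_type, f.function, f.access,
               method_name(f.method),
               is_vendor_defined(samples[i]) ? " (vendor)" : "");
    }
    return 0;
}
```

The method field is the one to look at first when triaging a third-party driver: a METHOD_NEITHER code receives the caller's pointers untouched, while METHOD_BUFFERED codes (the kind a path-carrying request would typically use) arrive in a system buffer whose declared length the handler must still honour, which is exactly the check that was missing here.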
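To make the flaw and the adjacency argument concrete, here is an added example written for this page; it is not aswSnx.sys code and does not reproduce that driver's IOCTL numbers or structures. It lays out two adjacent 0x418-byte chunks in a flat byte array, treats chunk 1 as the kernel object the attacker arranged to sit next to the vulnerable allocation, and runs a copy routine with the defect the advisory describes next to a hardened version that validates the path against both the declared input size and the destination capacity. The 8-byte pool header, the negative return codes standing in for NTSTATUS values and the constructed "\??\C:\AAA..." paths are assumptions of the simulation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows WCHAR is 16 bits; wchar_t is 32 bits on most non-Windows
 * toolchains, so an explicit 16-bit type keeps the byte arithmetic faithful. */
typedef uint16_t WCHAR16;

#define CHUNK_SIZE        0x418   /* fixed paged pool allocation size from the advisory */
#define POOL_HEADER_SIZE  8       /* assumption: a generic 8-byte pool header per chunk */
#define BODY_CAPACITY     (CHUNK_SIZE - POOL_HEADER_SIZE)
#define NUM_CHUNKS        2
#define MAX_DEMO_CHARS    700     /* keeps every constructed input inside the simulated pool */

/* Two back-to-back chunks: chunk 0 receives the path, chunk 1 plays the
 * adjacent kernel object the attacker wants to corrupt. */
static uint8_t pool[NUM_CHUNKS * CHUNK_SIZE];

static uint8_t *chunk_start(int idx) { return pool + (size_t)idx * CHUNK_SIZE; }
static uint8_t *chunk_body(int idx)  { return chunk_start(idx) + POOL_HEADER_SIZE; }

/* Scan for a terminator, but never beyond the byte count the caller declared:
 * user memory is not guaranteed to be NUL-terminated. Returns the character
 * count, or (size_t)-1 if no terminator lies within the declared buffer. */
static size_t bounded_wlen16(const WCHAR16 *s, size_t max_bytes)
{
    size_t max_chars = max_bytes / sizeof(WCHAR16);
    for (size_t n = 0; n < max_chars; n++)
        if (s[n] == 0)
            return n;
    return (size_t)-1;
}

/* Vulnerable pattern (illustrative, not the driver's code): the destination is
 * a fixed-size allocation but the copy length is taken from the caller's string. */
int handle_path_ioctl_vulnerable(const WCHAR16 *path)
{
    size_t n = 0;
    while (path[n] != 0)
        n++;
    /* (n + 1) * 2 bytes may exceed BODY_CAPACITY; the tail lands in chunk 1. */
    memcpy(chunk_body(0), path, (n + 1) * sizeof(WCHAR16));
    return 0;
}

/* Hardened handler: validate against the declared input size and the
 * destination capacity before touching the pool. */
int handle_path_ioctl_hardened(const WCHAR16 *path, size_t input_len_bytes)
{
    size_t n = bounded_wlen16(path, input_len_bytes);
    if (n == (size_t)-1)
        return -1;   /* no terminator inside the declared buffer */
    if ((n + 1) * sizeof(WCHAR16) > BODY_CAPACITY)
        return -2;   /* path plus terminator does not fit the fixed chunk */
    memcpy(chunk_body(0), path, (n + 1) * sizeof(WCHAR16));
    return 0;
}

/* Constructed input: an NT-style absolute path "\??\C:\AAAA..." of total_chars
 * characters, optionally left without a terminator. */
static void build_path(WCHAR16 *out, size_t total_chars, int terminated)
{
    static const char prefix[] = "\\??\\C:\\";
    size_t plen = strlen(prefix);
    for (size_t i = 0; i < total_chars; i++)
        out[i] = (WCHAR16)(i < plen ? (unsigned char)prefix[i] : 'A');
    out[total_chars] = terminated ? 0 : 'A';
}

/* Fill chunk 1 with sentinels (0xEE header, 0xCC body) so damage is measurable. */
static void prime_neighbour(void)
{
    memset(pool, 0, sizeof pool);
    memset(chunk_start(1), 0xEE, POOL_HEADER_SIZE);
    memset(chunk_body(1), 0xCC, BODY_CAPACITY);
}

/* Runs the vulnerable handler on a terminated path of total_chars characters
 * and returns how many bytes of the neighbouring chunk (header included) changed. */
size_t neighbour_bytes_clobbered(size_t total_chars)
{
    WCHAR16 path[MAX_DEMO_CHARS + 2];
    if (total_chars > MAX_DEMO_CHARS)
        return (size_t)-1;
    build_path(path, total_chars, 1);
    prime_neighbour();
    handle_path_ioctl_vulnerable(path);
    size_t changed = 0;
    for (size_t i = 0; i < CHUNK_SIZE; i++)
        if (chunk_start(1)[i] != (i < POOL_HEADER_SIZE ? 0xEE : 0xCC))
            changed++;
    return changed;
}

/* Result of the hardened handler for the same constructed input. */
int hardened_result(size_t total_chars, int terminated)
{
    WCHAR16 path[MAX_DEMO_CHARS + 2];
    if (total_chars > MAX_DEMO_CHARS)
        return -99;
    build_path(path, total_chars, terminated);
    prime_neighbour();
    return handle_path_ioctl_hardened(path, (total_chars + 1) * sizeof(WCHAR16));
}

int main(void)
{
    size_t lens[] = { 519, 520, 600 };
    for (size_t i = 0; i < 3; i++)
        printf("%zu chars: neighbour bytes clobbered=%zu, hardened returns %d\n",
               lens[i], neighbour_bytes_clobbered(lens[i]), hardened_result(lens[i], 1));
    return 0;
}
```

At 519 characters the path plus its terminator exactly fills the 0x410 usable bytes of the chunk; one more character and the first bytes of the neighbour's pool header are overwritten, and a 600-character path reaches 162 bytes into it. What those bytes land on is decided entirely by the allocation layout, which is why the rest of the post is about placing a chosen object of the same size class next to the chunk rather than about the copy itself.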