=======
Summary
=======
Name: Arbitrary kernel mode memory writes in AVG Antivirus
Release Date: 10 July 2007
Reference: NGS00500
Discover: Jonathan Lindsay <john-lindsay ngssoftware com>
Vendor: Grisoft
Vendor Reference: N/A
Systems Affected: Windows NT based systems
Risk: High
Status: Fixed

========
TimeLine
========
Discovered: 13 April 2007
Released: 13 April 2007
Approved: 22 May 2007
Reported: 13 April 2007
Fixed: 9 July 2007
Published: 10 July 2007

===========
Description
===========
The AVG Antivirus core kernel mode service driver (avg7core.sys) provides
functionality that under a default install allows an unprivileged user to
write arbitrary data to arbitrary addresses. This service provides the
core detection (and probably disinfection) for the product. This issue has
been verified as affecting AVG Free 7.5.446 and AVG Antivirus 7.5.448. The
version of avg7core.sys in question is 7.5.0.444.

The driver supports two IOCTLs in its generic DeviceIoControl handler. One
of these IOCTLs (0x5348E004) is used to get the core driver to perform
privileged functions on behalf of the user mode component; 52 different
functions are supported, and one of these is designed to copy arbitrary
data from addresses taken unchecked from the user mode application.

As the kernel mode service is started upon system start (as it is
necessary for on-access scanning), and it is accessible as read/write to
Everyone, any user can then use this functionality to overwrite arbitrary
kernel code or data.

=================
Technical Details
=================
The AVG Antivirus core kernel mode service driver (avg7core.sys) provides
functionality that under a default install allows an unprivileged user to
write arbitrary data to arbitrary addresses. This service provides the
core detection (and probably disinfection) for the product. This issue has
been verified as affecting AVG Free 7.5.446 and AVG Antivirus 7.5.448. The
version of avg7core.sys in question is 7.5.0.444.

The driver supports two IOCTLs in its generic DeviceIoControl handler. One
of these IOCTLs (0x5348E004) is used to get the core driver to perform
privileged functions on behalf of the user mode component; 52 different
functions are supported, and one of these is designed to copy arbitrary
data from addresses taken unchecked from the user mode application.

As the kernel mode service is started upon system start (as it is
necessary for on-access scanning), and it is acessible as read/write to
Everyone, any user can then use this functionality to overwrite arbitrary
kernel code or data.

The internal function in question is the fifth in the internal switch
table and therefore referenced with an index of four. Internal to this
function, a parameter specifies the type of copy to be performed. Using
a value of five will cause a segment of one buffer to be copied to an
arbitrary address. The data structures involved are convoluted, and are
unlikely to be discovered by a brute-force attempt to attack the service
(such as using a fuzzer); additionally, although a lot of pointers are
taken unvalidated from a user mode buffer, the entire dispatch processing
function is wrapped in a try/catch block.

===============
Fix Information
===============
For the request in this case, the buffer contents are validated with
respect to their usage before being passed on to the subfunction that
implements 52 privileged functions. The particular case used in the POC
code results in STATUS_NOT_IMPLEMENTED being returned, before the IRP
being completed. This fix has been implemented in AVG 7.5 build 476, core
service version 7.5.0.476.

The updated versions of AVG Antivirus can be downloaded from:

http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=aff
http://www.grisoft.com/doc/31/us/crp/0?prd=avw

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070