[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Avast SandBox Escape via IOCTL Requests
From: Kyriakos Economou <keconomou () nettitude ! com>
Date: 2016-04-19 15:04:09
Message-ID: 061CC584260B7B46BD912F126E8C92360B6E0EC8 () GB01MAIL00 ! nettitude ! com
[Download RAW message or body]
* CVE: CVE-2016-4025
* Vendor: Avast
* Reported by: Kyriakos Economou
* Date of Release: 19/04/2016
* Affected Products: Multiple
* Affected Version: Multiple
* Fixed Version: N/A
Description:
A design flaw in Avast Sandbox allows a potentially harmful program to esca=
pe the sandbox and infect the host by dropping its files out of it and/or b=
y modifying existing legitimate files of any type.
Affected Products:
Avast Internet Security v11.x.x
Avast Pro Antivirus v11.x.x
Avast Premier v11.x.x
Avast Free Antivirus v11.x.x
Avast Business Security v11.x.x
Avast Endpoint Protection v8.x.x
Avast Endpoint Protection Plus v8.x.x
Avast Endpoint Protection Suite v8.x.x
Avast Endpoint Protection Suite Plus v8.x.x
Avast File Server Security v8.x.x
Avast Email Server Security v8.x.x
Earlier and latest versions of these products are currently affected.
Technical Details:
The Avast virtualization kernel mode driver (aswSnx.sys) handles specific I=
OCTL requests sent through the snxhk.dll module which is automatically load=
ed in the address space of all sandboxed processes. One of the features tha=
t this module attempts to provide, is to recognize user interaction with th=
e GUI of the sandboxed application which facilitates saving a file out of t=
he sandboxed process. For example, a user can still save a txt file out of =
a notepad.exe sandboxed process by navigating through the menu to the 'Save=
as' dialogue box of the application. The design flaw consists in the fact =
that there is no further authentication from the kernel driver itself with =
regards to the IOCTL requests, in order to verify that releasing a file out=
of the sandbox it is indeed an authorised action performed by the user. Th=
is vulnerability can be exploited by a malicious application in order to in=
fect the host by dropping its files and/or infect existing legitimate file=
s of any type without requiring user interaction. A ransomware that exploit=
s this vulnerability will be able to encrypt all the targetted files while =
its process will be running in the sandbox. This vulnerability is critical=
since it totally breaks the purpose of the Sandbox protection and other fe=
atures, such as DeepScreen, that rely on this.
Further reading: https://www.nettitude.co.uk/escaping-avast-sandbox-using-s=
ingle-ioctl-cve-2016-4025/
Disclosure Log:
Vendor Contacted: 01/11/2015
Request for Feedback: 23/11/2015
Request for Feedback: 01/04/2016
Public Disclosure: 19/04/2016
Copyright:
Copyright (c) Nettitude Limited 2016, All rights reserved worldwide.
Disclaimer:
The information herein contained may change without notice. Any use of this=
information is at the user's risk and discretion and is provided with no =
warranties. Nettitude and the author cannot be held liable for any impact r=
esulting from the use of this information.
Kyriakos Economou
Vulnerability Researcher
[logo]<http://www.nettitude.co.uk/>
P +44 (0) 845 520 0085 ext 1189
F +448455 200 222
keconomou@nettitude.com<mailto:keconomou@nettitude.com%0d>
www.nettitude.co.uk<http://www.nettitude.co.uk/>
Nettitude NEWS
#Nettitude awarded MSSP of the Year by LogRhythm
#Nettitude features on NBC<http://www.nettitude.com/nbc-interview/>
[Nettitude Awards]<http://www.nettitude.com/>
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .=
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . =
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Nettitude Limited: 1 Jephson Court * Tancred Close * Leamington Spa * Warwi=
ckshire * CV31 3RZ
Nettitude Inc: 85 Broad Street * 17th Floor * New York * NY10004 * EIN No.3=
6-4694227
Twitter<https://twitter.com/Nettitude_com> * LinkedIn<http://uk.linkedin.co=
m/company/nettitude-group> * Google Plus<https://plus.google.com/+Nettitude=
-penetrationtesting/posts> * FaceBook<https://www.facebook.com/Nettitude> *=
YouTube<http://www.youtube.com/channel/UCRUUESU5OTfRte0P-pm2MZQ> * Threat2=
Alert<http://www.threat2alert.com/>
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .=
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . .=
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
LOVE REFERRALS - please pass our contact details on solutions@nettitude.com=
<mailto:solutions@nettitude.com>. Thank you!
______________________________________________________________________
This email and any files transmitted with it are confidential and intended =
solely for the use of the individual or entity to whom they are addressed. =
If you have received this email in error please notify the system manager.
Nettitude employ a secure email policy for sending emails to customers. Sho=
uld your email service support ESMTP, you will likely have received this em=
ail over TLS. We also utilise a backup secure service via Cisco Registered =
Envelope Service. For more information visit https://res.cisco.com/websafe/=
about
This footnote also confirms that this email message has been swept by a con=
tent checking tool for the presence of computer viruses.
Nettitude Limited is a Company registered in England
Registered Address
Nettitude Limited, 1 Jephson Court, Tancred Close, Leamington Spa, Warwicks=
hire, CV31 3RZ
Company Registration Number: 4705154
VAT Number: 184 5171 96
www.nettitude.com
______________________________________________________________________
["image001.png" (image/png)]
["image002.jpg" (image/jpeg)]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
--===============5699825735294750528==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic