Avast! AntiVirus TAR Processing Remote Heap Corruption Sowhat of Nevis Labs http://www.nevisnetworks.com http://secway.org/advisory/AD20071206.txt BID: 26702 Vendor: ALWIL Software Affected: Avast! Home/Professional < 4.7.1098 This vulnerability has been confirmed on Avast! Professional 4.7.1043 Details: There is a vulnerability in Avast! Antivirus, which allows an attacker to execute arbitrary code if successfully exploited. While parsing the .TAR file, Avast! Antivirus Library does not properly check the value of certain field, thus result into a remote heap corruption. we would be able to trigger a classic "arbitrary 4 bytes overwritten" condition. 77F52109 8901 MOV DWORD PTR DS:[ECX],EAX 77F5210B 8948 04 MOV DWORD PTR DS:[EAX+4],ECX The EAX and ECX are indirectly controlled by the attacker in this case, The EAX and ECX are read from the passed scanned file. To be able to control EAX/ECX, we can put some other files before the exploit.TAR, let the Avast! scan the other files first. By manipulating the exploit file, we can also trigger another exception 64206096 8B01 MOV EAX,DWORD PTR DS:[ECX] 64206098 6A FF PUSH -1 6420609A FF10 CALL DWORD PTR DS:[EAX] The EAX is controllable. The vulnerability can be exploited remotely, by sending Email or convince the victim visit attacker controlled website. Vendor Response: 2007.11.28 Vendor notified 2007.11.29 Vendor responded 2007.12.05 Vendor released the fixed version, 4.7.1098 2007.12.06 Advisory release Reference: 1. http://www.avast.com/eng/avast-4-home_pro-revision-history.html 2. http://secway.org/advisory/AD20071116.txt 3. http://groups.google.com/group/vulnhashdb -- Sowhat http://secway.org "Life is like a bug, Do you know how to exploit it ?"