Avast and AVG Windows Anti-Rootkit Driver Double Fetch Vulnerability Allowing Arbitrary Code Execution or Denial-of-Service

Vulnerability

A double fetch vulnerability has been identified in the Avast and AVG Windows Anti-Rootkit driver, specifically in the socket connection handler of the kernel driver aswArPot.sys, in versions prior to 22.1. It allows a local attacker to execute arbitrary code in kernel mode or to cause a denial of service by corrupting memory and crashing the operating system. The issue arises because the vulnerable function fetches a user-controlled length value from user-mode memory twice: once to validate it and once to use it. A concurrent user-mode thread can change the value between the two fetches, so the length that is used is not the length that was checked, and an attacker who wins this race can manipulate the length variable and execute arbitrary code.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of code in kernel mode, with potential consequences such as disabling security features, overwriting system components, causing memory corruption and operating system crashes, or bypassing security products altogether.

Reproduction

The vulnerability can be reproduced by initiating a socket connection from a user-mode application. Once the connection is established, the application sends data that triggers the double fetch by manipulating the length of the command line parameters processed by the aswArPot.sys driver. This is done by flipping the Length field in the process command line structure while the driver is processing it, creating a race condition that the driver fails to handle properly.
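The following is an added example, not code from the driver or from the advisory: a user-mode C model of the double-fetch pattern described above beside the capture-once form that closes it. The record layout, the KERNEL_BUF limit and the race hook that stands in for the racing user thread are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a command-line record as a driver might read it from
 * user-mode memory; this is NOT the real aswArPot.sys layout (assumption). */
typedef struct {
    uint32_t Length;          /* user-controlled byte count */
    char     Buffer[256];
} user_cmdline_t;

#define KERNEL_BUF 64         /* assumed size of the kernel-side copy */

/* Models the racing user thread: invoked once inside the handler's race
 * window. NULL means no concurrent attacker activity. */
typedef void (*race_hook_t)(user_cmdline_t *user);

/* Vulnerable pattern: Length is read from user memory twice. The bound check
 * uses the first read, the copy uses the second, so a write in between
 * defeats the check. Returns bytes copied, or -1 if rejected. */
int handle_double_fetch(user_cmdline_t *user, char *kbuf, race_hook_t hook) {
    if (user->Length > KERNEL_BUF)                /* fetch #1: validation */
        return -1;
    if (hook) hook(user);                          /* Length flipped here */
    uint32_t len = user->Length;                   /* fetch #2: use */
    if (len > sizeof(user->Buffer)) len = sizeof(user->Buffer); /* keep demo in bounds */
    memcpy(kbuf, user->Buffer, len);               /* may exceed KERNEL_BUF */
    return (int)len;
}

/* Hardened pattern: capture Length once into kernel-owned storage, validate
 * that captured copy, and use only the copy afterwards. The same race window
 * exists but can no longer change what is used. */
int handle_single_fetch(user_cmdline_t *user, char *kbuf, race_hook_t hook) {
    uint32_t len = user->Length;                   /* the only fetch */
    if (hook) hook(user);                          /* now harmless */
    if (len > KERNEL_BUF)
        return -1;
    memcpy(kbuf, user->Buffer, len);
    return (int)len;
}

/* Constructed race behaviour: raise Length after the check has passed. */
void flip_length(user_cmdline_t *user) { user->Length = 200; }

/* Runs one handler against a constructed record with Length = 16. kbuf is
 * deliberately oversized so the demonstration itself cannot overflow. */
int run_scenario(int (*handler)(user_cmdline_t *, char *, race_hook_t), race_hook_t hook) {
    user_cmdline_t rec;
    char kbuf[256];
    memset(&rec, 0, sizeof rec);
    rec.Length = 16;
    memset(rec.Buffer, 'A', sizeof rec.Buffer);
    return handler(&rec, kbuf, hook);
}
```

In a real Windows driver the capture-once step is a probed copy of the whole user structure into kernel memory before any field is inspected; the model above isolates only the ordering defect.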

Remediation

Users of Avast and AVG will receive the update to version 22.1 automatically, but those with air-gapped or on-premises installations should apply the patch as soon as possible.

Added: May 8, 2026, 5:26 AM
Updated: May 8, 2026, 5:26 AM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 2.5
exploitability: 3.6
remediation: 7.7
relevance: 7.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.