Avast
cpe:2.3:a:avast:avast:*:*:*:*:*:*:*
- >= 12.1
A double fetch vulnerability has been identified in the socket connection handler of the Avast and AVG Windows Anti-Rootkit driver, prior to version 22.1. It allows a local attacker to execute arbitrary code in kernel mode or to cause a denial of service by corrupting memory and crashing the operating system. The root cause is that the driver reads user-controlled data more than once instead of validating a single captured copy, so the data it checks is not necessarily the data it later uses; this could be exploited to manipulate process parameters and run malicious code with elevated privileges.
Successful exploitation yields arbitrary code execution in kernel mode, letting an attacker perform privileged operations such as disabling security features or destabilising the system. Vulnerabilities of this kind can also serve as an escape from a sandboxed environment or as one stage of a broader chain, for example the second stage of a browser attack.
The vulnerability is reachable by initiating a socket connection from a user-mode application. Once the connection is established, the driver fetches the length of a user-controlled buffer twice; a concurrent user-mode thread that races the kernel thread can change the length variable between the two reads, so the validated value and the value actually used no longer match. This race window is what allows arbitrary code execution in kernel mode.
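The defect class described above, as a constructed user-space model that is not the driver's code: a handler that reads a caller-controlled length twice, beside the single-fetch version that captures it once and validates only the copy. The request layout, the 64-byte kernel buffer limit and the race hook standing in for a concurrent writer are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a request whose length field lives in memory the caller
 * can still modify while the handler runs. Not Avast/AVG code. */
#define KBUF_LIMIT 64

typedef struct {
    volatile uint32_t len;   /* caller-controlled, may change at any moment */
    uint8_t data[256];
} user_request_t;

/* Hook modelling a concurrent writer that changes len between the two reads. */
typedef void (*race_hook_t)(user_request_t *);

void grow_len(user_request_t *req) { req->len = 200; }

/* Vulnerable pattern: fetch #1 is validated, fetch #2 is used. Returns the
 * number of bytes copied, or -1 if rejected. The demo's backing store is
 * oversized so the over-copy is observable instead of a crash. */
int handle_double_fetch(user_request_t *req, uint8_t *kbuf, race_hook_t race)
{
    if (req->len > KBUF_LIMIT)       /* fetch #1: the value that is checked */
        return -1;
    if (race) race(req);             /* window in which user memory changes */
    uint32_t n = req->len;           /* fetch #2: the value that is used */
    if (n > sizeof(req->data)) n = sizeof(req->data); /* stay inside the demo struct */
    memcpy(kbuf, req->data, n);
    return (int)n;
}

/* Hardened pattern: copy the length into a handler-owned local exactly once,
 * validate that local, and never touch the user field again. */
int handle_single_fetch(user_request_t *req, uint8_t *kbuf, race_hook_t race)
{
    uint32_t n = req->len;           /* the only fetch */
    if (n > KBUF_LIMIT)
        return -1;
    if (race) race(req);             /* later changes to user memory are irrelevant */
    memcpy(kbuf, req->data, n);
    return (int)n;
}

int main(void)
{
    user_request_t a = { .len = 16 }, b = { .len = 16 };
    uint8_t kbuf[256];               /* intended bound is KBUF_LIMIT (64) */
    printf("double fetch copied %d bytes (limit %d)\n", handle_double_fetch(&a, kbuf, grow_len), KBUF_LIMIT);
    printf("single fetch copied %d bytes (limit %d)\n", handle_single_fetch(&b, kbuf, grow_len), KBUF_LIMIT);
    return 0;
}
```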
Users of Avast and AVG receive the patch automatically, but those with air-gapped or on-premises installations should apply the update as soon as possible.