SAFA researchers uncovered four kernel heap overflow vulnerabilities in Avast Antivirus's aswSnx.sys driver, tracked as CVE-2025-13032 and affecting versions prior to 25.3 on Windows.
The flaws stem from double-fetch issues in IOCTL handling and allow local attackers to trigger pool overflows for privilege escalation to SYSTEM.
Reaching the vulnerable code requires manipulating the driver's sandbox configuration first, a reversal of the usual sandbox-escape scenario.
Research Approach
SAFA targeted Avast because of its widespread deployment and rich kernel attack surface exposed through user-accessible drivers such as aswSnx, which implements numerous IOCTL handlers under permissive ACLs.
The analysis focused on kernel components that process user-controlled data, prioritizing those with high IOCTL counts to make the most of a time-limited audit.
Reverse engineering revealed code shared across Gendigital products, which could broaden the impact, although this remains unverified.
Manual auditing, combined with heuristics such as tracing ProbeForRead calls, quickly pinpointed flaws in IOCTL 0x82AC0204, which processes user-supplied UNICODE_STRING structures without first capturing them into kernel memory.
The driver fetches the Length field twice, once to size the allocation and again for the copy, so an attacker who modifies it between the two reads obtains a controlled heap overflow.
Similar issues affect the pString and pData fields, including missing pointer validation that leads to denial of service.
The aswSnx driver enforces a custom sandbox configured through snx_lconfig.xml, restricting the vulnerable IOCTLs to profiled processes carrying flags such as fAutosandbox and scanhandle=1.
Standard processes have no access, so the configuration must first be altered through IOCTL 0x82AC0054, which registers executables under read-only permissions.
This allowed SAFA to produce a sandboxed exploit.exe that triggered crashes and confirmed the primitives.
Additional flaws emerged in the same handler: loop-based double-fetches on strings used for length calculation and allocation, and misuse of snprintf during process termination that copies large strings into fixed-size buffers.
A pData variant repeats the pattern with separate sizing iterations before the memcpy. Together these yield user-controlled overflows and denial of service through invalid pointers.
Avast addressed the issues in version 25.3 by capturing the structures into kernel memory, reusing the initially read lengths, adding size checks against fixed buffers, and validating pointers.
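The double-fetch described above and the capture-once fix Avast shipped, shown side by side as an added user-mode model (not Avast's code): the "pool" is a static array with a canary standing in for the neighbouring chunk, the racing thread is replaced by a hook that rewrites Length between the two reads, and USTR, CHUNK and the payload are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* User-mode model of the UNICODE_STRING a caller hands to the IOCTL. The
   driver must assume user memory can change between any two reads of it. */
typedef struct { uint16_t Length; uint16_t MaximumLength; const uint8_t *Buffer; } USTR;
/* Toy "pool": one 64-byte chunk followed by a canary that stands in for the
   neighbouring pool allocation. Constructed for this example only. */
#define CHUNK 64
static uint8_t pool[CHUNK + 16];
static void pool_reset(void) { memset(pool, 0, CHUNK); memset(pool + CHUNK, 0xAA, 16); }
bool canary_intact(void) { return pool[CHUNK] == 0xAA; }
/* Stand-in for the racing thread: rewrites Length between the two fetches. */
typedef void (*race_hook)(USTR *u);
static void grow_length(USTR *u) { u->Length = CHUNK + 16; }
/* Vulnerable pattern (the pre-25.3 behaviour the article describes):
   Length is fetched once to size the allocation and again for the copy. */
bool handle_vulnerable(USTR *u, race_hook race) {
    uint16_t alloc_len = u->Length;                     /* fetch #1: sizing */
    if (alloc_len > CHUNK) return false;                /* check passes ... */
    pool_reset();
    if (race) race(u);                                  /* ... then user memory changes */
    uint16_t copy_len = u->Length;                      /* fetch #2: copying */
    if (copy_len > sizeof pool) copy_len = sizeof pool; /* keeps the model itself in bounds */
    memcpy(pool, u->Buffer, copy_len);                  /* copy_len > alloc_len: overflow */
    return true;
}
/* Hardened pattern (what the fix does): capture the struct into kernel memory
   once (after ProbeForRead in a real driver), validate it, reuse it throughout. */
bool handle_fixed(USTR *u, race_hook race) {
    USTR captured;
    memcpy(&captured, u, sizeof captured);              /* single fetch */
    if (captured.Buffer == NULL || captured.Length > CHUNK) return false;
    pool_reset();
    if (race) race(u);                                  /* harmless: never re-read */
    memcpy(pool, captured.Buffer, captured.Length);
    return true;
}

/* Run either handler against the same racing caller (constructed 128-byte
   payload) and report whether the neighbouring chunk survived. */
static uint8_t payload[128];
bool scenario(bool hardened) {
    memset(payload, 0x41, sizeof payload);
    USTR u = { 32, sizeof payload, payload };
    bool ok = hardened ? handle_fixed(&u, grow_length) : handle_vulnerable(&u, grow_length);
    return ok && canary_intact();
}
```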
CVSS v3.1 rates the issue 9.9 (Critical) because of low attack complexity, the low privileges required, and full confidentiality, integrity and availability impact with a scope change.
SAFA demonstrated local privilege escalation on the latest Windows 11, proving the attack is viable despite the sandboxing.
Organizations should update immediately, restrict local privileges, and review logs for escalation attempts. The case underscores the persistent risk posed by antivirus kernel drivers, even those with built-in defenses.