SAFA researchers uncovered four kernel heap overflow vulnerabilities in Avast Antivirus's aswSnx.sys driver, designated CVE-2025-13032, affecting versions earlier than 25.3 on Windows.
These flaws originate from double-fetch issues in IOCTL handling and allow local attackers to trigger pool overflows for privilege escalation to SYSTEM.
The vulnerabilities require sandbox manipulation to reach the attack surface, marking a reversal of the typical sandbox-escape scenario.
Research Methodology
SAFA targeted Avast because of its widespread deployment and rich kernel attack surface via user-accessible drivers such as aswSnx, which exposes numerous IOCTL handlers under permissive ACLs.
Analysis focused on kernel components that process user-controlled data, prioritizing those with high IOCTL counts for efficiency in a time-limited audit.
Reverse engineering revealed code shared across Gendigital products, potentially broadening the impact, though this was not verified.
Manual auditing, combined with heuristics such as tracing ProbeForRead calls, quickly pinpointed flaws in IOCTL 0x82AC0204, which processes user-supplied UNICODE_STRING structures without properly capturing them into kernel memory.
The driver fetches the Length field twice, once for allocation and again for copying, enabling attackers to modify it mid-operation for controlled heap overflows.
Similar issues affect the pString and pData fields, along with missing pointer validation that leads to DoS.
The aswSnx driver enforces a custom sandbox via snx_lconfig.xml, restricting the vulnerable IOCTLs to profiled processes with flags such as fAutosandbox and scanhandle=1.
Normal processes lack access, necessitating config manipulation through IOCTL 0x82AC0054, which registers executables under read-only permissions.
This allowed generating a sandboxed exploit.exe to trigger crashes and confirm primitives.
Additional flaws emerged in the same handler: loop-based double-fetches on strings for length calculation and allocation, and snprintf misuse during process termination, copying large strings into fixed buffers.
A pData variant repeats the pattern with separate sizing iterations before memcpy. These yield user-controlled overflows and DoS via invalid pointers.
Avast addressed the issues in version 25.3 by capturing structures into kernel memory, reusing the initial lengths, adding size checks against fixed buffers, and validating pointers.
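The following is a worked example added to this article, not SAFA's research code or Avast's driver code. It models, in user-mode C, the double-fetch pattern described above (Length read once for allocation and again for the copy) next to the capture-once pattern that the 25.3 fix is described as using (capture the structure into kernel memory, reuse the captured length, check sizes against the fixed buffer, validate the pointer). Assumptions: the UNICODE_STRING layout is a constructed struct, ProbeForRead plus the kernel copy is modeled by a memcpy from a simulated user pointer, the racing thread is modeled by a hook that mutates Length between the two reads, and MAX_STR_BYTES is an assumed bound; the IOCTL codes and the pString/pData field handling from the article are not reproduced.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <wchar.h>

/* Constructed model of the Windows UNICODE_STRING layout (not the driver's own types). */
typedef struct {
    uint16_t Length;        /* bytes in Buffer */
    uint16_t MaximumLength;
    wchar_t *Buffer;
} USTRING;

/* Models another thread modifying user memory while the handler runs. */
typedef void (*mutator_fn)(USTRING *u);

static USTRING *user_ptr;     /* simulated user-supplied pointer (assumption) */
static mutator_fn race_hook;  /* invoked between the handler's fetches, if set */

enum { STATUS_OK = 0, STATUS_OVERFLOW_WOULD_OCCUR = 1, STATUS_REJECTED = 2 };

/* Models a single-field read from user memory after ProbeForRead. */
static uint16_t fetch_length(void) { return user_ptr->Length; }

/* Vulnerable pattern: Length is read once to size the allocation and again for the copy. */
static int handler_double_fetch(void) {
    uint16_t alloc_len = fetch_length();              /* first fetch */
    char *kbuf = malloc(alloc_len ? alloc_len : 1);   /* models the pool allocation */
    if (!kbuf) return STATUS_REJECTED;
    if (race_hook) race_hook(user_ptr);               /* the race window */
    uint16_t copy_len = fetch_length();               /* second fetch */
    int rc = STATUS_OK;
    if (copy_len > alloc_len)
        rc = STATUS_OVERFLOW_WOULD_OCCUR;             /* real driver: memcpy overruns the pool chunk */
    else
        memcpy(kbuf, user_ptr->Buffer, copy_len);
    free(kbuf);
    return rc;
}

/* Hardened pattern: capture the whole structure once, validate it, reuse only the captured Length. */
#define MAX_STR_BYTES 512   /* assumed fixed-buffer bound */
static int handler_captured(char *out, size_t out_sz) {
    USTRING captured;
    memcpy(&captured, user_ptr, sizeof captured);     /* single fetch into kernel-owned storage */
    if (race_hook) race_hook(user_ptr);               /* later user-memory changes are irrelevant now */
    if (captured.Buffer == NULL) return STATUS_REJECTED;                 /* pointer validation */
    if (captured.Length > captured.MaximumLength ||
        captured.Length > MAX_STR_BYTES || captured.Length > out_sz)
        return STATUS_REJECTED;                                          /* size check vs fixed buffer */
    memcpy(out, captured.Buffer, captured.Length);                       /* captured length only */
    return STATUS_OK;
}

/* Race model: double the declared length after the allocation size has been chosen. */
static void grow_length(USTRING *u) { u->Length = (uint16_t)(u->Length * 2); }

static USTRING sample;            /* constructed user-mode structure */
static wchar_t sample_buf[64];

/* Runs one scenario: with_race toggles the mutator, hardened selects the handler. */
static int run_scenario(int with_race, int hardened) {
    wcscpy(sample_buf, L"C:\\constructed\\sample.exe");   /* constructed sample path */
    sample.Length = (uint16_t)(wcslen(sample_buf) * sizeof(wchar_t));
    sample.MaximumLength = (uint16_t)sizeof sample_buf;
    sample.Buffer = sample_buf;
    user_ptr = &sample;
    race_hook = with_race ? grow_length : NULL;
    char out[MAX_STR_BYTES];
    return hardened ? handler_captured(out, sizeof out) : handler_double_fetch();
}

/* Missing-pointer-validation case: the hardened handler must reject a NULL Buffer. */
static int run_null_buffer_scenario(void) {
    sample.Length = 8;
    sample.MaximumLength = 8;
    sample.Buffer = NULL;
    user_ptr = &sample;
    race_hook = NULL;
    char out[MAX_STR_BYTES];
    return handler_captured(out, sizeof out);
}

int main(void) {
    printf("double-fetch, no race : %d\n", run_scenario(0, 0));
    printf("double-fetch, race    : %d\n", run_scenario(1, 0));
    printf("captured, no race     : %d\n", run_scenario(0, 1));
    printf("captured, race        : %d\n", run_scenario(1, 1));
    printf("captured, NULL buffer : %d\n", run_null_buffer_scenario());
    return 0;
}
```

The double-fetch handler only misbehaves when the mutator runs between its two reads, which is why such bugs survive normal testing; the captured handler returns the same result with or without the mutator because every decision is made on the copy the kernel owns. Detection-wise, the audit heuristic the article mentions (tracing ProbeForRead call sites) maps directly onto this model: any handler that dereferences the probed user pointer more than once is a candidate for this class.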
CVSS v3.1 scores it at 9.9 (Critical) due to low attack complexity, low privileges required, and full confidentiality, integrity and availability impact with a scope change.
SAFA demonstrated LPE on the latest Windows 11, proving its viability despite the sandboxing.
Organizations should update immediately, limit local privileges, and audit logs for escalation attempts. This underscores the persistent risk in AV kernel drivers, even with defenses in place.