Entries by Kyriakos Economou

Exploiting a Kernel Paged Pool Buffer Overflow in Avast Virtualization Driver

CVE-2015-8620

We discovered this vulnerability in the Avast Virtualization driver (aswSnx.sys) that handles some of the ‘Sandbox’ and ‘DeepScreen’ functionality of all the Avast Windows products. We initially found this issue in versions 10.x (10.4.2233.1305) of those products and later confirmed that the latest 11.x versions were still affected by this issue up to, and […]

McAfee File Lock Driver – Kernel Memory Leak

CVE: CVE-2015-8772
Vendor: McAfee – Intel Security
Reported by: Kyriakos Economou
Date of Release: 26/01/2016
Date of Fix: N/A
Affected Products: Multiple
Affected Version: McPvDrv.sys v4.6.111.0
Fixed Version: N/A

Description: McAfee File Lock Driver does not correctly handle IOCTL_DISK_VERIFY IOCTL requests, which leads to a kernel memory leak through specifically crafted IOCTLs. Normally the IOCTL_DISK_VERIFY IOCTL […]

McAfee File Lock Driver – Kernel Stack Based BOF

CVE: CVE-2015-8773
Vendor: McAfee – Intel Security
Reported by: Kyriakos Economou
Date of Release: 26/01/2016
Date of Fix: N/A
Affected Products: Multiple
Affected Version: McPvDrv.sys v4.6.111.0
Fixed Version: N/A

Description: McAfee File Lock Driver does not correctly handle the GUIDs of the encrypted vaults, which makes it possible to crash the host by crafting a specific IOCTL with […]

Malware Manual Unpacking – [Custom + UPX]

SHA-1: 1E6CF952D9F0D507A6AA98AD2B3327B83702BC17

Introduction

Implementing all sorts of methods to bypass anti-virus (AV) scanners and/or to make the analysis of a malware sample a lot harder, at least from a static point of view, is an old dog’s trick. At Nettitude, we see a lot of these techniques in evidence in malware that we come across […]