Stack Buffer Overflow vulnerability in AVAST antivirus

[German] AVAST antivirus had a vulnerability that allowed a remote stack buffer overflow triggered by Magic Numbers. The issue has already been patched.


This information was published in a blog article. Antivirus software needs to determine a file's type in order to analyze it in the right context. Therefore, the first part of the scanning process usually involves scanning the file for 'Magic Numbers'. A PDF file, for instance, starts with the ASCII string %PDF-.

Within its module algo, AVAST's scan engine tries to detect multiple instances of a Magic Number within a file. Each instance found created a data structure on the stack. The author of the blog post linked above therefore created a file with many Magic Numbers and had AVAST scan it. He used a file with the following Magic Numbers:

Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar! Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!Rar!%PDF-%PDF-%PDF-%PDF-%PDF-

This triggered a stack overflow that gives an attacker control over the stack. The vulnerability was reported to AVAST on September 23, 2016, and AVAST patched the software on September 29, 2016. Further details may be found in the linked article.
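As an added illustration of the pattern the post describes (not code from the post or from AVAST), here is a small magic-number scanner whose per-hit records live in a fixed-size stack array; the marker table, MAX_HITS and the return-value convention are assumptions. The scanner refuses to store more hits than the array holds, which is the bounds check that turns a marker-stuffed file into a rejected scan rather than a corrupted stack.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example: each marker hit becomes a record in a fixed-size,
 * stack-resident table, the allocation pattern the post describes. */
#define MAX_HITS 16            /* table capacity (assumed value) */

struct magic_hit { size_t offset; const char *name; };
struct magic     { const char *name; const char *bytes; size_t len; };

/* Scan buf for known markers. Returns the number of hits stored, or -1 if
 * the table would overflow, so a marker-stuffed file is rejected instead of
 * being written past the end of the array. */
int scan_magic(const unsigned char *buf, size_t len,
               struct magic_hit *hits, size_t max_hits)
{
    static const struct magic table[] = {
        { "rar", "Rar!",  4 },
        { "pdf", "%PDF-", 5 },
    };
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        for (size_t t = 0; t < sizeof table / sizeof table[0]; t++) {
            const struct magic *m = &table[t];
            if (len - i < m->len || memcmp(buf + i, m->bytes, m->len) != 0)
                continue;
            if (n == max_hits)          /* the bounds check that matters */
                return -1;
            hits[n].offset = i;
            hits[n].name = m->name;
            n++;
            i += m->len - 1;            /* resume after this marker */
            break;
        }
    }
    return (int)n;
}

/* Convenience wrapper with the hit table on the stack, sized MAX_HITS. */
int scan_with_stack_table(const unsigned char *buf, size_t len)
{
    struct magic_hit hits[MAX_HITS];
    return scan_magic(buf, len, hits, MAX_HITS);
}
```

With a 20-fold "Rar!" input the wrapper returns -1 instead of overrunning its 16-entry table.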
