Date: 06 November 2012
References: ESB-2012.1071
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0152
Multiple vulnerabilities have been fixed in Sophos products
6 November 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              Sophos Threat Detection Engine
                      Sophos Anti-Virus for Windows
                      Sophos Anti-Virus for Unix
                      Sophos Anti-Virus for Mac OS X
                      Sophos Anti-Virus for Linux
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Increased Privileges            -- Existing Account
                      Denial of Service               -- Remote/Unauthenticated
                      Cross-site Scripting            -- Remote with User Interaction
                      Reduced Security                -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
Member content until: Thursday, December 6 2012
Comment: A Metasploit payload demo exists as a proof of concept exploit of the
         PDF stack buffer overflow vulnerability present in the Sophos on-access
         scanner.
OVERVIEW
Multiple vulnerabilities have been identified in Sophos products. [1]
IMPACT
The vendor has provided the following details regarding these
vulnerabilities:
"Integer overflow parsing Visual Basic 6 controls
Description: A remote code execution vulnerability in how the Sophos
Anti-Virus engine scans malformed Visual Basic 6 compiled files - Visual
Basic 6 executables include metadata for GUIDs, Names, Paths, etc.
Sophos Anti-Virus extracts some of this metadata when it finds a VB6
executable. The validation code for this metadata incorrectly handled
integer overflows, which could lead to a heap overflow exploit.
Affected product(s): Threat Detection Engine 3.35.1 and earlier" [1]
"sophos_detoured_x64.dll ASLR bypass
Description: An issue with the BOPS technology in Sophos Anti-Virus for
Windows and how it interacts with Address Space Layout Randomisation
(ASLR) on Windows Vista and later. Sophos BOPS protection requires most
processes to load the Sophos_detoured_x64 DLL, but this DLL was not
using ASLR and resulted in it being loaded at a static address,
effectively bypassing the use of ASLR elsewhere in the product and
increasing the opportunity for exploits.
Affected product(s): Anti-Virus 9.x & Anti-Virus 10.x" [1]
"Internet Explorer protected mode is effectively disabled by Sophos
Description: An issue with how Sophos protection interacts with Internet
Explorer's Protected Mode - Sophos installs a Layered Service Provider
(LSP) into Internet Explorer, that loaded DLL files from writable
directories. This effectively disabled Internet Explorer's protected
mode, as legitimate DLLs could be altered or replaced and IE will still
execute them.
Affected product(s): Anti-Virus 10.x " [1]
"Universal XSS
Description: The Sophos web protection and web control Layered Service
Provider (LSP) block page was found to include a flaw that could be
exploited, by specially crafted web sites, to run Java code inserted in
the URL query tags.
Affected product(s): Anti-Virus 10.x " [1]
"Memory corruption vulnerability in Microsoft CAB parsers
Description: A vulnerability in the way the Sophos Anti-Virus engine
handles specially crafted CAB files, which could cause the engine to
corrupt memory - There is an error in the way the process checks which
compression algorithm is specified for the CFFolder structure. The error
leads to the range check on the input data size being skipped, leading
to a buffer overflow.
Affected product(s): Threat Detection Engine 3.35.1 and earlier" [1]
"RAR virtual machine standard filters memory corruption
Description: A vulnerability in the way the Sophos Anti-Virus engine
handled specially crafted RAR files, which could cause the engine to
corrupt memory - RAR decompression includes a byte-code interpreting VM.
The VM_STANDARD opcode takes a filter as an operand. These filters were
not being handled correctly.
Affected product(s): Threat Detection Engine 3.36.2 and earlier" [1]
"Privilege escalation through network update service
Description: A lack of access control on the Sophos updating directory
that potentially allowed any user to insert their own file and have it
executed - the Sophos network update service runs with NT
AUTHORITY\SYSTEM privileges. This service loads modules from a directory
that was writable with no privileges. A specifically crafted DLL file
could be placed in the world-writable directory and loaded by the update
service with SYSTEM privileges.
Affected product(s): Anti-Virus 9.x & Anti-Virus 10.x" [1]
"Stack buffer overflow decrypting PDF files
Description: A remote code execution vulnerability in the way the Sophos
Anti-Virus engine decrypts revision 3 PDF files that have been specially
crafted with an over-length size attribute - Sophos Anti-Virus engine
parses encrypted revision 3 PDF files by reading the encryption key
contents onto a fixed length stack buffer of 5 bytes. A specifically
crafted PDF file with the Length attribute greater than 5^8 would cause
a buffer overflow.
Affected product(s): Threat Detection Engine 3.36.2 and earlier" [1]
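Three of the engine bugs above share a cause: a size read from the file is trusted before it is checked against the destination (the 5-byte PDF key buffer), or the check itself is defeated by integer overflow (the VB6 metadata validation) or skipped (the CAB CFFolder range check). The following is an added example, not Sophos code, of how a parser for untrusted container metadata validates such sizes. The record layout, the function and enum names and the sample byte strings are all constructed for this illustration; the flawed `naive_fits` check is included only to show how a wrapped product slips past a plain comparison.

```c
/* Added example, not Sophos code: defensive length validation in a parser
 * for untrusted container metadata.  A constructed record format stands in
 * for the VB6 metadata, CAB and PDF structures the bulletin describes:
 *   [count u32 LE][entry_size u32 LE][key_len u32 LE][key bytes][entries]
 * The parser must not let count*entry_size wrap, and must not copy more
 * than the fixed-size key buffer can hold. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_BUF_LEN 5u   /* fixed-size destination, like the 5-byte PDF key buffer */
#define HEADER_LEN 12u

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT,          /* not even a full header */
    PARSE_KEY_TOO_LONG,   /* declared key length exceeds the buffer */
    PARSE_SIZE_OVERFLOW,  /* count * entry_size wraps */
    PARSE_TRUNCATED       /* declared sizes exceed the bytes present */
};

struct record {
    uint32_t count, entry_size, key_len;
    uint8_t key[KEY_BUF_LEN];
    const uint8_t *entries;  /* points into the caller's buffer */
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Flawed check, modelled on the bug class: the product is computed in
 * 32 bits, so a huge count can wrap to a small value that passes. */
bool naive_fits(uint32_t count, uint32_t entry_size, uint32_t available) {
    uint32_t total = count * entry_size;   /* may wrap silently */
    return total <= available;
}

/* Overflow-safe multiply: returns false if a*b does not fit in 32 bits. */
bool mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out) {
    if (b != 0 && a > UINT32_MAX / b) return false;
    *out = a * b;
    return true;
}

bool safe_fits(uint32_t count, uint32_t entry_size, uint32_t available) {
    uint32_t total;
    return mul_u32_checked(count, entry_size, &total) && total <= available;
}

enum parse_status parse_record(const uint8_t *buf, size_t len, struct record *out) {
    if (len < HEADER_LEN) return PARSE_SHORT;
    uint32_t count = rd32le(buf);
    uint32_t entry_size = rd32le(buf + 4);
    uint32_t key_len = rd32le(buf + 8);
    size_t remaining = len - HEADER_LEN;

    /* Check the declared key length against the destination first, then
     * against the bytes actually present, before any copy happens. */
    if (key_len > KEY_BUF_LEN) return PARSE_KEY_TOO_LONG;
    if (key_len > remaining) return PARSE_TRUNCATED;
    remaining -= key_len;

    /* Check the entry table size without letting the product wrap. */
    uint32_t table_len;
    if (!mul_u32_checked(count, entry_size, &table_len)) return PARSE_SIZE_OVERFLOW;
    if (table_len > remaining) return PARSE_TRUNCATED;

    memset(out->key, 0, sizeof out->key);
    memcpy(out->key, buf + HEADER_LEN, key_len);
    out->key_len = key_len;
    out->count = count;
    out->entry_size = entry_size;
    out->entries = buf + HEADER_LEN + key_len;
    return PARSE_OK;
}

/* Constructed sample inputs (not real file data). */
const uint8_t GOOD_RECORD[] = {
    2,0,0,0,  4,0,0,0,  3,0,0,0,  'a','b','c',
    0x11,0x12,0x13,0x14,  0x21,0x22,0x23,0x24 };
/* count = 0x40000001: count*4 wraps to 4 in 32-bit arithmetic. */
const uint8_t WRAPPING_RECORD[] = {
    1,0,0,0x40,  4,0,0,0,  3,0,0,0,  'a','b','c',  0x11,0x12,0x13,0x14 };
/* key_len = 8 declared against a 5-byte key buffer. */
const uint8_t LONG_KEY_RECORD[] = {
    1,0,0,0,  4,0,0,0,  8,0,0,0,  'a','b','c','d','e','f','g','h',
    0x11,0x12,0x13,0x14 };

int main(void) {
    struct record r;
    printf("good:     %d\n", parse_record(GOOD_RECORD, sizeof GOOD_RECORD, &r));
    printf("wrapping: %d (naive check says fits=%d)\n",
           parse_record(WRAPPING_RECORD, sizeof WRAPPING_RECORD, &r),
           naive_fits(0x40000001u, 4u, 4u));
    printf("long key: %d\n", parse_record(LONG_KEY_RECORD, sizeof LONG_KEY_RECORD, &r));
    return 0;
}
```

The order of the checks matters: the destination-size check comes before the truncation check and before any copy, and the multiplication is rejected on overflow rather than compared after the fact, which is exactly the step the wrapped product would otherwise pass.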
MITIGATION
The vendor recommends updating to the latest versions of the related products
to correct these vulnerabilities. [1]
REFERENCES
[1] Tavis Ormandy finds vulnerabilities in Sophos Anti-Virus products
http://www.sophos.com/en-us/support/knowledgebase/118424.aspx
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967