Message-ID: <CAAOnDKeDsDJ6sdExD5TMyn3CkqHB2JmGLDDSqrin20qZb6suWQ@mail.gmail.com>
Date: Mon, 5 Nov 2012 15:29:39 +0000
From: Michele Orru <antisnatchor@...il.com>
To: Tavis Ormandy <taviso@...xchg8b.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: multiple critical vulnerabilities in sophos products
Reading the paper now.
The previous one about internals was awesome.
"enumerating badness" keyword :D ROFL
Cheers
antisnatchor
On Mon, Nov 5, 2012 at 3:14 PM, Tavis Ormandy <taviso@...xchg8b.com> wrote:
> List, I've completed the second paper in my series analyzing Sophos
> Antivirus internals, titled "Practical Attacks against Sophos
> Antivirus". As the name suggests, this paper describes realistic
> attacks against networks using Sophos products.
>
> The paper includes a working pre-authentication remote root exploit
> that requires zero-interaction, and could be wormed within the next few
> days. I would suggest administrators deploying Sophos products study
> my results urgently, and implement the recommendations.
>
> I've also included a section on best practices for Sophos users,
> intended to help administrators of high-value networks minimise the
> potential damage to their assets caused by Sophos.
>
> The paper is available to download at the link below.
>
> https://lock.cmpxchg8b.com/sophailv2.pdf
>
> A working exploit for Sophos 8.0.6 on Mac is available, however the
> techniques used in the exploit easily transfer to Windows and Linux,
> due to multiple critical implementation flaws described in the paper.
> Testcases for the other flaws described in the paper are available on
> request.
>
> https://lock.cmpxchg8b.com/sophail-rev3-exploit.tar.gz
>
> It is my understanding that Sophos plan to publish their own advice to
> their customers today. I have not been given an opportunity to review
> the advice in advance, so cannot comment on its accuracy.
>
> I have had a working exploit since September, but Sophos requested I
> give them two months to prepare for this publication before discussing
> it. A timeline of our interactions is included in the paper. I believe
> CERT are also preparing an advisory. I'm currently working on the
> third paper in the series, which I'll announce at a later date. Please
> contact me if you would like to be a reviewer. I will add any last
> minute updates to twitter, at http://twitter.com/taviso.
>
> If you would like to learn more about Sophos internals, you can read
> my previous paper in the series here
> https://lock.cmpxchg8b.com/sophail.pdf
>
> I've reproduced a section of the conclusion below.
>
> Tavis.
>
> Conclusion
>
> As demonstrated in this paper, installing Sophos Antivirus exposes
> machines to considerable risk. If Sophos do not urgently improve their
> security posture, their continued deployment causes significant risk
> to global networks and infrastructure.
>
> In response to early access to this report, Sophos did allocate some
> resources to resolve the issues discussed, however they were clearly
> ill-equipped to handle the output of one co-operative, non-adversarial
> security researcher. A sophisticated state-sponsored or highly
> motivated attacker could devastate the entire Sophos user base with
> ease.
>
> Sophos claim their products are deployed throughout healthcare,
> government, finance and even the military. The chaos a motivated
> attacker could cause to these systems is a realistic global threat.
> For this reason, Sophos products should only ever be considered for
> low-value non-critical systems and never deployed on networks or
> environments where a complete compromise by adversaries would be
> inconvenient.
>
> --
> -------------------------------------
> taviso@...xchg8b.com | pgp encrypted mail preferred
> -------------------------------------------------------
>
--
/antisnatchor
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/