[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAAOnDKdDhxoky7BxsQRECNbOsv00DLVzghtJV-SfW4boY44Fww@mail.gmail.com>
Date: Mon, 5 Nov 2012 16:17:02 +0000
From: Michele Orru <antisnatchor@...il.com>
To: Tavis Ormandy <taviso@...xchg8b.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: multiple critical vulnerabilities in sophos
products
Also, "They told me they will work on this, and
will improve their internal security practices."
is just ridiculous.
I have the same feeling you had while reaching out with them,
when the results from some of my product pentests cannot be disclosed
even after patching.
I wish we could always go Full Disclosure, like old times.
Unfortunately lawsuits are a scary beast.
Finally, honestly, not interested in buying a new kitchen for my house.
Cheers
antisnatchor
On Mon, Nov 5, 2012 at 3:29 PM, Michele Orru <antisnatchor@...il.com> wrote:
> Reading the paper now.
> The previous one about internals was awesome.
>
> "enumerating badness" keyword :D ROFL
>
> Cheers
> antisnatchor
>
> On Mon, Nov 5, 2012 at 3:14 PM, Tavis Ormandy <taviso@...xchg8b.com> wrote:
>> List, I've completed the second paper in my series analyzing Sophos
>> Antivirus internals, titled "Practical Attacks against Sophos
>> Antivirus". As the name suggests, this paper describes realistic
>> attacks against networks using Sophos products.
>>
>> The paper includes a working pre-authentication remote root exploit
>> that requires zero-interation, and could be wormed within the next few
>> days. I would suggest administrators deploying Sophos products study
>> my results urgently, and implement the recommendations.
>>
>> I've also included a section on best practices for Sophos users,
>> intended to help administrators of high-value networks minimise the
>> potential damage to their assets caused by Sophos.
>>
>> The paper is available to download at the link below.
>>
>> https://lock.cmpxchg8b.com/sophailv2.pdf
>>
>> A working exploit for Sophos 8.0.6 on Mac is available, however the
>> techniques used in the exploit easily transfer to Windows and Linux,
>> due to multiple critical implementation flaws described in the paper.
>> Testcases for the other flaws described in the paper are available on
>> request.
>>
>> https://lock.cmpxchg8b.com/sophail-rev3-exploit.tar.gz
>>
>> It is my understanding that Sophos plan to publish their own advice to
>> their customers today. I have not been given an opportunity to review
>> the advice in advance, so cannot comment on it's accuracy.
>>
>> I have had a working exploit since September, but Sophos requested I
>> give them two months to prepare for this publication before discussing
>> it. A timeline of our interactions is included in the paper. I believe
>> CERT are also preparing an advisory. I'm currently working on the
>> third paper in the series, which I'll announce at a later date. Please
>> contact me if you would like to be a reviewer. I will add any last
>> minute updates to twitter, at http://twitter.com/taviso.
>>
>> If you would like to learn more about Sophos internals, you can read
>> my previous paper in the series here
>> https://lock.cmpxchg8b.com/sophail.pdf
>>
>> I've reproduced a section of the conclusion below.
>>
>> Tavis.
>>
>> Conclusion
>>
>> As demonstrated in this paper, installing Sophos Antivirus exposes
>> machines to considerable risk. If Sophos do not urgently improve their
>> security posture, their continued deployment causes significant risk
>> to global networks and infrastructure.
>>
>> In response to early access to this report, Sophos did allocate some
>> resources to resolve the issues discussed, however they were cearly
>> ill-equipped to handle the output of one co-operative, non-adversarial
>> security researcher. A sophisticated state-sponsored or highly
>> motivated attacker could devastate the entire Sophos user base with
>> ease.
>>
>> Sophos claim their products are deployed throughout healthcare,
>> government, finance and even the military. The chaos a motivated
>> attacker could cause to these systems is a realistic global threat.
>> For this reason, Sophos products should only ever be considered for
>> low-value non-critical systems and never deployed on networks or
>> environments where a complete compromise by adversaries would be
>> inconvenient.
>>
>> --
>> -------------------------------------
>> taviso@...xchg8b.com | pgp encrypted mail preferred
>> -------------------------------------------------------
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> --
> /antisnatchor
--
/antisnatchor
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists