Reading the paper now. The previous one about internals was awesome. "enumerating badness" keyword :D ROFL
Cheers
antisnatchor

On Mon, Nov 5, 2012 at 3:14 PM, Tavis Ormandy <tav...@cmpxchg8b.com> wrote:
> List, I've completed the second paper in my series analyzing Sophos
> Antivirus internals, titled "Practical Attacks against Sophos
> Antivirus". As the name suggests, this paper describes realistic
> attacks against networks using Sophos products.
>
> The paper includes a working pre-authentication remote root exploit
> that requires zero-interaction, and could be wormed within the next few
> days. I would suggest administrators deploying Sophos products study
> my results urgently, and implement the recommendations.
>
> I've also included a section on best practices for Sophos users,
> intended to help administrators of high-value networks minimise the
> potential damage to their assets caused by Sophos.
>
> The paper is available to download at the link below.
>
> https://lock.cmpxchg8b.com/sophailv2.pdf
>
> A working exploit for Sophos 8.0.6 on Mac is available, however the
> techniques used in the exploit easily transfer to Windows and Linux,
> due to multiple critical implementation flaws described in the paper.
> Testcases for the other flaws described in the paper are available on
> request.
>
> https://lock.cmpxchg8b.com/sophail-rev3-exploit.tar.gz
>
> It is my understanding that Sophos plan to publish their own advice to
> their customers today. I have not been given an opportunity to review
> the advice in advance, so cannot comment on its accuracy.
>
> I have had a working exploit since September, but Sophos requested I
> give them two months to prepare for this publication before discussing
> it. A timeline of our interactions is included in the paper. I believe
> CERT are also preparing an advisory. I'm currently working on the
> third paper in the series, which I'll announce at a later date. Please
> contact me if you would like to be a reviewer. I will add any last
> minute updates to twitter, at http://twitter.com/taviso.
>
> If you would like to learn more about Sophos internals, you can read
> my previous paper in the series here
> https://lock.cmpxchg8b.com/sophail.pdf
>
> I've reproduced a section of the conclusion below.
>
> Tavis.
>
> Conclusion
>
> As demonstrated in this paper, installing Sophos Antivirus exposes
> machines to considerable risk. If Sophos do not urgently improve their
> security posture, their continued deployment causes significant risk
> to global networks and infrastructure.
>
> In response to early access to this report, Sophos did allocate some
> resources to resolve the issues discussed, however they were clearly
> ill-equipped to handle the output of one co-operative, non-adversarial
> security researcher. A sophisticated state-sponsored or highly
> motivated attacker could devastate the entire Sophos user base with
> ease.
>
> Sophos claim their products are deployed throughout healthcare,
> government, finance and even the military. The chaos a motivated
> attacker could cause to these systems is a realistic global threat.
> For this reason, Sophos products should only ever be considered for
> low-value non-critical systems and never deployed on networks or
> environments where a complete compromise by adversaries would be
> inconvenient.
>
> --
> tav...@cmpxchg8b.com | pgp encrypted mail preferred

--
/antisnatchor

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/