
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN451
____________________________________________________________________

DATE                :  08/11/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Sophos Antivirus.

======================================================================
http://www.kb.cert.org/vuls/id/662243
______________________________________________________________________

Vulnerability Note VU#662243
Sophos Antivirus contains multiple vulnerabilities

Original Release date: 05 Nov 2012 | Last revised: 06 Nov 2012


Sophos Antivirus contains multiple vulnerabilities including memory
corruption issues and design flaws.


Description

Sophos Antivirus contains multiple vulnerabilities including memory
corruption issues and design flaws. Tavis Ormandy's security report
lists the following vulnerabilities. These vulnerabilities are new and
separate from Tavis' 2011 report entitled "Sophail: A Critical Analysis
of Sophos Antivirus." [PDF] Additional details are available in Tavis
Ormandy's full report entitled, "Sophail: Applied attacks against
Sophos Antivirus." [PDF] A response from Sophos has been posted to
their blog: "Sophos products and Tavis Ormandy."

Integer overflow parsing Visual Basic 6 controls
Visual Basic 6 executables include metadata for GUIDs, Names, Paths,
etc. Sophos Antivirus extracts some of this metadata when it finds a
VB6 executable. The validation code for this metadata is inconsistent,
so an integer overflow exists that may lead to a heap overflow.

sophos_detoured_x64.dll ASLR bypass
Sophos Antivirus comes with a buffer overrun protection feature called
"BOPS." This feature is meant to provide an ASLR-like implementation
for Windows XP. The feature is implemented by using AppInit_DLLs to
force most processes to load sophos_detoured_x64.dll. This DLL file
does not support ASLR, which results in the DLL file being loaded at a
static address. This DLL can then be used in return-oriented
programming exploits to bypass ASLR on Windows Vista and Windows 7.
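As an added illustration (not code from the advisory, from Sophos, or from Tavis Ormandy's report), the following C program performs the check a defender would run on any module forced into every process: it parses a PE header held in memory and reports whether the optional header's DllCharacteristics field carries IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040), the flag a DLL must set before the loader will relocate it under ASLR. The build_test_image helper and the minimal 160-byte header it produces are constructed for the example only and are not a real module.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the advisory or from Sophos: report whether
 * a PE image in memory opts in to ASLR via DYNAMIC_BASE. A module that is
 * pushed into every process but lacks this flag loads at a fixed address,
 * which is the condition the advisory describes. */

#define DYNAMIC_BASE_FLAG 0x0040u   /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */
#define PE32_MAGIC        0x10Bu
#define PE32P_MAGIC       0x20Bu

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if DYNAMIC_BASE is set, 0 if it is clear, -1 if the image is
 * malformed or truncated. Every offset is bounds-checked against len. */
int pe_has_dynamic_base(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe_off = rd32(img + 0x3C);                 /* e_lfanew */
    /* need signature(4) + COFF header(20) + 72 bytes of optional header */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return -1;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + pe_off + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != PE32_MAGIC && magic != PE32P_MAGIC) return -1;
    /* DllCharacteristics sits at offset 70 of the optional header in both
     * PE32 and PE32+ (the differing ImageBase width is absorbed earlier). */
    uint16_t dllchar = rd16(opt + 70);
    return (dllchar & DYNAMIC_BASE_FLAG) ? 1 : 0;
}

/* Constructed minimal PE32+ header (not a real module) carrying the given
 * DllCharacteristics, so the check can be exercised offline. Returns the
 * number of bytes written, or 0 if cap is too small. */
size_t build_test_image(uint8_t *buf, size_t cap, uint16_t dllchar) {
    const size_t need = 0x40 + 4 + 20 + 72;             /* 160 bytes */
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                                   /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *opt = buf + 0x40 + 4 + 20;
    opt[0] = 0x0B; opt[1] = 0x02;                       /* PE32+ magic 0x20B */
    opt[70] = (uint8_t)(dllchar & 0xFF);
    opt[71] = (uint8_t)(dllchar >> 8);
    return need;
}

/* Build a constructed image and run the check on it; use_len = 0 means the
 * whole image, a smaller value simulates a truncated file. */
int check_constructed(uint16_t dllchar, size_t use_len) {
    uint8_t img[160];
    size_t n = build_test_image(img, sizeof img, dllchar);
    if (use_len == 0 || use_len > n) use_len = n;
    return pe_has_dynamic_base(img, use_len);
}

int main(void) {
    printf("no DYNAMIC_BASE  : %d\n", check_constructed(0x0000, 0));
    printf("with DYNAMIC_BASE: %d\n", check_constructed(0x0140, 0));
    printf("truncated header : %d\n", check_constructed(0x0040, 100));
    return 0;
}
```

On a real system the same routine would be fed the first few hundred bytes of the DLL file; a result of 0 for any module listed under AppInit_DLLs is the finding to raise, since such a module is mapped at the same address in every process that loads it.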

Internet Explorer protected mode is effectively disabled by Sophos
Sophos Antivirus installs a Layered Service Provider (LSP) into
Internet Explorer that loads DLL files from low integrity writable
directories. This feature results in effectively disabling Internet
Explorer's protected mode.

Universal XSS
The template for the LSP block page contains a Universal XSS
vulnerability. A Universal XSS vulnerability effectively disables the
"Same Origin Policy" in a web browser, which allows a malicious website
to interact with browser data belonging to other web sites.

Memory corruption vulnerability in Microsoft CAB parsers
The SARCcabSTart() function allocates a fixed-size 32768 byte buffer to
store the contents of CFDATA structures. The CFDATA structure has a
16-bit size field that can describe up to 2^16 - 1 bytes, but the fixed
buffer holds only 2^15. Memory corruption of this kind, with contents
controlled by an attacker, is exploitable.

RAR virtual machine standard filters memory corruption
RAR decompression includes a bytecode interpreting VM. The VM_STANDARD
opcode takes a filter as an operand. Sophos Antivirus does not
correctly handle these filters, causing memory corruption.

Privilege escalation through network update service
Sophos Antivirus includes a network update service that runs with NT
AUTHORITY\SYSTEM privileges. The service loads modules from a directory
that is world-writable. A specifically crafted DLL file can be placed
in the world-writable directory and it will be loaded by the update
service with SYSTEM privileges.

Stack buffer overflow decrypting PDF files
Sophos Antivirus attempts to parse encrypted revision 3 PDF files by
reading the encryption key contents into a fixed-length stack buffer of
5 bytes. A specifically crafted PDF file with a Length attribute
greater than 5*8 (40 bits) will cause a buffer overflow.
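The VB6 metadata, CAB CFDATA and PDF encryption-key bugs described above share one root cause: a size taken from the input is trusted beyond what the destination can hold. The following C program is an added example, not code from the advisory or from Sophos, showing a hardened reader for each of the three cases with the missing check marked. The CFDATA header layout it uses (csum, cbData, cbUncomp) is the documented one; the VB6 table ceiling, the VB6 entry size and the PDF key-material bytes are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the advisory or from Sophos. Each reader
 * below carries the check whose absence the advisory describes. Layouts
 * beyond what the note and the CAB format specify are assumptions. */

#define CFDATA_BUF_SIZE   32768u   /* fixed buffer size cited in the note */
#define CFDATA_HDR_SIZE   8u       /* csum(4) + cbData(2) + cbUncomp(2) */
#define PDF_R3_KEY_BYTES  5u       /* fixed stack buffer cited in the note */
#define VB6_MAX_TABLE     (16u * 1024u * 1024u)   /* assumed sanity ceiling */

/* CAB: cbData is 16-bit (max 65535) while the buffer is 32768 bytes.
 * Returns the number of bytes copied, or -1 when the block is rejected. */
int cab_copy_cfdata(const uint8_t *blk, size_t avail, uint8_t *dst, size_t dst_cap) {
    if (avail < CFDATA_HDR_SIZE) return -1;
    uint16_t cb_data = (uint16_t)(blk[4] | (blk[5] << 8));
    if (cb_data > dst_cap) return -1;                  /* the check the bug lacked */
    if (avail - CFDATA_HDR_SIZE < cb_data) return -1;  /* truncated input */
    memcpy(dst, blk + CFDATA_HDR_SIZE, cb_data);
    return (int)cb_data;
}

/* PDF revision 3: /Length is in bits; a 5-byte key buffer holds 40 bits.
 * Returns the key length in bytes, or -1 when /Length does not fit. */
int pdf_r3_read_key(long length_bits, const uint8_t *src, size_t src_len,
                    uint8_t *key, size_t key_cap) {
    if (length_bits <= 0 || length_bits % 8 != 0) return -1;
    size_t nbytes = (size_t)length_bits / 8;
    if (nbytes > key_cap) return -1;                   /* the check the bug lacked */
    if (nbytes > src_len) return -1;                   /* truncated input */
    memcpy(key, src, nbytes);
    return (int)nbytes;
}

/* VB6 metadata: count * entry_size computed in 32 bits can wrap to a small
 * value, leaving the heap allocation undersized. Returns 0 and the checked
 * size via *out, or -1 when the product overflows or exceeds the ceiling. */
int vb6_table_size(uint32_t count, uint32_t entry_size, uint32_t *out) {
    uint64_t total = (uint64_t)count * entry_size;     /* cannot wrap in 64 bits */
    if (total > UINT32_MAX || total > VB6_MAX_TABLE) return -1;
    *out = (uint32_t)total;
    return 0;
}

/* Constructed CFDATA block with the given cbData, run against the
 * 32768-byte buffer. Returns cab_copy_cfdata's verdict. */
int cab_demo(uint16_t cb_data) {
    static uint8_t buf[CFDATA_BUF_SIZE];
    size_t n = CFDATA_HDR_SIZE + cb_data;
    uint8_t *blk = calloc(n, 1);
    if (!blk) return -1;
    blk[4] = (uint8_t)(cb_data & 0xFF);
    blk[5] = (uint8_t)(cb_data >> 8);
    int r = cab_copy_cfdata(blk, n, buf, sizeof buf);
    free(blk);
    return r;
}

/* Constructed 16 bytes of key material fed to the PDF reader with the given
 * /Length. Returns pdf_r3_read_key's verdict. */
int pdf_demo(long length_bits) {
    static const uint8_t src[16] = { 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18,
                                     0x29, 0x3A, 0x4B, 0x5C, 0x6D, 0x7E, 0x8F, 0x90 };
    uint8_t key[PDF_R3_KEY_BYTES];
    return pdf_r3_read_key(length_bits, src, sizeof src, key, sizeof key);
}

int main(void) {
    uint32_t sz = 0;
    printf("cbData 32768       -> %d\n", cab_demo(32768));
    printf("cbData 65535       -> %d\n", cab_demo(65535));
    printf("/Length 40         -> %d\n", pdf_demo(40));
    printf("/Length 128        -> %d\n", pdf_demo(128));
    printf("VB6 0x10000000*16  -> %d\n", vb6_table_size(0x10000000u, 16u, &sz));
    return 0;
}
```

In each reader the decisive line compares the input-supplied size against the capacity of the destination before any copy or allocation happens; the VB6 case additionally widens the multiplication so the comparison is made on the true product rather than on a wrapped 32-bit value.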


Impact

An attacker may be able to gain control of the system, escalate
privileges, or cause a denial-of-service condition.


Solution

Apply an Update

Sophos has released patches to address these vulnerabilities. Sophos
customers should acquire the patches through their usual support channels.


Vendor Information

Vendor         Status     Date Notified   Date Updated
Sophos, Inc.   Affected   -               10 Oct 2012


CVSS Metrics

Group           Score   Vector
Base            9.7     AV:N/AC:L/Au:N/C:C/I:C/A:P
Temporal        8.7     E:POC/RL:U/RC:C
Environmental   6.5     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND


References

    https://lock.cmpxchg8b.com/sophailv2.pdf
    http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/
    http://lists.grok.org.uk/pipermail/full-disclosure/2012-November/088813.html


Credit

Thanks to Tavis Ormandy for reporting this vulnerability.

This document was written by Jared Allar.


Other Information

    CVE IDs: Unknown
    Date Public: 05 Nov 2012
    Date First Published: 05 Nov 2012
    Date Last Updated: 06 Nov 2012
    Document Revision: 38





=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
