
CERT Coordination Center

Sophos Antivirus contains multiple vulnerabilities

Vulnerability Note VU#662243

Original Release Date: 2012-11-05 | Last Revised: 2012-11-06

Overview

Sophos Antivirus contains multiple vulnerabilities including memory corruption issues and design flaws.

Description

Sophos Antivirus contains multiple vulnerabilities, including memory corruption issues and design flaws. Tavis Ormandy's security report lists the vulnerabilities described below. These vulnerabilities are new and separate from those in Tavis Ormandy's 2011 report entitled "Sophail: A Critical Analysis of Sophos Antivirus." [PDF] Additional details are available in Tavis Ormandy's full report entitled "Sophail: Applied attacks against Sophos Antivirus." [PDF] A response from Sophos has been posted to their blog: "Sophos products and Tavis Ormandy."

Integer overflow parsing Visual Basic 6 controls
Visual Basic 6 executables include metadata such as GUIDs, names, and paths. Sophos Antivirus extracts some of this metadata when it finds a VB6 executable. The validation code for this metadata is inconsistent, so an integer overflow vulnerability exists that may lead to a heap overflow.

sophos_detoured_x64.dll ASLR bypass
Sophos Antivirus comes with a buffer overrun protection feature called "BOPS." This feature is meant to provide an ASLR-like implementation for Windows XP. The feature is implemented by using AppInit_DLLs to force most processes to load sophos_detoured_x64.dll. This DLL file does not support ASLR, which results in the DLL file being loaded at a static address. This DLL can then be used in return-oriented programming exploits to bypass ASLR on Windows Vista and Windows 7.

Internet Explorer protected mode is effectively disabled by Sophos
Sophos Antivirus installs a Layered Service Provider (LSP) into Internet Explorer that loads DLL files from low integrity writable directories. This feature results in effectively disabling Internet Explorer's protected mode.

Universal XSS
The template for the LSP block page contains a Universal XSS vulnerability. A Universal XSS vulnerability effectively disables the "Same Origin Policy" in a web browser, allowing a malicious website to interact with web browser data across web sites.

Memory corruption vulnerability in Microsoft CAB parsers
The SARCcabSTart() function allocates a fixed-size 32768 byte buffer to store the contents of CFDATA structures. The size field of a CFDATA structure is 16 bits wide, so it can declare up to 2^16 - 1 bytes, but the fixed buffer holds only 2^15 bytes. Vulnerabilities that result in memory corruption controlled by an attacker are exploitable.
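As an added illustration (not code from the note, from Sophos, or from the report), the following C routine copies a CFDATA block into a fixed 32768-byte buffer only after checking the 16-bit size field against both the buffer size and the bytes actually present. The header layout follows the MS-CAB CFDATA format; the function names and the try_block driver are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* MS-CAB CFDATA header, little-endian: csum u32, cbData u16, cbUncomp u16. */
#define CFDATA_HDR_LEN 8
/* The fixed-size block buffer the note describes (2^15 bytes). A uint16_t
   cbData can declare up to 65535 bytes, so the check below is essential. */
#define BLOCK_BUF_LEN 32768

typedef struct { uint32_t csum; uint16_t cb_data; uint16_t cb_uncomp; } cfdata_hdr;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Parse a CFDATA header. Returns 0 on success, -1 if the input is too short. */
int cfdata_parse_hdr(const uint8_t *buf, size_t len, cfdata_hdr *h) {
    if (len < CFDATA_HDR_LEN) return -1;
    h->csum = rd32(buf);
    h->cb_data = rd16(buf + 4);
    h->cb_uncomp = rd16(buf + 6);
    return 0;
}

/* Hardened copy: refuses blocks whose declared payload exceeds the fixed
   buffer or the bytes actually available. Returns bytes copied, or -1. */
int cfdata_copy_checked(const uint8_t *buf, size_t len, uint8_t out[BLOCK_BUF_LEN]) {
    cfdata_hdr h;
    if (cfdata_parse_hdr(buf, len, &h) != 0) return -1;
    if (h.cb_data > BLOCK_BUF_LEN) return -1;        /* the check a fixed buffer needs */
    if (len - CFDATA_HDR_LEN < h.cb_data) return -1; /* truncated input */
    memcpy(out, buf + CFDATA_HDR_LEN, h.cb_data);
    return (int)h.cb_data;
}

/* Constructed driver (assumption, not from the note): builds a header that
   declares cb_data bytes, appends payload_len bytes of 'A', and runs the
   checked copy so the outcome for each size combination can be observed. */
int try_block(uint16_t cb_data, size_t payload_len) {
    static uint8_t in[CFDATA_HDR_LEN + 65535];
    static uint8_t out[BLOCK_BUF_LEN];
    memset(in, 0, sizeof in);
    in[4] = (uint8_t)(cb_data & 0xff);
    in[5] = (uint8_t)(cb_data >> 8);
    memset(in + CFDATA_HDR_LEN, 'A', payload_len);
    return cfdata_copy_checked(in, CFDATA_HDR_LEN + payload_len, out);
}
```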

RAR virtual machine standard filters memory corruption
RAR decompression includes a bytecode-interpreting VM. The VM_STANDARD opcode takes a filter as an operand. Sophos Antivirus does not correctly handle these filters, causing memory corruption.

Privilege escalation through network update service
Sophos Antivirus includes a network update service that runs with NT AUTHORITY\SYSTEM privileges. The service loads modules from a directory that is world-writable. A specifically crafted DLL file placed in that world-writable directory will be loaded by the update service with SYSTEM privileges.

Stack buffer overflow decrypting PDF files
Sophos Antivirus attempts to parse encrypted revision 3 PDF files by reading the encryption key contents into a fixed-length stack buffer of 5 bytes. A specifically crafted PDF file whose Length attribute (a key length expressed in bits) is greater than 5*8 will cause a buffer overflow.

Impact

An attacker may be able to gain control of the system, escalate privileges, or cause a denial-of-service condition.

Solution

Apply an Update

Sophos has released patches to address these vulnerabilities. Sophos customers should acquire the patches through their usual support channels.

Vendor Information


Sophos, Inc. Affected

Updated:  October 10, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group          Score   Vector
Base           9.7     AV:N/AC:L/Au:N/C:C/I:C/A:P
Temporal       8.7     E:POC/RL:U/RC:C
Environmental  6.5     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Tavis Ormandy for reporting these vulnerabilities.

This document was written by Jared Allar.

Other Information

CVE IDs: None
Date Public: 2012-11-05
Date First Published: 2012-11-05
Date Last Updated: 2012-11-06 13:17 UTC
Document Revision: 40

Sponsored by CISA.