-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0152
        Multiple vulnerabilities have been fixed in Sophos products
                              6 November 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Sophos Threat Detection Engine
                      Sophos Anti-Virus for Windows
                      Sophos Anti-Virus for Unix
                      Sophos Anti-Virus for Mac OS X
                      Sophos Anti-Virus for Linux
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                      Increased Privileges            -- Existing Account            
                      Denial of Service               -- Remote/Unauthenticated      
                      Cross-site Scripting            -- Remote with User Interaction
                      Reduced Security                -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
Member content until: Thursday, December  6 2012

Comment: A Metasploit payload demo exists as a proof of concept exploit of the 
         PDF stack buffer overflow vulnerability present in the Sophos on-access 
         scanner.

OVERVIEW

        Multiple vulnerabilities have been identified in Sophos products. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        "Integer overflow parsing Visual Basic 6 controls
        
        Description: A remote code execution vulnerability in how the Sophos
        Anti-Virus engine scans malformed Visual Basic 6 compiled files - Visual
        Basic 6 executables include metadata for GUIDs, Names, Paths, etc.
        Sophos Anti-Virus extracts some of this metadata when it finds a VB6
        executable. The validation code for this metadata incorrectly handled
        integer overflows, which could lead to a heap overflow exploit.
        
        Affected product(s): Threat Detection Engine 3.35.1 and earlier" [1]
        
        
        "sophos_detoured_x64.dll ASLR bypass
        
        Description: An issue with the BOPS technology in Sophos Anti-Virus for
        Windows and how it interacts with Address Space Layout Randomisation
        (ASLR) on Windows Vista and later. Sophos BOPS protection requires most
        processes to load the Sophos_detoured_x64 DLL but this DLL was not
        using ASLR and resulted in it being loaded at a static address,
        effectively bypassing the use of ASLR elsewhere in the product and
        increasing the opportunity for exploits.
        
        Affected product(s): Anti-Virus 9.x & Anti-Virus 10.x" [1]
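        The issue above is that a single DLL built without the DYNAMIC_BASE
        flag lands at a fixed address and gives an attacker a stable module in
        an otherwise randomised process. The check a defender wants is therefore
        "does this image opt in to ASLR?", which is a two-byte field in the PE
        optional header. The following is an added example, not Sophos code and
        not taken from the advisory: a read-only header walk that reports the
        DllCharacteristics flags of a PE32/PE32+ image. Flag values and header
        offsets come from the PE/COFF specification; the sample image built by
        build_sample() is a constructed header-only stub, not a real DLL, and
        the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*). */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040  /* image may be relocated (ASLR) */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100  /* DEP compatible */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the DllCharacteristics field (0..0xFFFF) of a PE image held in
 * memory, or -1 if the buffer is not a parseable PE32/PE32+ image.
 * Every offset is bounds-checked against len before it is read. */
int pe_dll_characteristics(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;   /* DOS header */
    uint32_t pe_off = rd32(img + 0x3c);                             /* e_lfanew */
    /* need "PE\0\0" (4) + COFF header (20) + optional header through DllCharacteristics (72) */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return -1;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + pe_off + 4 + 20;                    /* optional header */
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;                /* PE32 / PE32+ only */
    /* DllCharacteristics sits at offset 70 of the optional header in both formats */
    return rd16(opt + 70);
}

/* 1 if the image opted in to ASLR, 0 otherwise (including unparseable input). */
int pe_has_aslr(const uint8_t *img, size_t len)
{
    int c = pe_dll_characteristics(img, len);
    return c >= 0 && (c & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
}

/* Constructed sample for this example: a header-only PE32+ stub with the given
 * DllCharacteristics. Returns the number of bytes written, 0 if cap is too small. */
size_t build_sample(uint8_t *buf, size_t cap, uint16_t dllchars)
{
    const size_t pe_off = 0x80;
    const size_t need = pe_off + 4 + 20 + 240;   /* 240 = PE32+ optional header size */
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (uint8_t)pe_off;                 /* little-endian e_lfanew, fits one byte */
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *opt = buf + pe_off + 24;
    opt[0] = 0x0b; opt[1] = 0x02;                /* magic 0x20b = PE32+ */
    opt[70] = (uint8_t)(dllchars & 0xff);
    opt[71] = (uint8_t)(dllchars >> 8);
    return need;
}

int main(void)
{
    uint8_t img[512];
    size_t n = build_sample(img, sizeof img, IMAGE_DLLCHARACTERISTICS_NX_COMPAT);
    printf("DEP-only stub: DllCharacteristics=0x%04x ASLR=%d\n",
           pe_dll_characteristics(img, n), pe_has_aslr(img, n));
    n = build_sample(img, sizeof img,
                     IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE);
    printf("ASLR+DEP stub: DllCharacteristics=0x%04x ASLR=%d\n",
           pe_dll_characteristics(img, n), pe_has_aslr(img, n));
    return 0;
}
```

        On a real system the same walk is run over the bytes of each module a
        protected process loads; any module that reports ASLR=0 is the static
        address the advisory warns about and should be rebuilt with /DYNAMICBASE.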
        
        
        "Internet Explorer protected mode is effectively disabled by Sophos
        
        Description: An issue with how Sophos protection interacts with Internet
        Explorer's Protected Mode - Sophos installs a Layered Service Provider
        (LSP) into Internet Explorer that loaded DLL files from writable
        directories. This effectively disabled Internet Explorer's protected
        mode, as legitimate DLLs could be altered or replaced and IE will still
        execute them.
        
        Affected product(s): Anti-Virus 10.x" [1]
        
        
        "Universal XSS
        
        Description: The Sophos web protection and web control Layered Service
        Provider (LSP) block page was found to include a flaw that could be
        exploited, by specially crafted web sites, to run Java code inserted in
        the URL query tags.
        
        Affected product(s): Anti-Virus 10.x" [1]
        
        
        "Memory corruption vulnerability in Microsoft CAB parsers
        
        Description: A vulnerability in the way the Sophos Anti-Virus engine
        handles specially crafted CAB files, which could cause the engine to
        corrupt memory - there is an error in the way the process checks which
        compression algorithm is specified for the CFFolder structure. The error
        leads to the range check on the input data size being skipped, leading
        to a buffer overflow.
        
        Affected product(s): Threat Detection Engine 3.35.1 and earlier" [1]
        
        
        "RAR virtual machine standard filters memory corruption
        
        Description: A vulnerability in the way the Sophos Anti-Virus engine
        handled specially crafted RAR files, which could cause the engine to
        corrupt memory - RAR decompression includes a byte-code interpreting VM.
        The VM_STANDARD opcode takes a filter as an operand. These filters were
        not being handled correctly.
        
        Affected product(s): Threat Detection Engine 3.36.2 and earlier" [1]
        
        
        "Privilege escalation through network update service
        
        Description: A lack of access control on the Sophos updating directory
        that potentially allowed any user to insert their own file and have it
        executed - the Sophos network update service runs with NT
        AUTHORITY\SYSTEM privileges. This service loads modules from a directory
        that was writable with no privileges. A specifically crafted DLL file
        could be placed in the world-writable directory and loaded by the update
        service with SYSTEM privileges.
        
        Affected product(s): Anti-Virus 9.x & Anti-Virus 10.x" [1]
        
        
        "Stack buffer overflow decrypting PDF files
        
        Description: A remote code execution vulnerability in the way the Sophos
        Anti-Virus engine decrypts revision 3 PDF files that have been specially
        crafted with an over-length size attribute - Sophos Anti-Virus engine
        parses encrypted revision 3 PDF files by reading the encryption key
        contents onto a fixed length stack buffer of 5 bytes. A specifically
        crafted PDF file with the Length attribute greater than 5^8 would cause
        a buffer overflow.
        
        Affected product(s): Threat Detection Engine 3.36.2 and earlier" [1]
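        Three of the engine bugs above share one root cause: a size taken from
        the file is trusted before it is compared against what the parser can
        actually hold. The VB6 case is a validation check that wraps in 32-bit
        arithmetic, the CAB case is a range check on the input size that is
        skipped, and the PDF case is a declared Length copied into a 5-byte
        stack buffer. The following added example (not Sophos code, and not the
        engine's real data layout, which the advisory does not give) shows the
        two checks in their corrected form next to the naive size test that
        wraps: read_key_field() refuses a length-prefixed field that would not
        fit a fixed stack buffer, and validate_table() rejects a count * size
        product that would overflow before it is compared with the bytes
        available. The field format, buffer size and function names are this
        example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_BUF_SIZE 5   /* fixed stack buffer, sized as in the PDF description */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TOO_LONG = 1,   /* declared size exceeds the destination or the input */
    PARSE_TRUNCATED = 2,  /* input ends before the declared size */
    PARSE_OVERFLOW = 3    /* size arithmetic would wrap */
};

/* Copy a length-prefixed field (hypothetical layout: one length byte, then
 * that many bytes) into a fixed-size caller buffer. The declared length is
 * checked against both the destination and the remaining input before any
 * byte is copied, so an over-length field is an error, not an overflow. */
int read_key_field(const uint8_t *data, size_t data_len,
                   uint8_t out[KEY_BUF_SIZE], size_t *out_len)
{
    if (data_len < 1) return PARSE_TRUNCATED;
    size_t declared = data[0];
    if (declared > KEY_BUF_SIZE) return PARSE_TOO_LONG;    /* the missing range check */
    if (declared > data_len - 1) return PARSE_TRUNCATED;   /* never read past the input */
    memcpy(out, data + 1, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* The broken pattern: count * elem_size computed in 32 bits wraps, so a huge
 * table passes the "fits in available" test and a later copy overruns. Kept
 * only to contrast with validate_table(); never use it for real input. */
int naive_table_fits(uint32_t count, uint32_t elem_size, uint32_t available)
{
    return (uint32_t)(count * elem_size) <= available;
}

/* Corrected check: reject the product if it would exceed UINT32_MAX, then
 * compare it with the bytes actually available. On success *needed holds
 * the byte count the caller may allocate and copy. */
int validate_table(uint32_t count, uint32_t elem_size, uint32_t available,
                   uint32_t *needed)
{
    if (elem_size == 0) { *needed = 0; return PARSE_OK; }
    if (count > UINT32_MAX / elem_size) return PARSE_OVERFLOW;   /* product would wrap */
    uint32_t n = count * elem_size;                              /* now known not to wrap */
    if (n > available) return PARSE_TOO_LONG;
    *needed = n;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed inputs for this example: a field that fits and one that does not. */
    const uint8_t good[] = {3, 'a', 'b', 'c'};
    const uint8_t over[] = {9, 1, 2, 3, 4, 5, 6, 7, 8, 9};
    uint8_t key[KEY_BUF_SIZE];
    size_t key_len = 0;

    printf("good field -> status %d, %zu bytes\n",
           read_key_field(good, sizeof good, key, &key_len), key_len);
    printf("over-length field -> status %d\n",
           read_key_field(over, sizeof over, key, &key_len));

    /* count * elem_size == 2^32 wraps to 0 in 32-bit arithmetic */
    uint32_t needed = 0;
    printf("naive check accepts wrapped size: %d\n",
           naive_table_fits(0x40000000u, 4, 1024));
    printf("validate_table on same input -> status %d\n",
           validate_table(0x40000000u, 4, 1024, &needed));
    return 0;
}
```

        The order of the tests in validate_table() is the point: the overflow
        guard runs on the operands before the multiplication, because a check
        on the already-wrapped product is exactly what the VB6 description says
        failed.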


MITIGATION

        The vendor recommends updating the affected products to the latest 
        versions to correct these vulnerabilities. [1]


REFERENCES

        [1] Tavis Ormandy finds vulnerabilities in Sophos Anti-Virus products
            http://www.sophos.com/en-us/support/knowledgebase/118424.aspx

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----