While researching inter-process communication on Mac OS X, I found a small security issue with Sophos Anti-Virus for Mac: any local user can remove arbitrary files on the system via the Update functionality of the product. This specific issue was found on version 9.2.9.
I started by listing all Sophos processes on my MacBook:
All except the GUI run as root and are unsandboxed! Looking into the SophosAutoUpdate binary, I stumbled upon this code snippet (decompiler output, abridged):

```c
int _al_ipc_callback() {
    ...
    close$UNIX2003(eax);                  /* close the descriptor held on the lock file */
    unlink("/tmp/.com.sophos.sau.lock");  /* fixed path in world-writable /tmp, removed as root with no check of what is there */
    ...
}
```
It turns out that any local user can trigger this code path by executing the /usr/local/bin/SophosUpdate binary or via the GUI applet, and the ownership of .com.sophos.sau.lock is never verified.
So if a user creates a symbolic link with that name pointing to a sensitive file owned by a privileged user, the file will be deleted during the update procedure, since the process doing the deletion (unlinking) runs as root and is not sandboxed. The Trustwave security advisory contains proof-of-concept code that removes a root-owned file via this vulnerability.
Trustwave reported this issue to the vendor, and an update (9.2.10) is available for download.
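The root cause is a privileged process creating and removing a file at a fixed, predictable path in a world-writable directory without checking what actually sits at that path. The following is an added example of the hardened pattern, written for this post and not taken from Sophos or the Trustwave advisory: the lock is created with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted link makes the open fail instead of being followed, the open descriptor is checked with fstat(), and before removal the path is inspected with lstat() (which does not follow symlinks) and compared against the descriptor's inode so the process only ever unlinks its own regular file. The lock path and the temporary directory used in main() are constructed for the demo.

```c
/* Hardened lock-file handling (added example, not product code). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the lock file at `path`. O_EXCL fails if anything already exists
 * there (a symlink planted by another user counts as existing) and
 * O_NOFOLLOW refuses to traverse a symlink as the final component.
 * Returns the open descriptor, or -1 if the path cannot be trusted. */
int acquire_lock(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    /* fstat() on the descriptor cannot be raced by a later path swap. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Remove the lock file only if `path` still names our own regular file.
 * lstat() reports a symlink rather than following it, and the inode is
 * compared with the descriptor we hold (when fd >= 0) so a substituted
 * file is detected. Returns 0 on success, -1 if the path is not trusted. */
int release_lock(int fd, const char *path) {
    struct stat on_disk, ours;
    if (fd >= 0 && fstat(fd, &ours) != 0)
        return -1;
    if (lstat(path, &on_disk) != 0)
        return -1;
    if (S_ISLNK(on_disk.st_mode) || !S_ISREG(on_disk.st_mode))
        return -1;                                  /* planted link or non-file */
    if (on_disk.st_uid != geteuid())
        return -1;                                  /* not ours: never unlink as root */
    if (fd >= 0 && (on_disk.st_dev != ours.st_dev || on_disk.st_ino != ours.st_ino))
        return -1;                                  /* path no longer refers to our file */
    if (fd >= 0)
        close(fd);
    return unlink(path);
}

/* Stand-alone demo in a private temporary directory (constructed path). */
int main(void) {
    char dir[] = "/tmp/lockdemoXXXXXX";
    if (mkdtemp(dir) == NULL) {
        perror("mkdtemp");
        return 1;
    }
    char lock[256];
    snprintf(lock, sizeof lock, "%s/.demo.lock", dir);
    int fd = acquire_lock(lock);
    printf("acquire: %s\n", fd >= 0 ? "ok" : strerror(errno));
    printf("release: %s\n", release_lock(fd, lock) == 0 ? "ok" : "refused");
    rmdir(dir);
    return 0;
}
```

The sticky bit on /tmp means another user cannot remove or rename a root-owned lock file once it exists, so the window between the lstat() check and unlink() is only exploitable when the file is not ours, which is exactly the case the checks reject. For a system service, a private directory under /var/run (not writable by other users) removes the whole problem class.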
For more information please see the Trustwave security advisory:
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-003/?fid=7650