TWSL2016-003: Sophos Anti-Virus Mac OS X Version Update File Unlinking Vulnerability

While researching inter-process communication on Mac OS X, I found a small security issue with Sophos Anti-Virus for Mac: any local user can remove arbitrary files on the system via the Update functionality of the product. This specific issue was found on version 9.2.9.

I started by listing all Sophos processes on my MacBook:

Sophos

All except GUI run as root and are unsandboxed! Looking into the details of SophosAutoUpdate binary I stumbled upon this code snippet:

int _al_ipc_callback() {
...
close$UNIX2003(eax);
unlink("/tmp/.com.sophos.sau.lock");
...

It turns out that any local user can trigger this code path by executing /usr/local/bin/ SophosUpdate binary or via GUI applet AND ownership of .com.sophos.sau.lock is not verified.

So if some user creates a symbolic link to some sensitive file owned by a privileged user, it will be deleted during the update procedure since the process doing deletion (unlinking) runs as root and is not sandboxed. Trustwave security advisory has proof-of-concept code that removes root-owned file via this vulnerability.

Trustwave reported this issue back to vendor and an update (9.2.10) is available for download.

For more information please see the Trustwave security advisory:
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-003/?fid=7650

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.