While researching inter-process communication on Mac OS X, I found a small security issue with Sophos Anti-Virus for Mac: any local user can remove arbitrary files on the system via the Update functionality of the product. This specific issue was found on version 9.2.9.
I started by listing all Sophos processes on my MacBook:
All except GUI run as root and are unsandboxed! Looking into the details of SophosAutoUpdate binary I stumbled upon this code snippet:
int _al_ipc_callback() {
...
close$UNIX2003(eax);
unlink("/tmp/.com.sophos.sau.lock");
...
It turns out that any local user can trigger this code path by executing /usr/local/bin/ SophosUpdate binary or via GUI applet AND ownership of .com.sophos.sau.lock is not verified.
So if some user creates a symbolic link to some sensitive file owned by a privileged user, it will be deleted during the update procedure since the process doing deletion (unlinking) runs as root and is not sandboxed. Trustwave security advisory has proof-of-concept code that removes root-owned file via this vulnerability.
Trustwave reported this issue back to vendor and an update (9.2.10) is available for download.
For more information please see the Trustwave security advisory:
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-003/?fid=7650
