CVE-2008-1737 in Sophos
Summary
by MITRE
Sophos Anti-Virus 7.0.5, and other 7.x versions, when Runtime Behavioural Analysis is enabled, allows local users to cause a denial of service (reboot with the product disabled) and possibly gain privileges via a zero value in a certain length field in the ObjectAttributes argument to the NtCreateKey hooked System Service Descriptor Table (SSDT) function.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 09/23/2018
The vulnerability identified as CVE-2008-1737 represents a critical security flaw within Sophos Anti-Virus version 7.0.5 and other 7.x releases that becomes exploitable when Runtime Behavioural Analysis is enabled. This issue stems from improper validation of input parameters within the kernel-level system service hooking mechanism that Sophos employs for monitoring and controlling system activities. The vulnerability specifically targets the System Service Descriptor Table (SSDT) function NtCreateKey, which is part of the Windows kernel's internal service interface used for creating registry keys. When the ObjectAttributes argument contains a zero value in a specific length field, the system's behavior becomes unpredictable and potentially exploitable by local attackers.
The technical exploitation of this vulnerability occurs through manipulation of the SSDT hooking mechanism that Sophos implements for runtime monitoring. The NtCreateKey system call serves as a critical interface for registry operations, and when the ObjectAttributes structure contains malformed data with a zero length field, it creates a condition where the kernel's validation routines fail to properly process the request. This failure can manifest in two primary ways: first, the system may become unstable enough to trigger an automatic reboot with the Sophos product disabled, effectively creating a denial of service condition; second, more critically, the improper handling of this input field may allow privilege escalation through kernel-level memory corruption or manipulation of system security controls. The vulnerability operates at the kernel level, making it particularly dangerous as it can bypass user-mode protections and directly affect system integrity.
The operational impact of CVE-2008-1737 extends beyond simple service disruption to potentially enable unauthorized privilege escalation within the target system. Local users who can execute code with sufficient privileges to interact with the hooked system calls can leverage this vulnerability to either force system reboots that temporarily disable Sophos protection, or more severely, to gain elevated privileges that allow them to execute arbitrary code with system-level access. This dual nature of the vulnerability makes it particularly attractive to attackers seeking to compromise systems protected by Sophos Anti-Virus, as it provides both a denial of service vector and a potential path to privilege escalation. The vulnerability demonstrates a classic weakness in kernel-mode input validation, where insufficient bounds checking and parameter validation can create exploitable conditions that directly affect system stability and security.
Mitigation strategies for this vulnerability should focus on immediate patching of affected Sophos Anti-Virus versions, as the vendor would have released a security update addressing the improper parameter validation in the SSDT hooking mechanism. Organizations should also implement monitoring for unusual reboot patterns or system instability that might indicate exploitation attempts. From a security architecture perspective, this vulnerability aligns with CWE-129, which addresses improper validation of array indices and other input parameters, and could be mapped to ATT&CK technique T1068, which involves local privilege escalation through kernel exploits. System administrators should disable Runtime Behavioural Analysis if not required, as this feature specifically enables the vulnerable code paths. Additionally, implementing proper kernel-mode input validation and boundary checking, along with regular security updates and system hardening practices, would prevent similar vulnerabilities from being exploited in other security products that employ similar hooking mechanisms for real-time monitoring and protection.