Mac OS X “Proof Of Concept” Hack and Leap-A Code (Download + Links)

3 10 2006

Critical flaw found in Mac OS X

From Searchsecurity:

Security experts say attackers could exploit a critical security hole in Apple Computer Inc.’s Mac OS X to execute arbitrary shell commands and compromise vulnerable machines. But there are defensive measures IT professionals can take until a patch becomes available.

Word of the flaw came just days after the operating system became the target of malicious code for the first time.

The French Security Incident Response Team (FrSIRT) said in an advisory that the flaw is due to a glitch in how the operating system processes specially crafted resource forks and HFS metadata stored in the “__MACOSX” folder in .zip archives. The security hole affects OS X 10.4.5 and earlier versions.

Attackers could exploit the flaw to execute arbitrary shell commands and compromise a vulnerable system by convincing a user to open a malicious e-mail attachment or visit a specially crafted Web page designed to automatically exploit the vulnerability through the Safari browser.

The new vulnerability isn’t hard to exploit, said Johannes Ullrich, chief research officer for the Bethesda, Md.-based SANS Internet Storm Center (ISC). “The published [proof-of-concept code] will tell you anything you need to know,” he said in an e-mail exchange Tuesday morning. “The vulnerability will work for shell scripts, which are very easy to write and can be used as ‘wrappers’ for other malware.”
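The archive pattern the advisory describes (AppleDouble sidecars under __MACOSX carrying resource forks and HFS metadata, wrapped around a shell script) is something you can check for at a mail gateway or on download while waiting for the patch. The script below is an added example written for this post, not code from SearchSecurity, FrSIRT, Apple or the PoC author: it parses the "._" AppleDouble entries in a zip's __MACOSX folder, reports which ones ship a non-empty resource fork, and flags data entries that start with a #! shebang despite a harmless-looking extension. The sample archive, the extension list and the message strings are my own constructions.

```python
"""Scan a .zip for the __MACOSX / AppleDouble metadata pattern described in the
advisory above. Added example for this post; not code from the original page."""
import io
import os
import struct
import zipfile
from typing import Dict, List

# AppleDouble entry IDs (from Apple's AppleSingle/AppleDouble format description).
RESOURCE_FORK = 2
FINDER_INFO = 9

# Extensions a user would read as harmless (assumption: this list is my own choice).
SAFE_LOOKING = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".mov", ".mp3"}


def appledouble_entries(data: bytes) -> Dict[int, int]:
    """Return {entry_id: length} for an AppleDouble blob, or {} if it is not one.

    Layout: magic 00 05 16 07, version (4 bytes), filler (16), entry count (2),
    then 12-byte entries of (id, offset, length), all big-endian.
    """
    if len(data) < 26 or data[:4] != b"\x00\x05\x16\x07":
        return {}
    (count,) = struct.unpack(">H", data[24:26])
    entries: Dict[int, int] = {}
    for i in range(count):
        off = 26 + 12 * i
        if off + 12 > len(data):
            break  # truncated entry table: stop rather than raise
        eid, _eoff, elen = struct.unpack(">III", data[off:off + 12])
        entries[eid] = elen
    return entries


def scan_zip(blob: bytes) -> List[str]:
    """Return human-readable findings for a zip archive held in memory."""
    findings: List[str] = []
    prefix = "__MACOSX/"
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]

        # 1. Sidecar metadata: __MACOSX/dir/._name holds AppleDouble data for dir/name.
        #    Finder info (entry 9) is routine in Finder-made zips, so only a shipped
        #    resource fork (entry 2) is reported.
        for name in names:
            if not name.startswith(prefix):
                continue
            rel = name[len(prefix):]
            dirpart, _, base = rel.rpartition("/")
            if not base.startswith("._"):
                continue
            target = (dirpart + "/" if dirpart else "") + base[2:]
            entries = appledouble_entries(zf.read(name))
            if entries.get(RESOURCE_FORK, 0) > 0:
                findings.append(f"resource fork shipped for {target}")

        # 2. Payload check: a shell script hiding behind a harmless extension.
        for name in names:
            if name.startswith(prefix):
                continue
            ext = os.path.splitext(name)[1].lower()
            with zf.open(name) as fh:
                head = fh.read(2)
            if head == b"#!" and ext in SAFE_LOOKING:
                findings.append(f"shell script disguised as {ext}: {name}")
    return findings


def make_appledouble(rsrc: bytes) -> bytes:
    """Build a minimal AppleDouble blob with Finder info and a resource fork (constructed)."""
    finder_info = b"\x00" * 32
    header = b"\x00\x05\x16\x07" + b"\x00\x02\x00\x00" + b"\x00" * 16 + struct.pack(">H", 2)
    fi_off = 26 + 2 * 12
    rs_off = fi_off + len(finder_info)
    table = struct.pack(">III", FINDER_INFO, fi_off, len(finder_info))
    table += struct.pack(">III", RESOURCE_FORK, rs_off, len(rsrc))
    return header + table + finder_info + rsrc


def build_sample(malicious: bool = True) -> bytes:
    """Constructed sample archive: a 'photo.jpg' that is really a shell script,
    plus the __MACOSX sidecar resource fork a crafted archive would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"just text\n")
        if malicious:
            zf.writestr("photo.jpg", b"#!/bin/sh\necho 'this would run'\n")
            zf.writestr("__MACOSX/._photo.jpg", make_appledouble(b"RSRC" * 8))
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_zip(build_sample()) or ["clean"]:
        print(line)
```

Run as `python scan.py` and it prints the two findings for the built-in sample; feed `scan_zip()` the bytes of a real attachment to triage it. A resource fork on its own proves nothing (plenty of legitimate Mac archives carry one), so treat the output as a signal for a closer look, not a verdict. The other measure that applied at the time, stated here as my own note rather than something the quoted article spells out, is unticking Safari's "Open 'safe' files after downloading" preference so a downloaded archive is not expanded and opened automatically.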

MMmmmm Mac Hackery. This sounds juicy.

Here’s the Leap-A download that I could find:

OSX.Leap.A Dissassembly.rar

Here’s what VXchaos has on the MAC virii scene:

AIDS.cpt.bin                   25.63 KB   6/2/2006 11:49:06 AM   3
ANTI_A.cpt.bin                  1.50 KB   6/2/2006 11:49:06 AM   3
ANTI_A_Variant.cpt.bin          1.50 KB   6/2/2006 11:49:08 AM   4
ANTI_B.cpt.bin                  1.38 KB   6/2/2006 11:49:08 AM   5
CDEF.cpt.bin                     512 B    6/2/2006 11:49:10 AM   4
f__k.cpt.bin                   24.38 KB   6/2/2006 11:49:10 AM   3
Hpat.cpt.bin                   33.13 KB   6/2/2006 11:49:12 AM   3
InfectionCollection.sit       411.25 KB   6/2/2006 11:49:16 AM   3
INIT_29.cpt.bin                15.13 KB   6/2/2006 11:49:16 AM   3
Jude.cpt.bin                   17.13 KB   6/2/2006 11:49:18 AM   3
MacVirArch10.bin              407.63 KB   6/2/2006 11:49:22 AM   4
MacVirusWriting1.sit.bin       21.50 KB   6/2/2006 11:49:22 AM   3
MBDF_B.sit.bin                 14.25 KB   6/2/2006 11:49:22 AM   4
MDEF_D.cpt.bin                 12.38 KB   6/2/2006 11:49:24 AM   4
mdev_b.sit.bin                  5.38 KB   6/2/2006 11:49:26 AM   4
merryxmas-HCvirus.cpt.bin       2.88 KB   6/2/2006 11:49:26 AM   3
MEV.cpt.hqx                     5.99 KB   6/2/2006 11:49:26 AM   2
nFLU.cpt.bin                   13.38 KB   6/2/2006 11:49:28 AM   4
nVIRB_source.sit.bin            2.25 KB   6/2/2006 11:49:28 AM   3
nVIR_A.cpt.bin                 57.25 KB   6/2/2006 11:49:30 AM   4
nVIR_B.cpt.bin                 36.00 KB   6/2/2006 11:49:32 AM   3
Scores.cpt.bin                 62.00 KB   6/2/2006 11:49:32 AM   4
tetricycle.cpt.bin             78.25 KB   6/2/2006 11:49:34 AM   3
VirusCode.sit                  34.90 KB   6/2/2006 11:49:34 AM   2
VirusReference2.14.sit.bin     42.25 KB   6/2/2006 11:49:36 AM   4
WDEF_A.cpt.bin                  1.75 KB   6/2/2006 11:49:36 AM   4
WDEF_B.cpt.bin                  1.75 KB   6/2/2006 11:49:38 AM   3
wdev_a.sit.bin                  3.25 KB   6/2/2006 11:49:38 AM   4
ZUC_A.cpt.bin                   9.63 KB   6/2/2006 11:49:40 AM   4
ZUC_B.cpt.bin                  17.38 KB   6/2/2006 11:49:40 AM   3

Here’s the original “Proof Of Concept” app, for the hole Apple has already fixed:

http://rapidshare.de/files/35403029/BootRooter.tar.bz2.html

I am looking for the latest exploit code that hasn’t been patched. Stand by for updates.

BTW – The virus/worm is called OSX/Leap-A (aka Oompa-Loompa), and there are some GPL apps that will prevent the worm from installing itself:

http://www.springboardsoftware.com/download/OompaLocker.zip
http://www.springboardsoftware.com/download/OompaLocker-source.zip

NOTE: The latest patches are all up on apple.com, but they still haven’t patched everything, so stay away from IM apps.
Happy McHacking!!
