INTEGO SECURITY MEMO – OCTOBER 25, 2006
INQTANA.D BLUETOOTH EXPLOIT

Exploit: Inqtana.d Bluetooth exploit

Discovered: October 25, 2006

Risk: Low

Description: This proof-of-concept exploit, which has not yet been
seen in the wild, is installed on a Mac OS X computer via Bluetooth
from a computer or PDA running a Linux system. This can affect Macs
running Mac OS X 10.3 and 10.4 that have not been updated with all
available security updates or system updates. Bluetooth must be
active, but Bluetooth file transfer does not need to be turned on.
The attacking computer must be within Bluetooth range, which by
default is 10 m (30 ft) but can be extended with repeaters and/or
antennas.

This exploit is installed from a Linux system, and exploits an rfcomm
security hole in Bluetooth software. Unlike previous versions of
Inqtana malware, no user interaction is required. It installs a user
account (named “bluetooth”) with no password, which grants root
access to malicious users logging into this account. The account is
available immediately on Mac OS X 10.4 computers, which do not need
to be restarted (Macs running Mac OS X 10.3 do need to be restarted). The
exploit installs a number of files on computers it attacks, and the
user account it installs contains a backdoor that allows malicious
users to log into that account by any network means (Ethernet or
AirPort). Once the exploit has been installed, Bluetooth is no longer
needed to take advantage of it. Users with updated Mac OS X systems
will already have installed a security update that protects against
this vulnerability.
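A defender-side check for the artifact described above, added here as an example (it is not Intego's or Apple's code): it scans a directory dump in the `RecordName:`/`UniqueID:` record format that `dscl . -readall /Users` prints on Mac OS X 10.4 and flags an account named “bluetooth”, any non-root account with UID 0, and any account with an empty Password attribute. The record layout and the sample records are assumptions constructed for illustration.

```python
"""Flag a backdoor account of the kind the Inqtana.d memo describes."""
import sys

# Constructed sample dump: root, one ordinary user, and the kind of
# "bluetooth" account the memo describes (no password, root-equivalent).
# The attribute names follow `dscl . -readall /Users` as assumed here.
SAMPLE_DUMP = """\
RecordName: root
UniqueID: 0
PrimaryGroupID: 0
Password: ********
-
RecordName: alice
UniqueID: 501
PrimaryGroupID: 501
Password: ********
-
RecordName: bluetooth
UniqueID: 0
PrimaryGroupID: 0
Password:
"""


def parse_records(dump):
    """Split a dscl-style dump into a list of {attribute: value} dicts."""
    records, current = [], {}
    for line in dump.splitlines():
        if line.strip() == "-":          # record separator
            if current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def find_suspicious_accounts(dump):
    """Return [(account_name, [reasons])] for records matching the memo."""
    findings = []
    for rec in parse_records(dump):
        name = rec.get("RecordName", "")
        reasons = []
        if name == "bluetooth":
            reasons.append("account name matches the Inqtana.d backdoor")
        if rec.get("UniqueID") == "0" and name != "root":
            reasons.append("UniqueID 0 (root-equivalent) on a non-root account")
        if "Password" in rec and rec["Password"] == "":
            reasons.append("empty password attribute (assumed to mean no password)")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    # Read a real dump from stdin when piped; otherwise use the sample.
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for name, reasons in find_suspicious_accounts(dump):
        print(name + ": " + "; ".join(reasons))
```

A hit on any of the three conditions is a reason to treat the machine as compromised and remove the account rather than just patching, since the memo notes the backdoor survives the updates.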

Means of protection: Intego VirusBarrier X and VirusBarrier X4
(http://www.intego.com/virusbarrier/), with virus definitions dated
October 25, 2006 or later, protect against this exploit.

Apple’s security update 2005-005
(http://docs.info.apple.com/article.html?artnum=301528) protects
against this vulnerability in Mac OS X 10.3; Apple’s Mac OS X 10.4.7
update (http://docs.info.apple.com/article.html?artnum=303973)
protects against this vulnerability in computers running Mac OS X
10.4. If users have not installed these updates, they should do so,
along with all subsequent security updates.

If, however, users’ computers have been compromised before applying
the updates mentioned above, the damage will be done, and the
backdoor will remain installed. The only way to ensure that this
backdoor is removed is to run Intego VirusBarrier X4.