ESET antivirus cracks open Apple Macs to remote root execution via man-in-middle diddle

Winter Soldier

Feb 13, 2017
Bored hacker looking for fun? We couldn't possibly suggest you attack the latest vulnerability in ESET's antivirus software, because it's too basic to offer any challenge at all.

As outlined in this advisory today, all you need to get root-level remote code execution on a Mac is to intercept the ESET antivirus package's connection to its backend servers, put yourself in as a man-in-the-middle, and exploit an XML library hole.

Or, to use the technically correct language of Google Security Team's Jason Geffner and Jan Bee: “Vulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an outdated XML parsing library and do not perform proper server authentication, allowing for remote unauthenticated attackers to perform arbitrary code execution as root on vulnerable clients.” Lovely.

The esets_daemon uses an old version of POCO's XML parser library that is vulnerable to a buffer overflow bug, aka CVE-2016-0718, they explain. Among other things, that library handles license activation with a request to https://edf.eset.com/edf: whatever data is sent back from that server can exploit the XML parser bug to potentially gain arbitrary code execution as root – the user assumed by ESET's antivirus.

The man-in-the-middle diddle is possible because the daemon doesn't check ESET's licensing server certificate, allowing a malicious machine masquerading as the ESET licensing server to give the client a self-signed HTTPS cert. Now the attacker controls the connection, they can send malformed content to the Mac to hijack the XML parser and execute code as root.

"When ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a request to https://edf.eset.com/edf," the Googlers explain.

"The esets_daemon service does not validate the web server's certificate, so a man-in-the-middle can intercept the request and respond using a self-signed HTTPS certificate. The esets_daemon service parses the response as an XML document, thereby allowing the attacker to supply malformed content and exploit CVE-2016-0718 to achieve arbitrary code execution as root."

ESET has fixed the issue in version 6.4.168.0. Make sure you're patched up to date to avoid any trouble. ®
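The root cause the advisory quotes is a client that never authenticates the server it talks to. As an added illustration (not code from ESET, Google or The Register), this Go program reproduces that condition on loopback: it generates a constructed self-signed certificate for the hostname named in the post, serves it from a local TLS listener, and shows that a client configured to skip verification completes the handshake while a client with ordinary chain and hostname verification does not. The hostname is the only value taken from the post; the certificate, listener and function names are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

const licenseHost = "edf.eset.com" // licensing endpoint named in the post

// selfSignedCert builds a constructed, throwaway self-signed certificate for
// licenseHost, standing in for what an impostor server would present.
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{licenseHost},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// ClientAccepts serves the impostor certificate from a loopback TLS listener and
// reports whether a client completes the handshake. skipVerify=true models the
// unpatched daemon; false verifies the chain against the system roots plus the
// hostname, so the self-signed certificate is rejected.
func ClientAccepts(skipVerify bool) bool {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // server side; a verifying client aborts this
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(),
		&tls.Config{ServerName: licenseHost, InsecureSkipVerify: skipVerify})
	if err == nil {
		conn.Close()
	}
	return err == nil
}
```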
 
