ESET antivirus cracks opens Apple Macs to remote root execution via man-in-middle diddle

Bored hacker looking for fun? We couldn't possibly suggest you attack the latest vulnerability in ESET's antivirus software, because it's too basic to offer any challenge at all.

As outlined in this advisory today, all you need to get root-level remote code execution on a Mac is to intercept the ESET antivirus package's connection to its backend servers, put yourself in as a man-in-the-middle, and exploit an XML library hole.

Or, to use the technically correct language of Google Security Team's Jason Geffner and Jan Bee: “Vulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an outdated XML parsing library and do not perform proper server authentication, allowing for remote unauthenticated attackers to perform arbitrary code execution as root on vulnerable clients.” Lovely.

The esets_daemon uses an old version of POCO's XML parser library that is vulnerable to a buffer overflow bug, aka CVE-2016-0718, they explain. Among other things, that library handles license activation with a request to https://edf.eset.com/edf: whatever data is sent back from that server can exploit the XML parser bug to potentially gain arbitrary code execution as root – the user assumed by ESET's antivirus.

The man-in-the-middle diddle is possible because the daemon doesn't check ESET's licensing server certificate, allowing a malicious machine masquerading as the ESET licensing server to give the client a self-signed HTTPS cert. Now the attacker controls the connection, they can send malformed content to to the Mac to hijack the XML parser and execute code as root.

"When ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a request to https://edf.eset.com/edf," the Googlers explain.

"The esets_daemon service does not validate the web server's certificate, so a man-in-the-middle can intercept the request and respond using a self-signed HTTPS certificate. The esets_daemon service parses the response as an XML document, thereby allowing the attacker to supply malformed content and exploit CVE-2016-0718 to achieve arbitrary code execution as root."

ESET has fixed the issue in version 6.4.168.0. Make sure you're patched up to date to avoid any trouble. ®

Update:

ESET got in touch with the following statement:

“Recently, The Google Security Team discovered vulnerabilities in ESET’s consumer and business products for macOS that under some circumstances could allow a user’s machine to be compromised. All of the details are available in our support site here. “Working together with The Google Security Team, we issued updates on February 13th and 14th that corrected the issues before the vulnerability became public. All users with the latest version of ESET products are not vulnerable to these issues. “To our knowledge, no users have reported any incidents around the discoveries. In standard configurations, ESET solutions update regularly, and you should already be on the latest version. That said, we take any potential issue very seriously, and want to make sure everyone takes any and all necessary steps for maximum protection. “We’d like to thank Jan Bee and Jason Geffner of The Google Security Team for alerting us and working with us to ensure that our customers would have a repair available prior to public disclosure.” ®