Bored hacker looking for fun? We couldn’t possibly suggest you attack the latest vulnerability in ESET’s antivirus software, because it’s too basic to offer any challenge at all.
As outlined in this advisory today, all you need to get root-level remote code execution on a Mac is to intercept the ESET antivirus package’s connection to its backend servers, put yourself in as a man-in-the-middle, and exploit an XML library hole.
Or, to use the technically correct language of Google Security Team’s Jason Geffner and Jan Bee: “Vulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an outdated XML parsing library and do not perform proper server authentication, allowing for remote unauthenticated attackers to perform arbitrary code execution as root on vulnerable clients.” Lovely.
The esets_daemon uses an old version of POCO’s XML parser library that is vulnerable to a buffer overflow bug, aka CVE-2016-0718, they explain. Among other things, that library handles license activation with a request to https://edf.eset.com/edf: whatever data is sent back from that server can exploit the XML parser bug to potentially gain arbitrary code execution as root – the user assumed by ESET’s antivirus.
The man-in-the-middle diddle is possible because the daemon doesn’t check ESET’s licensing server certificate, allowing a malicious machine masquerading as the ESET licensing server to give the client a self-signed HTTPS cert. Once the attacker controls the connection, they can send malformed content to the Mac to hijack the XML parser and execute code as root.
“When ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a request to https://edf.eset.com/edf,” the Googlers explain.
“The esets_daemon service does not validate the web server’s certificate, so a man-in-the-middle can intercept the request and respond using a self-signed HTTPS certificate. The esets_daemon service parses the response as an XML document, thereby allowing the attacker to supply malformed content and exploit CVE-2016-0718 to achieve arbitrary code execution as root.”
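To make the missing-check concrete from the defender's side, here is an added illustration (not ESET's code and not from the Google advisory) of the difference between a TLS client that accepts any certificate, as the daemon described above did, and one that authenticates the licensing server before parsing its reply. The host and path come from the advisory; the function names, the audit helper and the size cap are assumptions made for this example.

```python
import ssl
import http.client
import xml.etree.ElementTree as ET

LICENSE_HOST = "edf.eset.com"  # endpoint named in the advisory
LICENSE_PATH = "/edf"


def insecure_context() -> ssl.SSLContext:
    """Models the defect: any certificate is accepted, including a self-signed
    one presented by a machine sitting between the client and the real server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before disabling verification
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Proper server authentication: chain validation against the system trust
    store plus hostname matching, which is what create_default_context() gives."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def authenticates_server(ctx: ssl.SSLContext) -> bool:
    """Audit helper (assumed name): True only if the context would reject an
    untrusted or mis-named certificate, i.e. a man-in-the-middle's self-signed cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_license_xml(ctx: ssl.SSLContext, host: str = LICENSE_HOST,
                      path: str = LICENSE_PATH, timeout: float = 10.0) -> ET.Element:
    """Activation-style request: refuses to run over a context that would accept
    a spoofed server, caps the body size, and only then hands it to the XML parser.
    Needs network access, so it is not exercised offline."""
    if not authenticates_server(ctx):
        raise ValueError("refusing license request without server authentication")
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read(1 << 20)  # 1 MiB cap: untrusted input should be bounded before parsing
    conn.close()
    return ET.fromstring(body)
```

The audit helper is the kind of check worth running against every outbound TLS context in a privileged daemon: if it returns False, whatever parses the response is reachable by anyone on the network path.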