ESET Antivirus Exposes Mac Users to Remote Hacking via Man-in-the-Middle Attacks
Security researchers at ESET have been grabbing all the news headlines this month. The team first released a detailed report highlighting the immense growth of ransomware, and then revealed a campaign targeting macOS. While each of these reports ended with a message that recommended readers to use ESET products to detect threats, it appears that not everything was going well with the company’s antivirus software.
When antivirus programs are vulnerable to attacks
Nothing could be more exciting to hackers and criminal attackers than exploiting a vulnerability in antivirus programs that are widely used to keep attackers at bay. Google Security Team’s researchers Jason Geffner and Jan Bee discovered one such vulnerability that could allow attackers to remotely execute arbitrary code with root privileges on a Mac thanks to a flaw in ESET Endpoint Antivirus 6.
The vulnerability is an easy flaw that enables hackers to get root-level remote code execution powers on a Mac by intercepting ESET antivirus program’s connection to its backend servers using a self-signed HTTPS certificate, putting themselves as a man-in-the-middle to exploit an XML library security flaw.
Vulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an outdated XML parsing library and do not perform proper server authentication, allowing for remote unauthenticated attackers to perform arbitrary code execution as root on vulnerable clients.
The problem is linked to a service named esets_daemon, which runs as root. The service is “statically linked with an outdated version of the POCO XML parser library, version 1.4.6p1.” Security researchers added that this version of POCO is based Expat XML parser library version 2.0.1 (from June, 2007), which has a publicly known XML parsing vulnerability (CVE-2016-0718). This known security flaw allows an attacker to execute arbitrary code via malformed XML content.
“When ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a request to https://edf.eset.com/edf. The esets_daemon service does not validate the web server’s certificate, so a man-in-the-middle can intercept the request and respond using a self-signed HTTPS certificate,” today’s advisory explained.
“The esets_daemon service parses the response as an XML document, thereby allowing the attacker to supply malformed content and exploit CVE-2016-0718 to achieve arbitrary code execution as root.” The attacker now has the control over the connection and can send malicious content to the target Mac system to hijack XML parser and execute code as root.
Google informed the ESET team about this flaw in November and the antivirus company fixed the issue on February 21. Google has also released a proof-of-concept exploit code, showing how ESET antivirus app can be used to cause a crash.
The patch is available with ESET Endpoint Antivirus for macOS version 18.104.22.168. Make sure your antivirus program is updated to the latest version to avoid any security troubles.
More details here.