Vulnerability in antivirus ESET for Mac allows you to run arbitrary code as root
03.03.2017 apleapplekot
Jason Geffner and Jan Bee of the Google Security Team have discovered a vulnerability in the antivirus application ESET Endpoint Antivirus 6 that allows remote code execution on a Mac with kernel privileges. Carrying out the attack is easy: intercept the connection from the product to ESET's servers and exploit a vulnerability in the XML library.
As Securitylab reports, the vulnerability in one of the oldest libraries bundled with ESET for Mac poses a serious threat to Apple users.
“The vulnerable version of ESET Endpoint Antivirus 6 is statically linked with an obsolete XML parsing library and does not properly authenticate the servers, thereby allowing a remote unauthenticated attacker to execute code with the privileges of the kernel,” the researchers said.
According to the experts, esets_daemon uses an old version of the POCO XML library, which contains a buffer overflow vulnerability (CVE-2016-0718). In addition, the daemon requests a license from https://edf.eset.com/edf. An attacker can act as a man in the middle and send a crafted response, leading to code execution with kernel privileges.
The daemon does not check ESET's server certificate, which lets an attacker impersonate the ESET server and present the client with a self-signed SSL certificate. Geffner attached to his report an exploit that crashes the antivirus for Mac.
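The root cause described above is a TLS client that accepts any server certificate. The following is an added example, not code from the article or from ESET: it places a client context with the same weakness (no chain or hostname check) next to a hardened one, and an audit function that a reviewer or test suite can run over a context before it is used. The license host is the one named in the article; the optional private CA bundle path and the `fetch_license` helper are assumptions for illustration.

```python
import ssl
import urllib.request
from typing import List, Optional

# Licensing endpoint named in the article.
LICENSE_HOST = "edf.eset.com"
LICENSE_URL = f"https://{LICENSE_HOST}/edf"


def insecure_context() -> ssl.SSLContext:
    """Client context mirroring the flaw in the article: the server
    certificate is never validated, so a man in the middle presenting a
    self-signed certificate completes the handshake and gets to feed the
    XML parser."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate at all
    return ctx


def verified_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context: chain validation against trusted CAs,
    hostname matching against the certificate, and a TLS 1.2 floor.
    ca_bundle (an assumption, for products running their own PKI) is a
    path to a PEM file; when omitted the system trust store is used."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a client TLS context. An empty
    list means an impersonated server would fail the handshake before
    any response body reaches the XML parser."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def fetch_license(ctx: ssl.SSLContext, url: str = LICENSE_URL) -> bytes:
    """Hypothetical license fetch using the supplied context. With the
    hardened context a forged server raises ssl.SSLCertVerificationError
    during the handshake; with the insecure one the forged reply is
    returned and would be parsed."""
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("verified", verified_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

Run the block to see the audit flag the insecure context and pass the hardened one. The ordering in `insecure_context` matters: Python refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still true, which is exactly the guard that a client built this way has to go out of its way to disable.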
In the attack, the attacker sends malicious content to the Mac, exploits the vulnerable library, and then executes code. Anyone who runs this antivirus on macOS is strongly advised to upgrade as soon as possible to the fixed version, ESET Endpoint Antivirus 126.96.36.199.