The Hackr

Security Flaw in ESET’s Mac Antivirus Leads to Remote Hacking

The critical vulnerability in ESET’s antivirus software allows any unauthenticated attackers Remote Hacking by executing arbitrary code with root privileges on a Mac system

Recently, Google Security Team’s researchers Jason Geffner and Jan Bee discovered the critical security flaw in ESET Endpoint Antivirus 6. The security flaw, tracked as CVE-2016-9892 was caused by the usage of an old library inside ESET’s antivirus source code.

Vulnerable XML Parsing Library

The actual issue was related to a service named esets_daemon, which runs as root.The vulnerable versions of the ESET Mac antivirus used the POCO XML parser library version 1.4.6p1 released in March 2013.

In turn this POCO version , is based on Expat XML parser library version 2.0.1 released in June 2007. The XML vulnerability (CVE-2016-0718) in Expat library allows for remote code execution via malformed XML content.

Now, when esets_daemon sends a request to during activation of the ESET Endpoint Antivirus product, an man-in-the-middle (MITM) attacker can intercept the request to deliver a malformed XML document using a self-signed HTTPS certificate.

Root-level remote code execution on a Mac computer is detailed in the fulldisclosure.

The attack is possible because the ESET antivirus do not validate the web server’s certificate.

This event triggers the CVE-2016-0718 flaw that executes the malicious code with root privileges when esets_daemon parsed the XML content.

Vulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an outdated XML parsing library and do not perform proper server authentication

Flaw inside license verification daemon

License verification mechanism is one of the places where the ESET Mac antivirus interacted with XML streams.

According to Geffner, when an ESET antivirus daemon checks to see if a user has a valid license at startup, an attacker listening to local traffic can pick up the query and respond instead of the ESET servers.

Geffner also released the proof-of-concept (PoC) that exploits code.

Furthermore,  its antivirus does not verify the HTTPS certificate of the ESET server responsible for the license verification process.

So,this is what allows the attacker to issue a fake response on  server’s behalf without the antivirus detection.

ESET has upgraded the POCO parsing library by configuring its product to verify SSL certificates.

It has also fixed this flaw with the release of ESET Endpoint Antivirus


Guys, make sure your antivirus package is patched up to date.



It was a hobby I got into a long time ago, hacking cameras. And I am here making posts @TheHackr today!

Chat With Our Bot ☎️

IntroducingTheHackr Chatbot,now anyone can interact with our messenger bot and get daily crunches about Cyber-Security in just a clicks away!