Recently, Google Security Team researchers Jason Geffner and Jan Bee discovered a critical security flaw in ESET Endpoint Antivirus 6 for macOS. The flaw, tracked as CVE-2016-9892, was caused by an outdated XML parsing library bundled inside ESET's antivirus.
Vulnerable XML Parsing Library
The issue lies in a service named esets_daemon, which runs as root. Vulnerable versions of the ESET Mac antivirus used the POCO XML parser library version 1.4.6p1, released in March 2013.
That POCO version, in turn, is based on the Expat XML parser library version 2.0.1, released in June 2007. A vulnerability in that Expat version (CVE-2016-0718) allows arbitrary code execution via malformed XML content.
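The chain above (product bundles POCO, POCO bundles Expat) is a typical software-supply-chain blind spot: the vulnerable code never appears in the product's own dependency list. Expat embeds its version as the literal string returned by XML_ExpatVersion() (for example "expat_2.0.1"), so a statically linked copy leaves that string in the binary. The following scanner is an added example, not code from the advisory or from ESET; it greps a file for that string and compares it against Expat 2.2.0, the release that fixed CVE-2016-0718. The sample byte blobs are constructed stand-ins for a binary, not real dumps, and the scanner will miss a dynamically linked libexpat (the string lives in the library, not the program).

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Expat's XML_ExpatVersion() returns the literal "expat_<major>.<minor>.<micro>",
# which survives in any binary that statically links the library.
EXPAT_VERSION_RE = re.compile(rb"expat_(\d+)\.(\d+)\.(\d+)")

# CVE-2016-0718 (the bug reachable through POCO 1.4.6p1) was fixed in Expat 2.2.0.
CVE_2016_0718_FIXED = (2, 2, 0)


def find_expat_versions(blob: bytes) -> List[Tuple[int, int, int]]:
    """Return every distinct Expat version string found in a byte blob."""
    found = {tuple(int(x) for x in m.groups()) for m in EXPAT_VERSION_RE.finditer(blob)}
    return sorted(found)


def affected_by_cve_2016_0718(version: Tuple[int, int, int]) -> bool:
    """Anything older than the fixed release is in scope for the Expat bug."""
    return version < CVE_2016_0718_FIXED


def scan_blob(blob: bytes) -> Dict[str, List[Tuple[int, int, int]]]:
    """Report all embedded Expat versions and the subset that is still affected."""
    versions = find_expat_versions(blob)
    return {
        "versions": versions,
        "affected": [v for v in versions if affected_by_cve_2016_0718(v)],
    }


def scan_file(path: str) -> Dict[str, List[Tuple[int, int, int]]]:
    """Scan a binary on disk (e.g. a daemon or a bundled shared library)."""
    return scan_blob(Path(path).read_bytes())


# Constructed samples standing in for binaries; not real memory or file dumps.
SAMPLE_OLD_EXPAT = b"\x00\x7fELF...\x00expat_2.0.1\x00POCO Foundation\x00"  # old, affected
SAMPLE_NEW_EXPAT = b"\x00\xcf\xfa\xed\xfe...\x00expat_2.2.0\x00"             # fixed
SAMPLE_NO_EXPAT = b"\x00no xml parser in here\x00"                           # nothing to find

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or []:
        print(p, scan_file(p))
```

Run it as `python scan_expat.py /path/to/esets_daemon` (hypothetical file name) to get the versions found and which of them predate the fix; an empty `versions` list means either the binary is clean or Expat is linked dynamically and the library itself should be scanned.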
The Full Disclosure advisory details how this leads to root-level remote code execution on a Mac.
The attack is possible because the ESET antivirus does not validate the web server's certificate when esets_daemon connects to ESET's servers over HTTPS, so an attacker in a man-in-the-middle position can impersonate the server and return arbitrary content.
A malicious XML response from that fake server triggers CVE-2016-0718 when esets_daemon parses it, executing the attacker's code with root privileges.
Flaw inside license verification daemon
The license verification mechanism is one of the places where the ESET Mac antivirus processes XML received from the network.
According to Geffner, when the ESET antivirus daemon checks at startup whether the user has a valid license, an attacker who can intercept the traffic (for example on the local network) can pick up the query and respond in place of the ESET servers.
Geffner also released proof-of-concept (PoC) exploit code.
Because the certificate is never checked, the attacker can issue a fake response on the server's behalf without the antivirus noticing.
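The root cause on the transport side is a TLS client that encrypts but never authenticates: with certificate verification off, the man-in-the-middle described above simply presents any certificate and gets to speak as the license server. The snippet below is an added example in Python's ssl module, not ESET's code or POCO's API; it shows the weak client configuration beside the corrected one, plus a small audit that a fetch routine runs before sending the license query. The license URL is a hypothetical placeholder, not ESET's real endpoint, and `fetch_license_response` is only illustrative of the client-side check, not of any ESET protocol.

```python
import ssl
import urllib.request
from typing import List

# Hypothetical placeholder for the license server; not ESET's real endpoint.
LICENSE_URL = "https://license.example.invalid/edf"


def weak_client_context() -> ssl.SSLContext:
    """The pattern behind the vulnerable daemon: TLS for transport, no identity
    check, so a MITM with any self-signed certificate is accepted as the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate chain at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What the fixed product effectively does: require a chain to a trusted CA
    and a certificate whose name matches the host being contacted."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context authenticates the server."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server certificate is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings


def fetch_license_response(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Send the license query only over a context that passes the audit; with the
    weak context this raises before any packet leaves the machine."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing insecure TLS context: " + "; ".join(problems))
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Against the hardened context, the MITM's self-signed certificate fails verification and `urlopen` raises an `ssl.SSLCertVerificationError`, so the attacker's XML is never handed to the parser. That closes the delivery path; the parser itself still has to be current, since verification only guarantees who sent the XML, not that it is well formed.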
ESET fixed the flaw in ESET Endpoint Antivirus 6.4.168.0 by upgrading the POCO parsing library and configuring the product to verify SSL certificates.