Critical Flaw found in Mac Antivirus software ESET Antivirus

Google Security Team researchers Jan Bee and Jason Geffner have discovered an easy-to-exploit but critical vulnerability in ESET's anti-virus software (ESET Endpoint Antivirus 6) which allows hackers to remotely execute arbitrary code with root privileges on a Mac system. The researchers found the vulnerability at the beginning of November 2016; it is tracked as CVE-2016-9892.

Google has also released proof-of-concept exploit code, which shows how the ESET anti-virus application can be made to crash the target system.

Hackers always look for vulnerabilities in widely used software, since it lets them attack a larger number of targets.

A hacker can achieve root-level remote code execution on a Mac computer by intercepting the ESET anti-virus package's connection to its backend servers with a self-signed HTTPS certificate, positioning himself as a man-in-the-middle (MITM) attacker, and then exploiting a flaw in an XML library.

The attack was possible only because the ESET anti-virus did not validate the web server’s certificate.

The vulnerability was found in a service named esets_daemon, which runs as root. The service was linked against an outdated version of the POCO XML parser library, released in March 2013.

This POCO version is based on Expat XML parser library version 2.0.1 from 2007, which is affected by a publicly known XML parsing vulnerability that could allow an attacker to execute arbitrary code via malicious XML content.

When esets_daemon sends a request to https://edf.eset.com/edf during activation of the ESET Endpoint Antivirus product, an MITM attacker can intercept the request and deliver a malformed XML document, using a self-signed HTTPS certificate as mentioned above.

This triggers the Expat XML parser library version 2.0.1 flaw, CVE-2016-0718, which executes arbitrary code with root privileges when esets_daemon parses the XML content.

Malicious content can thus be sent to the Mac system to hijack the XML parser and execute code with root privileges.

Am I Safe?

Fortunately, ESET addressed this vulnerability on February 21 by upgrading the POCO parsing library and validating SSL certificates.

The patch is available in the new version of ESET Endpoint Antivirus for macOS, version 6.4.168.0, so users are advised to update their software to be safe.