ESET Patches Scan Engine Hole

Monday, June 29, 2015 @ 04:06 PM gHale

The code emulator in ESET products is not robust and could easily end up compromised, allowing an attacker to take complete control of a system, a researcher said.

Code emulation ends up integrated into antivirus products to run executable files and scripts before the user launches them and to monitor activity on the system. The process takes place in an isolated environment that should not impact the real system.

Drupal Patches Vulnerabilities
OS X, iOS Vulnerabilities Discovered
Flaw in iOS Mail App
Phishing Continues Growth Pattern

The data in that environment ends up collected and sent over to the heuristic analyzer, which decides if the nature of the routines is malicious or suspicious, followed by the creation of a detection signature.

Tavis Ormandy from Google Project Zero discovered the vulnerability in NOD32 Antivirus, but other products suffer from the issue as well, including consumer versions for Windows, OS X and Linux, as well as Endpoint and Business editions.

“Many antivirus products include emulation capabilities that are intended to allow unpackers to run for a few cycles before signatures are applied,” Ormandy said in the vulnerability report. “ESET NOD32 uses a minifilter or kext [kernel extension] to intercept all disk I/O, which is analyzed and then emulated if executable code is detected.”

Because disk I/O operations can result in numerous ways, untrusted code can pass through the disk when messages, files, images or other type of data ends up received. That is the reason why a user needs a more sturdy and isolated code emulator in antivirus solutions.

The vulnerability touches on managing a shadow stack task and can end up triggered whenever a scanning operation (real-time, scheduled or manual) occurs.

Ormandy found the glitch, analyzed it and created a remote root exploit in a few days. He said a complete compromise can end up achieved, meaning reading or altering data on the system is possible regardless of access rights, which also includes installing programs, accessing connected or built-in components, or logging system activity.

A compromise does not require user interaction and does not end up flagged in any way because I/O tasks represent normal system operations.

“For Windows networks, it is possible to compromise and take over the ekrn.exe process, granting N T AUTHORITY\SYSTEM to remote attackers. On Mac and Linux, it is possible to compromise and take over the esets_daemon process, granting root access to attackers,” Ormandy said.

Ormandy reported the vulnerability to ESET June 18 and the company pushed an update for the scan engine four days later. Technical details are available for the vulnerability along with an exploit.