Exploitation could lead to complete compromise of a system

Jun 24, 2015 22:09 GMT  ·  By

An analysis of the code emulator built into ESET products showed that the component was not robust enough and could be compromised, allowing an attacker to take complete control of a system running the vulnerable security product.

Antivirus products include code emulation so that executable files and scripts can be run, and their behavior observed, before the user launches them. The emulation takes place in an isolated environment that should not affect the real system.

The data collected during emulation is passed to the heuristic analyzer, which decides whether the observed routines are malicious or suspicious; if they are, a detection signature is created.

Glitch triggered during scan routine

Tavis Ormandy from Google Project Zero discovered the vulnerability in NOD32 Antivirus, but other products are affected as well, including consumer versions for Windows, OS X and Linux, as well as Endpoint and Business editions.

“Many antivirus products include emulation capabilities that are intended to allow unpackers to run for a few cycles before signatures are applied. ESET NOD32 uses a minifilter or kext [kernel extension] to intercept all disk I/O, which is analyzed and then emulated if executable code is detected,” Ormandy says in the vulnerability report.

Because disk I/O operations can be triggered in numerous ways, untrusted code reaches the disk whenever messages, files, images or other types of data are received, hence the need for a robust and properly isolated code emulator in antivirus products.

The vulnerability involves the emulator's management of a shadow stack and can be triggered by any scanning operation (real-time, scheduled or manual).
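To make the mechanism described above concrete (an emulator that runs untrusted code for a few cycles and feeds a heuristic analyzer, and why a shadow stack inside such an emulator must be bounds-checked), here is a constructed example. It is my own toy, not ESET's code and not from the vulnerability report; the 8-bit instruction set, opcode numbers, stack size and memory layout are all assumptions, and the page gives no details of the real bug beyond "shadow stack", so the toy shows only the general hazard: host-side bookkeeping that sits next to an unchecked shadow stack can be overwritten by the guest.

```python
"""Toy antivirus-style code emulator with a shadow call stack.

Constructed illustration, not ESET's code: an 8-bit stack machine that
runs an untrusted 256-byte blob for a bounded number of cycles and hands
a verdict to a trivial heuristic analyser.  A weak variant omits the
bounds checks on the shadow stack; the hardened variant keeps them.
"""

# Hypothetical toy ISA (assumed for this example only).
OP_NOP, OP_CALL, OP_RET, OP_SYSCALL, OP_HALT = 0x00, 0x01, 0x02, 0x03, 0xFF

CODE_SIZE = 256      # 8-bit program counter, so pc wraps modulo 256
SHADOW_SLOTS = 4     # capacity of the shadow call stack
MAX_CYCLES = 64      # emulator stops after this many guest instructions

# Host-side bookkeeping is one bytearray: shadow slots first, then the
# heuristic counter right behind them, mimicking adjacent fields of a C
# struct where an out-of-bounds push lands on the neighbouring field.
VERDICT = SHADOW_SLOTS


class EmulatorError(Exception):
    """Raised by the hardened emulator when the guest breaks a rule."""


def emulate(blob: bytes, check_bounds: bool = True) -> int:
    """Run blob; return the number of suspicious events the heuristics saw."""
    if len(blob) != CODE_SIZE:
        raise ValueError("guest image must be exactly 256 bytes")
    state = bytearray(SHADOW_SLOTS + 1)   # 4 shadow slots + verdict byte
    pc, sp = 0, 0                          # sp counts used shadow slots

    def push(value: int) -> None:
        nonlocal sp
        if check_bounds and sp >= SHADOW_SLOTS:
            raise EmulatorError("shadow stack overflow")
        state[sp] = value        # unchecked: sp == 4 writes the verdict byte
        sp += 1

    def pop() -> int:
        nonlocal sp
        if check_bounds and sp == 0:
            raise EmulatorError("shadow stack underflow")
        sp -= 1                  # unchecked: sp == -1 reads state[-1], the
        return state[sp]         # verdict byte (in C: a read before the array)

    for _ in range(MAX_CYCLES):
        op = blob[pc]
        if op == OP_NOP:
            pc = (pc + 1) % CODE_SIZE
        elif op == OP_CALL:
            target = blob[(pc + 1) % CODE_SIZE]
            push((pc + 2) % CODE_SIZE)       # return address, 8-bit wraparound
            pc = target
        elif op == OP_RET:
            pc = pop()
        elif op == OP_SYSCALL:
            state[VERDICT] += 1              # heuristic hook: guest called the "OS"
            pc = (pc + 1) % CODE_SIZE
        elif op == OP_HALT:
            break
        else:
            raise EmulatorError(f"illegal opcode {op:#04x} at {pc}")
    return state[VERDICT]


def evil_blob() -> bytes:
    """Constructed guest: trips the heuristic, then overflows the shadow
    stack so the fifth push (return address 0x00, because that CALL sits
    at pc 254) lands on the verdict byte and zeroes it."""
    img = bytearray(CODE_SIZE)               # all NOPs by default
    img[0] = OP_SYSCALL                      # verdict -> 1
    img[1:3] = bytes([OP_CALL, 3])           # pushes 3   (slot 0)
    img[3:5] = bytes([OP_CALL, 5])           # pushes 5   (slot 1)
    img[5:7] = bytes([OP_CALL, 7])           # pushes 7   (slot 2)
    img[7:9] = bytes([OP_CALL, 254])         # pushes 9   (slot 3, stack full)
    img[254:256] = bytes([OP_CALL, 253])     # pushes (254+2)%256 == 0 -> verdict
    img[253] = OP_HALT
    return bytes(img)


def scan(blob: bytes, check_bounds: bool = True) -> str:
    """How the scan engine should act on the emulator's outcome."""
    try:
        return "suspicious" if emulate(blob, check_bounds) else "clean"
    except EmulatorError:
        return "rejected"   # fail closed: a misbehaving guest is never "clean"


if __name__ == "__main__":
    print("weak emulator    :", scan(evil_blob(), check_bounds=False))
    print("hardened emulator:", scan(evil_blob(), check_bounds=True))
```

Run against the crafted blob, the weak emulator reports "clean" because the guest's fifth push overwrote the heuristic counter, while the hardened emulator raises on the overflow and the scan engine reports "rejected" rather than trusting state the guest may have touched. In a real product the bookkeeping next to the shadow stack is far more valuable than a verdict byte (pointers, lengths, callbacks), which is how an emulator bug escalates to control of the scanning process.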

The attack would go unnoticed

Ormandy found the flaw, analyzed it and built a working remote root exploit within a few days. A complete compromise means that data on the system can be read or altered regardless of access rights, and also includes installing programs, accessing connected or built-in devices, and logging system activity.

A compromise does not require user interaction and is not flagged in any way because I/O tasks represent normal system operations.

“For Windows networks, it is possible to compromise and take over the ekrn.exe process, granting NT AUTHORITY\SYSTEM to remote attackers. On Mac and Linux, it is possible to compromise and take over the esets_daemon process, granting root access to attackers,” the researcher says.

Ormandy reported the vulnerability to ESET on June 18 and the company pushed an update for the scan engine four days later. Technical details of the vulnerability have been published along with an exploit.

Video demonstrating the flaw: