Jump to content

Archived

This topic is now archived and is closed to further replies.

rugk

Thanks for fixing some vulnerabilities in ESET software, but...

Recommended Posts

So thanks for fixing tree vulnerabilities in (nearly) all ESET AVs. Starting with this one all of them were discovered and reported by Google Zero team and fixed quickly with regular VSD updates.
So far this is very good (the fixes, not the vulnerabilities of course), but there is another one, which was published publicly, but does not seem to be fixed.
 
Here is an (a bit) obfuscated link - if you rather want to remove this link feel free to do so: hxxp://www.qwertlab.com/<enter current year here>/06/security-avisory-eset-lpc-component-multiple-issues/
 
Basically is about the communication between egui.exe and ekrn.exe which has a big vulnerability, which allows attackers to send many commands to ekrn.exe (which runs with system privileges) from a program which runs with user privileges:

After successful connection to the LPC Port, it is possible to send untrusted data to the LPC server in ekrn.exe.

The handler has a very huge attack surface.

 
The researcher concludes:

[...] the mentioned leaked image base address can be used to to bypass DEP/ASLR.

(interestingly - or sadly - that's the technology, where ESET just won a kind of test)

The final result is that the attacker is able to engineer the malicious requests [...] which exploits highest privileged ekrn.exe process, hence the attacker running the client elevate her privilege to the highest level in Windows as system. She is not only is able to disable the antivirus service, but also can bypass different level of windows access control and sandboxes.

 
A word about the test lab
The researcher has published sample exploit code and explained in detail how to reproduce it so I assume it is a real vulnerability.
However it is notable to say that this is the first vulnerability which was blogged on their blog and the research lab seems to be quite new. Their "blog anounce" (notice the spelling mistake) consists of 4 sentences and their only contact data is a Twitter account.
So if it - probably - is a not-working description and some parts or the whole thing are fake, please let us know. (I didn't tried to reproduce it.)
 
However I don't think so, but there is missing another thing in the blogpost: Was ESET already notified of this? Usually this should be done before publishing instructions how to exploit it - for obvious reasons, but here the research lab does not even mention anything like this with a single word.

So do you know of this? Are you working on a fix?

Share this post


Link to post
Share on other sites

We are aware of this but this vulnerability is no way as serious as some others that could have been exploited without user's knowledge. It will be addressed in newer installers.

 

Regarding the persons behind, have a look at the About or Contact section. Does it look trustworthy to you?  ;)

Share this post


Link to post
Share on other sites

Regarding the persons behind, have a look at the About or Contact section. Does it look trustworthy to you?  ;)

Yes that's what I thought too. I already mentioned in the first post that their only contact detail is a Twitter account.

 

But about the vulnerability: I've passed your reply to them (in the comments below their article) so let's see what they say.

However as I see it it seems to be quite serious as it allows privilege escalation and sandbox escaping.

 

We are aware of this but this vulnerability is no way as serious as some others that could have been exploited without user's knowledge.

So the user will see it if it's being exploited? :huh:

Or does it need some steps from the users side to make the exploit work?

Share this post


Link to post
Share on other sites

Marcos check your message inbox, it's important ! :) (Vulnerability)

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...