NOD32 AV remote root wormable hack turns corporate fleets to meat
ESET spits patch in three days
Google Project Zero bod Tavis Ormandy has disclosed a "trivial" means of remotely hacking the ESET NOD32 antivirus platform.
Ormandy's finding prompted the Slovak company to rush out a patch a day before his disclosure, which was made overnight. The remote-root exploit is potentially wormable and, he said, of practical value to criminals.
"Any network connected computer running ESET can be completely compromised," Ormandy says.
"A complete compromise would allow reading, modifying or deleting any files on the system regardless of access rights; installing any program or rootkit; accessing hardware such as camera, microphones or scanners; logging all system activity such as keystrokes or network traffic; and so on.
"There would be zero indication of compromise, as disk I/O is a normal part of the operation of a system. Because there is zero user-interaction required, this vulnerability is a perfect candidate for a worm."
Ormandy says corporate ESET deployments could be quickly pierced with "business data, personally identifiable information, trade secrets, backups and financial documents" stolen or destroyed.
He demonstrates the hack in a proof-of-concept video in which a user clicks a link that grants the attacker root access, thanks to a default installation of ESET NOD32 Business Edition.
Malicious links are one of "hundreds" of possible attack vectors attackers can use to own NOD32 users.
ESET says in an unattributed post that the attack affected a specific emulation routine and not the core engine.
It slung out a patch within three days, well inside Google Project Zero's 90-day patch-or-die disclosure window, and added that the bug did not exist in its pre-release update.
"ESET continually performs code refactoring in order to improve efficiency and quality of products. As a result, this vulnerability was already not present in ESET’s pre-release engine," it says in a statement.
Ormandy's hack stands out among anti-virus hacking research for its severity; however, many other platforms have also been found desperately vulnerable. ®