While Trojans and viruses run loose across the internet, one security researcher has identified a rather costly vulnerability in ESET NOD32 antivirus that allows anyone with a computer to generate an unlimited number of activated licenses for the product.
Information security researcher Mohamed Abdelbaset Elnoby identified the vulnerability in ESET’s authentication method, allowing anyone to generate millions of activated accounts with valid usernames and passwords by abusing a simple flaw.
Elnoby, who describes the vulnerability as “hilarious”, said the authentication flaw was in the company’s website, specifically in the antivirus product activation process; when abused, it allowed him to generate as many fully paid usernames and passwords as he desired. While Elnoby was abusing the vulnerability, ESET’s antivirus description boasted that its software was “award-winning” and “most effective.”
The exploit could generate millions of fully activated accounts because of the serious authentication flaw. While most applications require some form of authentication to validate a license or log in to a website, not all authentication schemes are implemented equally or provide the same security. There are thousands of ways to abuse authentication bugs to hijack accounts or abuse a service that is vulnerable enough.
Elnoby identified various methods to bypass ESET’s authentication schema in their web application, including:
- Direct Page Request (forced browsing)
- Parameter Modification
- Session ID Prediction
- SQL Injection
Elnoby posted his proof-of-concept, reproduced below:
[*] Vulnerability Type : A2 - Broken Authentication and Session Management
[*] URL / Service: http://eu-eset.com/me/activate/reg/
[*] Vulnerable Parameter(s) / Input(s): "serial" (Product Key field)
[*] Payload / Bypass string: ' OR "'
[*] Request full dump:
POST /me/activate/reg/ HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------25242107630722
Content-Disposition: form-data; name="serial"
' OR "'
Content-Disposition: form-data; name="country"
Content-Disposition: form-data; name="firstname"
Content-Disposition: form-data; name="lastname"
Content-Disposition: form-data; name="company"
Content-Disposition: form-data; name="email"
Content-Disposition: form-data; name="phone"
Content-Disposition: form-data; name="note"
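To make the class of flaw concrete, here is an added example that is not ESET’s code or Elnoby’s: a toy product-key activation check written the way the article describes the bug (the "serial" field spliced straight into the SQL WHERE clause), beside a hardened version that validates the key format and binds the value as a query parameter. The table layout, the sample key and the key-format pattern are all assumptions constructed for the demo, and since the article’s quoted bypass string has been mangled by typographic quotes, the demo uses the textbook tautology form of the same idea.

```python
"""Added example (not ESET's or Elnoby's code): vulnerable vs hardened
product-key lookup. Everything here is constructed for the demo."""
import re
import sqlite3

# Constructed sample data (assumption: one table keyed by the serial string).
KNOWN_SERIAL = "AAAA-BBBB-CCCC-DDDD"          # constructed, not a real key
SERIAL_FORMAT = re.compile(r"^[A-Z0-9]{4}(-[A-Z0-9]{4}){3}$")  # assumed format


def make_db():
    """In-memory licence table with a single valid key (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licenses (serial TEXT PRIMARY KEY, days INTEGER)")
    conn.execute("INSERT INTO licenses VALUES (?, ?)", (KNOWN_SERIAL, 365))
    conn.commit()
    return conn


def activate_vulnerable(conn, serial):
    """Mirrors the flawed pattern: the submitted serial is concatenated into
    the SQL text, so a quote in the input closes the literal and rewrites the
    WHERE clause. Returns the licence term in days if any row matches."""
    sql = "SELECT days FROM licenses WHERE serial = '" + serial + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def activate_fixed(conn, serial):
    """Hardened version: reject anything not shaped like a product key, then
    bind the value as a parameter so it is only ever compared as data."""
    if not SERIAL_FORMAT.fullmatch(serial):
        return None
    row = conn.execute(
        "SELECT days FROM licenses WHERE serial = ?", (serial,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs both checks against the valid key and a tautology string of the
    kind the article describes (constructed: ' OR '1'='1)."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vulnerable_valid": activate_vulnerable(conn, KNOWN_SERIAL),
        "vulnerable_tautology": activate_vulnerable(conn, tautology),
        "fixed_valid": activate_fixed(conn, KNOWN_SERIAL),
        "fixed_tautology": activate_fixed(conn, tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable check hands out a 365-day licence for the tautology string just as it does for the real key, because the spliced-in quote turns the comparison into `serial = '' OR '1'='1'`. The hardened check returns nothing for it: the format allow-list rejects the input before any query runs, and even if it did not, the bound parameter would be compared as a plain string rather than parsed as SQL. Activation endpoints that take a free-text key should apply both layers, since the allow-list also gives a cheap signal to log and alert on.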
Elnoby also released a proof-of-concept video showing him successfully abusing the authentication vulnerability and obtaining a valid one-year license for ESET NOD32 antivirus. Elnoby begins by capturing the web requests, which he then alters and replays through the Burp proxy. Shortly after the request is sent, an activation email arrives in his inbox stating that his ESET account has been activated, even though the serial number was completely invalid.
If abused, attackers could use the authentication bypass string Elnoby posted to generate an unlimited number of one-year activated accounts, which sell for an average of $39.99 per user account. Elnoby contacted ESET about the vulnerability; the company has since patched the authentication bug and awarded Elnoby a free one-year license for his responsible disclosure.
While Elnoby may find the bug “hilarious”, reporting it must have saved ESET a fortune.