Hilarious ESET Broken Authentication Vulnerability

Discussion in 'other anti-virus software' started by donaddams, May 24, 2015.

  1. donaddams

    donaddams Registered Member

    Joined:
    Jul 5, 2008
    Posts:
    80
    Location:
    mojave Desert
    http://egyptiangeeks.com/information-security/eset-broken-authentication-vulnerability/
     
    Last edited by a moderator: May 25, 2015
  2. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Terrible news for a "security software" company.
     
  3. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    While I can't argue that this isn't an issue, if there's one thing I've learned in my time testing various software it's that not all vendors place the same importance on protecting their programs as they do on improving things that actually affect the real customers.

    For example, I have knowledge of a (licensing) bypass that works on all 4.x versions of AppGuard and have previously warned BlueRidge of such a potential issue (without specifics) and suggested moving the checks over to the driver or service during my beta testing phase. In addition to creating potential lost revenue this *** vulnerability creates a path which would allow a pirated version 'made available to the public' to modify *anything* inside the service or GUI were the cracker clever enough (It'd be their own fault if this was used~the pirates that is!). I never received a real response on it so I assumed it wasn't a big deal for them, I did however receive responses for just about every other issue I contacted them about and have noted a few fixes as a result.

    In addition, another vendor - Agnitum, has a php script issue with the free version key page (along with every OSS giveaway page they've hosted so far) that allows users to create a lifetime key. Once again I attempted to contact them (anonymously) and report the issue but never got anything but the default (computerized) responses so I didn't bother chasing it further as they apparently weren't interested.

    These are only a few of the programs/examples I could complain about but the reality is that while I've found some registration/licensing loops in these and others, it doesn't mean I've found holes in the protections (that weren't fixed). Obviously I still use all these programs (as shown in my sig) and as such the type of story reported here means nothing to me as it isn't related to the actual protections the software itself offers and I find it amusing anyone who found such a gap would prefer to publicize it this way rather than at least attempt reporting it first.

    If nothing else this(these) incident(s) has(ve) strengthened my trust in such programs as they are obviously more concerned about helping the consumers with real issues - instead of just wanting to ensure the software isn't pirated! And just in case anyone expects that I'm talking out my ~ Snipped as per TOS ~...these are partial examples of what I found...hopefully obscure enough to keep most people clueless but it might be enough to show the ones who matter (should they view this page and make sense of it) that these 'issues' were real and my emails were meant to help.

    64 32 0A 0A 0A 00 00 ?? ?? ?? B8 01 ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 64 89 ?? ?? ?? ?? ?? 59 ?? ?? ?? 5B 00 0A 00 00 ?? 47 08 ?? ?? ?? ?? ?? ?? ?? 35 03 ?? ?? 49 ?? 00 0A 00 00 #L_TYP#Lifetime
     
  4. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    https://forum.eset.com/topic/4952-a-hilarious-eset-broken-authentication-vulnerability/?p=28324
     
  5. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Jumping the gun too soon, Wilders' favourite sport.
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,727
    Location:
    localhost
    and follow up to ESET post...

     
    Last edited by a moderator: May 25, 2015
  7. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    I'd actually be more surprised if Eset (or any other security software maker, for that matter) accepts its fault in these cases.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Since this can hurt their business and not their customer's security I don't see any problem. At least not for end users.
     
    Last edited: May 25, 2015
  9. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,191
    Location:
    USA,IA
    I don't see a problem and I'm a paying customer
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Is it hilarious? Yes.
    Is it actually relevant? No. It has nothing to do with their software or the team that authors it.
     
  11. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    something odd with those licenses - the first one is not ESET NOD32 - it's Smart Security. The emails doesn't contain the license key - and the email also spells NOD32 as 'Nod32' - which is not how ESET spells it out (it should be all caps).
     
Loading...