ESET Endpoint Security credentials theft

TL;DR

The vulnerability reported here allows an attacker who has a foothold in an organization using ESET to passively steal the ESET license as well as the ESET License Administrator credentials (https://ela.eset.com/LicenseOwner/Converter).

Presentation

The test was conducted on a Windows 10 21H1 computer running ESET Endpoint Security 7.32.2041.0.

Figure: nmap scan of pico.eset.com showing HTTP support
Figure: “Use this license key to active ESET products”

Summary

Prerequisites
- A computer on the same network as your target, on which you have administrator rights to use tools such as Responder or Wireshark
- Nothing else (but it is easier if your target responds to NetBIOS/LLMNR or has no static IPv6 DNS setup; otherwise a simple packet sniffer could do the job).
Impact
The target (individual or company) will have its licensing information stolen, and the attacker can issue licenses for himself. Perhaps there is some other use for the credentials that I haven’t identified yet. There is no impact for ESET as a company, only for its customers: additional license costs, or license expiration through over-usage.
Easiness
Definitely not rocket science…

Mehdi Alouache

Had to fill a bio otherwise the bio pop-up would harass me non-stop. Also, I am a security engineer currently working at RATP Smart Systems.