Known Vulnerability
Release: 7.3.8
Fixed in Release: 7.3.21 Security Patch
Description: Bypassing Precision Bridge License key validation mechanism
Reported and documented by Viraj Mota
Application Name: Precision Bridge (Thick Client)
Application Version: 7.3.8
Severity: High
Business Impact: Critical
Description:
A vulnerability in the license key validation mechanism allows an unauthorized party to activate the same license key on multiple systems, undermining the integrity of the licensing scheme and causing licensing violations. The attacker chains two weaknesses: the licensed Host ID (MAC ID) of the victim's machine is disclosed in an error message, and the Host ID check can then be bypassed by spoofing that MAC ID on the attacker's machine.
Note:
The license key was issued for activation on one specific server (MAC ID: 168C47*****), i.e. the key is mapped to the victim's MAC ID 168C47******.
In the steps below the attacker's server is called A and the victim's server B.
Steps to reproduce:
Step 1: The attacker extracts the license key from the running application's memory with the Process Hacker tool:
javaw.exe -> Properties -> Memory -> Strings -> Filter
Note: The attacker uses this disclosed license key for the rest of the attack chain.
Step 2: The attacker enters B's license key on system A and observes the resulting error.
Activation fails because the key is validated against the HOST ID/MAC ID it was issued for, so the same key cannot simply be reused on another system.
However, the error message discloses the licensed Host ID, i.e. the MAC ID of the victim system B:
Error Message: Licensed Host ID was not found on this machine [168C4*******]
Step 3: Using the Host ID disclosed in Step 2, the attacker manually sets the MAC ID of machine A to the victim's value:
Device Manager -> Ethernet adapter -> Properties -> Locally Administered Address -> enter the disclosed value. Temporarily disable the other network adapters so that only the spoofed adapter is active.
Confirm that A's MAC ID now matches the licensed Host ID (for example with ipconfig /all). If the change has not taken effect, restart the attacker machine once.
Step 4: The license key now activates successfully on attacker server A, as shown in the screenshot below.
The same attack chain applies to both Trial and Paid licenses.
Recommendation:
Avoid disclosing sensitive information in error messages. Return a generic error message and never echo the licensed Host ID or other system identifiers to the user.
Allow a license key to be activated only once. If the same key is presented again, validate the activating system's details against the record of the first activation and reject any mismatch.
Revoke and Reissue: Invalidate the license key associated with the victim server and issue a new, unique license key to prevent further unauthorized use.
Implement Stronger License Key Validation: Bind the license to more than a spoofable MAC ID, sign the license data so that it cannot be altered, and where possible anchor the check in hardware rather than in values the client reports about itself. Also note that a key recoverable from process memory (Step 1) should not be treated as a bearer secret; activation must be enforced server-side.
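The following is an added example (not Precision Bridge code) that models the attack chain in Steps 2 to 4 as a MAC-only check (weak_validate) and, beside it, a hardened activate-once design that follows the recommendations above: a hashed multi-attribute host fingerprint, a server-side activation registry with revocation, a signed activation token, and a single generic error message. The license key format, the fingerprint fields, the vendor secret and the in-memory registry are assumptions made for the demonstration; the MAC addresses, disk serials and machine GUIDs are constructed samples.

```python
"""Added example, not Precision Bridge code: MAC-only check beside a
hardened activate-once design. Key format, fingerprint fields, vendor
secret and registry are assumptions; sample identifiers are constructed."""
import hashlib
import hmac
import json
import secrets


def _norm_mac(mac: str) -> str:
    return mac.replace("-", "").replace(":", "").upper()


def weak_validate(licensed_mac: str, host_mac: str) -> tuple:
    """Weak design: the key is bound to the MAC alone and the error echoes
    the licensed Host ID, which is exactly what Steps 2 and 3 exploit."""
    if _norm_mac(host_mac) == _norm_mac(licensed_mac):
        return True, "License activated"
    return False, "Licensed Host ID was not found on this machine [%s]" % _norm_mac(licensed_mac)


def host_fingerprint(mac: str, disk_serial: str, machine_guid: str) -> str:
    """Hash several host attributes together (an assumed set). Spoofing the
    MAC alone no longer reproduces the victim's fingerprint, and the raw
    identifiers never appear in a license, a token or an error message."""
    material = "|".join([_norm_mac(mac), disk_serial, machine_guid])
    return hashlib.sha256(material.encode()).hexdigest()


class LicenseServer:
    """Server side: one activation per key; a second activation from a
    different fingerprint is refused; every failure returns the same message."""

    GENERIC_ERROR = "License activation failed"

    def __init__(self, signing_secret: bytes):
        self._secret = signing_secret
        self._bound = {}        # key -> fingerprint recorded at first activation
        self._revoked = set()

    def issue_key(self) -> str:
        key = secrets.token_hex(16)
        self._bound[key] = None
        return key

    def revoke(self, key: str) -> None:
        """Invalidate a leaked key; the customer then gets a fresh issue_key()."""
        self._revoked.add(key)

    def activate(self, key: str, fingerprint: str) -> tuple:
        if key not in self._bound or key in self._revoked:
            return False, self.GENERIC_ERROR
        if self._bound[key] is None:
            self._bound[key] = fingerprint                 # first activation binds the host
        elif not hmac.compare_digest(self._bound[key], fingerprint):
            return False, self.GENERIC_ERROR               # same key, different host
        payload = json.dumps({"key": key, "fp": fingerprint}, sort_keys=True)
        tag = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        return True, payload + "." + tag                   # signed token the client stores


def client_check_token(token: str, fingerprint: str, verify_secret: bytes) -> bool:
    """Offline check of a stored activation token. HMAC is used only to stay
    within the standard library; a real client should verify an asymmetric
    signature (e.g. Ed25519) so that only a public key sits in the javaw.exe
    process and nothing recoverable from its memory can mint tokens."""
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        return False
    expected = hmac.new(verify_secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    return hmac.compare_digest(json.loads(payload)["fp"], fingerprint)


# Constructed sample hosts: B is the victim, A the attacker, who has copied
# B's key out of memory and set A's MAC to B's via Device Manager (Step 3).
VICTIM_MAC, ATTACKER_MAC = "00-1A-2B-3C-4D-5E", "00-1A-2B-3C-4D-5F"
VICTIM_FP = host_fingerprint(VICTIM_MAC, "DISK-SERIAL-B", "guid-B")
ATTACKER_SPOOFED_FP = host_fingerprint(VICTIM_MAC, "DISK-SERIAL-A", "guid-A")
SECRET = b"vendor-secret-for-demo"


def demo() -> dict:
    """Runs both designs against the attack chain and returns pass/fail facts."""
    leak_ok, leak_msg = weak_validate(VICTIM_MAC, ATTACKER_MAC)        # Step 2
    spoof_ok, _ = weak_validate(VICTIM_MAC, VICTIM_MAC)                # Steps 3-4
    server = LicenseServer(SECRET)
    key = server.issue_key()
    ok_b, token_b = server.activate(key, VICTIM_FP)
    ok_a, msg_a = server.activate(key, ATTACKER_SPOOFED_FP)
    ok_reinstall, _ = server.activate(key, VICTIM_FP)
    server.revoke(key)
    ok_revoked, _ = server.activate(key, VICTIM_FP)
    return {
        "weak_error_leaks_host_id": (not leak_ok) and _norm_mac(VICTIM_MAC) in leak_msg,
        "weak_check_bypassed_by_mac_spoof": spoof_ok,
        "victim_activates": ok_b,
        "victim_token_valid": client_check_token(token_b, VICTIM_FP, SECRET),
        "attacker_rejected": not ok_a,
        "attacker_error_is_generic": msg_a == LicenseServer.GENERIC_ERROR,
        "victim_reinstall_ok": ok_reinstall,
        "revoked_key_rejected": not ok_revoked,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

Running the block prints one line per check; every value is True. The fingerprint is still built from values the client reports about itself, so a determined attacker who can also read or spoof the disk serial and machine GUID could reproduce it; the server-side activate-once rule and the generic error remove the easy chain shown in the advisory, and a TPM-backed attestation of the host is what replaces client-reported attributes where real hardware binding is required.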