Known Vulernerability

Release: 7.3.8

Fixed in Release: 7.3.21 Security Patch

Description: Bypassing Precision Bridge License key validation mechanism

Reported and documented by Viraj Mota

Application Name: Precision Bridge (Thick Client)

Application Version: 7.3.8

Severity: High

Business Impact: Critical 

Description

A security vulnerability has been identified that allows an unauthorized party to circumvent the license key validation mechanism. This exploit enables the attacker to employ the same license key on multiple systems, thereby potentially compromising the integrity of the licensing system and causing licensing violations. An attacker able to chain the vulnerabilities of disclosing information of Victim MAC ID to bypassing MAC ID validation.


Note:

The license key was applied for activation on the specific server (MAC ID: 168C47*****), and License key is mapped with Victim MAC ID i.e.:168C47******. 

Let’s assume, we will call Attacker server as A & Victim server as B.


Steps to reproduce:

Step 1: Notice that attacker able to extract the license key from memory raw data using Process Hacker tool. 

Javaw.exe -> properties -> Memory -> Strings -> Filter 

Note: Attacker will use above disclosed license key for further attack chain.

Step 2: Notice the error when Attacker try to insert the “B” system license key to “A” system.

 Here, it was observed that attacker not able to use the same license on another system due to validation where it is checking the HOST ID/MAC ID with license key.

Notice that in the error message, MAC ID of A system is disclosed.

Error Message: Licensed Host ID was not found on this machine [168C4*******]

Step 3: Using previous disclosed MAC ID, Attacker could manually modify the value of B Machine MAC ID.

Device Manager -> Ethernet Connection -> Locally Administered Address -> Insert value. Disable other adaptors for a while.


Once changes are done, confirm the MAC ID is changed to A. If it is not yet change, just restart the attacker machine once.


Step 4: Notice that this time License key is successfully activated on B server as shown in below screenshot.


To further extend, the same attack chain is applicable to Trail License as well as PAID License

Recommendation

Avoid disclosing sensitive information in error message. Use custom/generic error message.

Activate the product license once within the system. For another same license key activation, validate the user system details.

Revoke and Reissue: Invalidate the license key associated with the victim server and issue a new, unique license key to prevent further unauthorized use.

Implement Stronger License Key Validation: Enhance the license key validation mechanism to make it more resistant to exploitation, including measures like encryption or hardware-based validation.

















 Website Usage       Privacy Policy

Copyright 2015-2024 Service Management Integrations Limited. All Rights Reserved.

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the United States and/or other countries. SAP is the registered trademark of SAP SE.  BMC, Remedy, Helix and Remedyforce are registered trademarks of BMC Software Inc.  SQL Server, Sharepoint and associated logos are trademarks of Microsoft.  Oracle and Java are registered trademarks of Oracle and/or its affiliates. Salesforce is the trademark of Salesforce.com Inc. Precision Bridge is not offered, sponsored or endorsed by Salesforce. Jira is the registered trademark of Atlassian. RSA Archer is the registered trademark of RSA. Cherwell is the registered trademark of Cherwell Software LLC. Other names may be trademarks of their respective owners.