Hello everyone,
Today we’re going to talk about the vulnerability that I found on ESET a few months ago. The vulnerability has been fixed and I’ve permission to make it public so we can talk freely!
Before I talk about the vulnerability, my purpose in preparing this write-up won’t be to explain IDOR, so I’ll assume you already have a basic info of IDOR.
So let’s get started!
Basic Recon
I’ll keep this part pretty short because there’s nothing extra. Shortly, I was examining the subdomains in ESET services and I arrived at the following type of application panel.
Let the war begin!
I signed up to the application and tried to understand what was going on. There wasn’t much, basically the following message caught my attention.
It looked like a welcome message. I opened the Intercept and tried to delete the message directly by clicking the cross button.
I came across this type of request. At first glance, nothing caught my attention. I didn’t see any object id. I sent the request and the message was deleted successfully. I couldn’t even get close to IDOR.
After a few minutes I reviewed the request again and the parameter “mainTable_selection=” was empty. I thought it was about object ids but I wasn’t sure. I had successfully submitted the request again and the message had deleted but it looked like I wasn’t selected any objects.
Here is the fine line of IDOR!
I went back to the application panel to find any object id, I was looking for a property where I could change the request. Of course I wasn’t sure if there was an IDOR here, I was just trying my luck.
And yes, you noticed, right? I repeated the deletion process to see what I was missing and then I noticed it too.
I resubmitted the request and looked at what would change.
I immediately created a victim user and replaced the object id with its welcome message. My victim’s welcome message has been deleted, BINGO! Email numbering was increasing between certain values, which meant that all emails in the system can be deleted.
The message select button was working directly in the backend with the parameter “mainTable_selection=” and didn’t really check which user the object belonged to.
I reported this vulnerability to the ESET Security Team and was rewarded with SWAG. I hope you enjoyed!
Reported — December 5, 2020
Rewarded — December 23, 2020
Fixed— April 27, 2021