PHP app Licensing Faux-pas
One of the PHP web applications we use in the office requires a license to work; it locks its license to the hostname and IP address of the server on which it’s run. When the license key is first entered, it phones home to set the hostname and IP address on the licensing server and then stores a valid hash of the license.
We recently restructured our network and changed the IP address, causing the app to complain that the license was invalid. Deleting the licensing file caused it to talk to the licensing server again, but it was no use: the licensing server still held the old IP address, which was no longer correct. At this point I sent an e-mail off to their customer support team to get the information changed.
However, I couldn’t resist taking a quick peek under the hood. To their credit, the app is largely open source and readable, except for the code that manages the license, which is encrypted. I removed the license file and fired up Wireshark, which logged the following conversation with their license server (anonymised to protect the guilty):-
GET /XXXXXX.php?license_key=Base64String&host_name=Base64String&host_ip=Base64String
Which generated the following reply:-
On the face of it this seems quite easy to attack: given that it sends the current hostname/IP to the licensing server, it’d be a trivial PHP script to send back what we assume the app would want to see:-
$key = base64_decode(urldecode($_GET['license_key']));
$host = base64_decode(urldecode($_GET['host_name']));
$ip = base64_decode(urldecode($_GET['host_ip']));
echo "$key|$host|$ip";
All that remains to do is set the script up on our server and add an entry into our /etc/hosts file so that the licensing server domain name now points at our server. Once done, after removing the license file, I hit refresh and, surprise surprise, the app accepted the license response and things continued as normal.
This is a particularly weak scheme since it doesn’t even run over SSL, so capturing with Wireshark is trivial. The other fundamental problem is that the class which converses with the licensing server is not encrypted, so that would represent another point of attack which wouldn’t require setting up a fake licensing server – just hijack the response methods.
To their credit, the license key itself is validated using a hash to determine what level of features you have access to, but once you’ve bought one key you are then able to apply the methods above to copy the key to as many different locations as you wish.
Any comments identifying the application in question will be removed or censored; this is not an aid to bypassing licensing requirements, more a discussion of the security implications of how this particular method was implemented.
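The forged reply is accepted because the app trusts any response that echoes back the values it sent. The sketch below is an added example, not the vendor's code: it shows a licensing reply that is signed by the server and bound to a per-request nonce, so the client can reject a reply from any host that lacks the signing key. It assumes PHP 7.2+ with the sodium extension; the function names, the JSON layout and the sample values are all constructed for illustration.

```php
<?php
// Vendor side (one-off): generate a signing keypair. Only the public key ships in the app.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);  // stays on the licensing server
$publicKey = sodium_crypto_sign_publickey($keypair);  // embedded in the client

// Licensing server: sign the record it holds for this key, plus the client's nonce.
function issue_response(string $secretKey, array $record, string $nonce): string
{
    $payload = json_encode($record + ['nonce' => bin2hex($nonce)]);
    $sig     = sodium_crypto_sign_detached($payload, $secretKey);
    return base64_encode($sig) . '.' . base64_encode($payload);
}

// Client: accept the reply only if signature, nonce and local host details all match.
function verify_response(string $publicKey, string $reply, string $nonce,
                         string $host, string $ip): bool
{
    $parts = explode('.', $reply, 2);
    if (count($parts) !== 2) {
        return false;
    }
    $sig     = base64_decode($parts[0], true);
    $payload = base64_decode($parts[1], true);
    if ($sig === false || $payload === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return false;  // not produced by the holder of the vendor's secret key
    }
    $data = json_decode($payload, true);
    return is_array($data)
        && hash_equals(bin2hex($nonce), (string) ($data['nonce'] ?? ''))  // blocks replay
        && ($data['host'] ?? null) === $host
        && ($data['ip'] ?? null) === $ip;
}

// Constructed sample values for the demonstration.
$nonce  = random_bytes(16);
$record = ['key' => 'DEMO-KEY', 'host' => 'app.example.test', 'ip' => '192.0.2.10'];
$reply  = issue_response($secretKey, $record, $nonce);
$check  = fn(string $r, string $n) => verify_response($publicKey, $r, $n, $record['host'], $record['ip']);

var_dump($check($reply, $nonce));             // genuine reply, fresh nonce
$fake = sodium_crypto_sign_secretkey(sodium_crypto_sign_keypair());
var_dump($check(issue_response($fake, $record, $nonce), $nonce));  // signed with another key
var_dump($check($reply, random_bytes(16)));   // captured reply replayed against a new nonce
```

Signing only addresses the forged or replayed reply; it does nothing about the second weakness noted above, where the unencrypted client class that handles the response is modified directly.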