The different software vendors/maintainers have been informed and are working on solutions.Often these services are run with root/administrator privileges. Possible impacts of successful exploitation are: Code Execution, Crash / Denial of Service, Authentication Bypass in distinct scenarios.Attackers can use manipulated smart cards to exploit these vulnerabilities.Mostly these are from the following categories: Buffer Overflow, Out of Bounds Memory Reads/Writes and logic bugs. Various vulnerabilities were identified in the different software products.Affected smart card stacks are Yubico Piv, OpenSC, libykneomgr and the Apple Smart Card Services project. Here you go, let’s start with the facts: Facts If you are using open source smartcard drivers make sure to support the projects by donating or supporting the development. This means the attacker is not only able to login as any user, but instantly as the root-admin.įurthermore, an issue was uncovered which allows to replay smart card logins in certain cases, which is exactly the kind of attack smartcards should prevent.įor more details watch Erics Talk at defcon or beVX. This helped him uncover several memory corruptions which can be abused to gain code execution on the attacked system by just inserting a malicious smartcard into the attached card-reader. These tools allow to test the OpenSC smart card stack, and PCSC based drivers on linux as well as Winscard based smartcard drivers on Microsoft operating systems. Through extending X41’s fuzzing framework he developed several tools in order to identify security issues in the drivers. Eric decided to take a look at different open source smart card drivers.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
February 2023
Categories |