The smart card stack is the piece of software on a computer system that interacts with smart cards (aka chip cards) when a card is inserted into a card reader. Imagine breaking into an IT-system by just inserting a manipulated card.
At X41 we are always looking for interesting targets to play with and to test out new attack vectors. Our researcher Eric Sesterhenn started looking into smart card security, since smart cards are associated with a very high level of trust and are often used in the authentication process. Therefore, attacks against a smartcard or the smartcard stack would allow an attacker to get a high privilege level quickly.
A lot of attacks against smart cards have been performed in the past (see https://www.youtube.com/watch?v=62DGIUpscnY) but noch much work has focused on hacking the driver side of the smart card stack. Smartcard drivers present a very interesting target from the attackers point of view since they contain multiple parsers and usually run with high privileges (e.g. root on linux systems).
Eric decided to take a look at different open source smart card drivers. Through extending X41’s fuzzing framework he developed several tools in order to identify security issues in the drivers. These tools allow to test the OpenSC smart card stack, and PCSC based drivers on linux as well as Winscard based smartcard drivers on Microsoft operating systems. This helped him uncover several memory corruptions which can be abused to gain code execution on the attacked system by just inserting a malicious smartcard into the attached card-reader. This means the attacker is not only able to login as any user, but instantly as the root-admin.
Furthermore, an issue was uncovered which allows to replay smart card logins in certain cases, which is exactly the kind of attack smartcards should prevent.
For more details watch Erics Talk at defcon or beVX. If you are using open source smartcard drivers make sure to support the projects by donating or supporting the development.
Here you go, let’s start with the facts:
Here are the detailed advisories:
X41 worked with the affected vendors to create and release patches that fix the discovered issues. Since a fixed version is not officially available in case of OpenSC yet, X41 decided to make the following repositories including fixes public:
Sure, can do! Just send us an email with “I want to know more about your fuzzing services!” in it to email@example.com and we will provide some extra information to you. You can also ask for the link to the tools used for the smartcard driver fuzzing.