Security researcher Eric Sesterhenn of X41 D-SEC GmbH has unearthed a number of vulnerabilities in several smart card drivers, some of which can allow attackers to log into the target system without valid credentials and achieve root/admin privileges.
“A lot of attacks against smart cards have been performed in the past but not much work has focused on hacking the driver side of the smart card stack [the piece of software that interacts with chip cards when a card is inserted into reader]. Smartcard drivers present a very interesting target from the attackers point of view since they contain multiple parsers and usually run with high privileges (e.g. root on linux systems),” Sesterhenn pointed out.
As the company’s CEO Markus Vervier noted, the potential for abuse of these vulnerabilities is frightening – (vulnerable) smart card software stack implementations are used in ATMs, door locks and so on.
Sesterhenn tested a number of open source smart card drivers developed by Yubico, OpenSC and the Apple Smart Card Services project.
He extended the company’s fuzzing framework and developed several tools that allowed him to test the OpenSC smart card stack, PCSC-based drivers on Linux and Winscard based smartcard drivers on Microsoft operating systems.
Most of the vulnerabilities he discovered are buffer overflows, out of bounds memory reads/writes, and logic bugs and successful exploitation of some of them can lead to code execution, DoS, and authentication bypass.
The flaws can be exploited via malicious smartcards.
All of the vendors and maintainers have been informed and some fixes have already been released (for Yubico PIV, the Apple Smart Card Services components).
The vulnerable libykneomgr library (used by Yubico) won’t be updated because it’s deprecated, and OpenSC has not yet provided fixes for OpenSC and the pam-pkcs11 library, so X41 has decided to release temporary bugfixes themselves.
Sesterhenn has presented his research at this year’s edition of DEF CON in Las Vegas.