lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050922094938.24094.qmail@securityfocus.com>
Date: 22 Sep 2005 09:49:38 -0000
From: acidemon@...il.com
To: bugtraq@...urityfocus.com
Subject: Platinum Secure smartcard security bypass


========================================================
- Platinum Secure Smart Card security bypass technique -
========================================================


Vendor: http://360degreeweb.com

Vendor informed: nope...but Acer were
Impact : pretty high

Vulnerable Systems
------------------

Acer TravelMate C300
Acer TravelMate 8100

Other systems may also be affected.

========================================================

Quick Background
----------------

These Acer notebooks include a smart card reader, two smartcards and a security application called Platinum Secure. The smart card security system should prevent access to the console while the smart card is not present or when password has not been entered. This test was conducted on the aforementioned notebooks with the latest versions of the software downloaded from the Acer website and the latest BIOS upgrade.

Description of Vulnerability
----------------------------

When a user removes his smart card from the machine it activates the 'locking mechanism' and splashes a nice big picture of your soon to be rendered almost useless smart card saying "Please insert your <make of machine> Smart Card". I had to use different techniques for both notebooks as the TravelMate 8100 gave me less to work with so I will explain the method I used on either notebook.

Acer TravelMate C300 with Windows XP:

The easiest of the two. I was able to Ctrl-Esc to give me a brief one second view of the Windows Start menu. From there I was able to click on the Run button which went into the background. From there I could Alt-Tab to focus the Run box and quickly type in 'cmd' for a command prompt. (I find it's easier just to hold down Windows key and push 'R'). The command prompt would also go into the background but could be bought up (one second at a time) to the foreground by Alt-Tab'ing again. From there managed to type in "taskkill /f /im pcard.exe" (older versions may be pccard.exe) which killed the screen locking process and gave me full access to the desktop (minus the taskbar).

Acer TravelMate 8100 with Windows XP:

With this notebook I was unable to Ctrl-Esc, Alt-Tab or bring up anything that gave me the inclination that I was able to focus anything in the background. However I was able to run Internet Explorer using the very helpful Web button on the notebook. From there I could Alt-Tab or Alt-Esc and get into the filesystem. From there I browsed through to C:\Windows\System32 and ran "cmd.exe". After running that the command prompt window was statically focused and I did not need to Alt-Tab to bring it back. From there I ran "taskkill /f /im pcard.exe" and again was given access to the desktop (minus the taskbar).




Note - This is not a new vulnerability but it seems the old one hasn't been fixed properly. The original post can be found on http://www.securityfocus.com/archive/1/319219 . 

========================================================
Short term solution
-------------------

Lock the Windows desktop before removing the smartcard.

========================================================

Vendor Response
---------------

Initial reponse: "That's impossible"
Follow up response: "We are currently working on the problem."

========================================================

Disclaimer
----------

In no event shall I be liable for any damages, anytime, anywhere, ever.


Greets:
-------

luca, reapster, plunkett. HI MOM!

========================================================




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ