lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 25 Oct 2018 11:40:01 -0400
From: Harrison Neal <hneal@...tdidibreak.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] HID ActivID ActivClient - DoS or Heap Spray via SC

HID ActivID ActivClient 7.1.0.202 may not enforce upper bounds on the size
of
data received from a smart card, which can lead to attacks such as memory
exhaustion, or serve as a heap spraying primitive for other attacks against
the
software, albeit slowly.

For example, when running Advanced Diagnostics with an "Oberthur ID-One PIV"
smart card, part of the back and forth can look like the following:



> CLA=00 INS=cb P1=3f P2=ff Lc=05 [5 data bytes] Le=00
< [the first 256 byte block of metadata and an X.509 certificate]
< SW1=61 SW2=00

[the following request and response repeats as much as necessary]

> CLA=00 INS=c0 P1=00 P2=00 Le=00
< [the next 256 byte block]
< SW1=61 SW2=00

[the prior request and response repeats as much as necessary]

> CLA=00 INS=c0 P1=00 P2=00 Le=00
< [the second to last block]
< SW1=61 SW2=[number of remaining bytes in last block]

> CLA=00 INS=c0 P1=00 P2=00 Le=[number of remaining bytes in last block]
< [remaining bytes]
< SW1=90 SW2=00



So long as a malicious card responds with SW1=61 and SW2=00, the loop above
appears to continue indefinitely, with the software being unresponsive to
the
"Cancel" button and continuously consuming additional memory. This was
tested
for several hours on a Windows 10 workstation with an Omnikey 3021 smart
card
reader.

HID may wish to have their software break the above loop (and those like it)
after an excessive number of blocks have been received.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists