From: Frank M. <mo...@in...> - 2015-06-04 09:16:30
We've discussed this kind of issue earlier. Yes, we need to fix those issues if we can. In the past couple of months we fixed a lot of issues that were discovered by static code analysis, for this reason. However, we still believe that a malicious card requires more or less physical access to the machine. With this premise there are a number of problems arising that are currently more likely to be exploited.

On 3 June 2015 18:41:47 MESZ, Douglas E Engert <dee...@gm...> wrote:
>Good point. A card designed to cause a segfault... We really do
>need to make sure we don't segfault.
>
>On 6/3/2015 3:44 AM, Dirk-Willem van Gulik wrote:
>>
>>> On 02 Jun 2015, at 18:36, Douglas E Engert <dee...@gm... <mailto:dee...@gm...>> wrote:
>>>
>>> On 6/2/2015 10:32 AM, Dirk-Willem van Gulik wrote:
>>>> We seem to be a bit trusting of the cruft which can be on a card; found I needed below to stop naughty cards
>>>> from causing segfaults (and hence locking subsequent users out of their desktops (a bit of fragility outside OpenSC)).
>>>>
>>>> Just wondering - is this sort of thing common (and should I scan most of the code for this) — or have I found a rare case?
>>>
>>> It depends. The part of OpenSC that tries to determine the type of card would be more likely to run into "naughty cards",
>>> or cards that don't follow all the standards, or cards that have not been initialized as expected.
>>>
>>> Cards that may have worked with older versions of OpenSC may not work with newer versions, as newer code
>>> may not have been tested against the older cards. For example, there are cards that emulate PKCS#15, and newer code
>>> added to OpenSC, for example sc_enum_apps(), may not be emulated correctly. For example, the ODF in older code
>>> does not need to be emulated. Not clear if it does now.
>>>
>>> Older versions of cards that may have worked before.
But newer >versions of the card or the files on new cards >>> are not the same as before because the card issuer changed >something. >>> >>> Can you say what cards caused these problems? >> >> We dove into this because we saw a card specifically designed to make >(login) daemons segfault (and hence fall back to lesser systems due to >non ideal designed processes). >> >> This is basically an organisational/procedure attack - where a DoS >leads to the human/apparatus complex to do unsafe things to tide over; >and the exploit is then there; not in OpenSC per-se. >> >> By pure co-incidence (going through old logs) we discovered that >various AET cards; including a card issued to most Dutch civil servants >also causes pretty much all opensc tools (and pkcs11/15) to >> segfault. >> >> In this case it is more ‘silly’ — cards respond to queries with a: >> >> { >> (char []) "I am the SafeSign Applet of A.E.T. Europe B.V. please >authenticate yourself\n”, >> 0x90, 0x00 >> } >> >> that confuses OpenSC enough to segfault in various places on mere >insertion/query. >> >> Dw. >> >>> >>>> >>>> Dw. >>>> >>>> >https://github.com/OpenSC/OpenSC/commit/1061b5ded0edbc6a1f2cb4fd599b7c950ffe18ff >>>> >>>> src/libopensc/dir.c >>>> @@ -149,6 +149,10 @@ int sc_enum_apps(sc_card_t *card) >>>> r = sc_select_file(card, &path, &card->ef_dir); >>>> LOG_TEST_RET(ctx, r, "Cannot select EF.DIR file"); >>>> >>>> +if (card->ef_dir == NULL) { >>>> +LOG_TEST_RET(ctx, SC_ERROR_INVALID_CARD, "EF(DIR) nonexistant."); >>>> +} >>>> + >>>> if (card->ef_dir->type != SC_FILE_TYPE_WORKING_EF) { >>>> sc_file_free(card->ef_dir); >>>> card->ef_dir = NULL; >>>> >>>> src/libopensc/pkcs15.c 
>>>> @@ -1044,6 +1044,10 @@ sc_pkcs15_bind_internal(struct >sc_pkcs15_card *p15card, struct sc_aid *aid) >>>> sc_log(ctx, "Cannot make absolute path to EF(ODF); error:%i", err); >>>> goto end; >>>> } >>>> +if (p15card->file_odf == NULL) { >>>> +sc_log(ctx, "After making absolute path to EF(ODF) still no >odf."); >>>> +goto end; >>>> +} >>>> sc_log(ctx, "absolute path to EF(ODF) %s", >sc_print_path(&tmppath)); >>>> err = sc_select_file(card, &tmppath, &p15card->file_odf); >>>> } >>>> @@ -1059,6 +1063,8 @@ sc_pkcs15_bind_internal(struct sc_pkcs15_card >*p15card, struct sc_aid *aid) >>>> goto end; >>>> } >>>> >>>> +assert(p15card->file_odf); >>>> + >>>> len = p15card->file_odf->size; >>>> if (!len) { >>>> sc_log(ctx, "EF(ODF) is empty”); >>>> >>>> >>>> >>>> >------------------------------------------------------------------------------ >>>> _______________________________________________ >>>> Opensc-devel mailing list >>>> Ope...@li... ><mailto:Ope...@li...> >>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel >>>> >>> >>> -- >>> >>> Douglas E. Engert <DEE...@gm... <mailto:DEE...@gm...>> >>> >>> >>> >------------------------------------------------------------------------------ >>> _______________________________________________ >>> Opensc-devel mailing list >>> Ope...@li... ><mailto:Ope...@li...> >>> https://lists.sourceforge.net/lists/listinfo/opensc-devel >> > >-- > > Douglas E. Engert <DEE...@gm...> > > >------------------------------------------------------------------------------ >_______________________________________________ >Opensc-devel mailing list >Ope...@li... >https://lists.sourceforge.net/lists/listinfo/opensc-devel -- Frank Morgner |
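Review bot: in the dir.c hunk, the new NULL check on card->ef_dir is the right place to stop the `card->ef_dir->type` dereference that follows, but two details need attention. The log text misspells "nonexistent", and the condition it reports is not a missing EF(DIR) (a missing file would already have failed sc_select_file() and been caught by the LOG_TEST_RET above); it is a card driver that returned success without filling in card->ef_dir. Suggest a message that says so, e.g. "EF(DIR) selected but no file structure returned", so the log points at the driver rather than at the card.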
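Review bot: in the first pkcs15.c hunk (@@ -1044), the new `if (p15card->file_odf == NULL)` check sits before the `err = sc_select_file(card, &tmppath, &p15card->file_odf);` call that is what populates p15card->file_odf, so it tests the pointer one step too early and, depending on what the surrounding branch does with file_odf before the select, may reject cards that would have bound fine. It also jumps to end without assigning err; on the fall-through path (the preceding branch only goes to end on a path-construction error) err still holds the success value, so the caller can see success with no ODF selected. Suggest moving the check after the select and setting err to an error code such as SC_ERROR_INVALID_CARD before the goto.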
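Review bot: in the second pkcs15.c hunk (@@ -1059), `assert(p15card->file_odf);` before `len = p15card->file_odf->size;` does not protect a release build: with NDEBUG the assert compiles away and the NULL dereference is back, and in a debug build it turns the segfault into an abort(), which for the login-daemon case described in the thread is the same outcome. Suggest a runtime check in the style of the previous hunk (`if (p15card->file_odf == NULL) { err = SC_ERROR_INVALID_CARD; goto end; }`), and if the assert is kept, confirm that pkcs15.c includes <assert.h>.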
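The thread's point, that OpenSC acted on whatever the card returned (a text banner followed by 0x90 0x00 was enough to crash it), is illustrated by this added C example, which is not OpenSC code: it parses one EF.DIR application template with every length bounds-checked and refuses anything else, including a constructed reply shaped like the SafeSign banner quoted above. The tags (0x61 template, 0x4F AID) follow ISO 7816-4; the function name and sample bytes are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed example, not OpenSC code: a bounds-checked parser for one
 * ISO 7816-4 EF.DIR record (application template, tag 0x61, wrapping an
 * AID, tag 0x4F). It returns the AID only when the reply really has that
 * shape, so free text plus 0x9000 can never reach a dereference unparsed. */
#define APDU_SW_OK 0x9000
/* Returns the AID length (1..16) after copying it to aid_out, or -1. */
int parse_ef_dir_record(const uint8_t *resp, size_t len,
                        uint8_t *aid_out, size_t aid_cap)
{
    if (resp == NULL || len < 4)                   /* need TL + status word */
        return -1;
    if (((resp[len - 2] << 8) | resp[len - 1]) != APDU_SW_OK)
        return -1;                                 /* not a success reply */
    size_t body = len - 2;                         /* data without the SW */
    if (resp[0] != 0x61 || resp[1] > 0x7F || (size_t)resp[1] + 2 != body)
        return -1;                                 /* outer template broken */
    for (size_t pos = 2; pos + 2 <= body; ) {      /* walk the inner TLVs */
        uint8_t tag = resp[pos], l = resp[pos + 1];
        if (l > 0x7F || pos + 2 + l > body)
            return -1;                             /* length runs past data */
        if (tag == 0x4F) {
            if (l == 0 || l > 16 || l > aid_cap)
                return -1;                         /* AID is 1..16 bytes */
            memcpy(aid_out, resp + pos + 2, l);
            return (int)l;
        }
        pos += 2 + l;
    }
    return -1;                                     /* no AID in the template */
}

/* Constructed sample replies, each ending in the status word 0x90 0x00. */
static const uint8_t well_formed[] = { 0x61, 0x09, 0x4F, 0x05, 0xA0, 0x00, 0x00,
                                       0x00, 0x63, 0x50, 0x00, 0x90, 0x00 };
/* Shaped like the thread's banner: ASCII, 0x90, then the literal's NUL. */
static const uint8_t text_reply[] =
    "I am the SafeSign Applet of A.E.T. Europe B.V. please authenticate yourself\n\x90";

int main(void)
{
    uint8_t aid[16];
    printf("well-formed: %d\n", parse_ef_dir_record(well_formed, sizeof well_formed, aid, sizeof aid)); /* 5 */
    printf("text reply:  %d\n", parse_ef_dir_record(text_reply, sizeof text_reply, aid, sizeof aid));   /* -1 */
    return 0;
}
```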