Menu
▾
▴
Re: [Opensc-devel] Preventing malformed ODFs causing segfaults.
|
From: Frank M. <mo...@in...> - 2015-06-04 09:16:30
|
We've discussed this kind of issue earlier. Yes, we need to fix those issues if we can. In the past couple of month we fixed a lot of issues that were discovered by static code analysis, for this reason. However, we still believe that a malicious card requires more or less physical access to the machine. With this premise there are a number of problems arising that are currently more likely to be exploited.
Am 3. Juni 2015 18:41:47 MESZ, schrieb Douglas E Engert <dee...@gm...>:
>Good point. A card to designed to cause a segfault... We really do
>need to make sure we don't segfault.
>
>On 6/3/2015 3:44 AM, Dirk-Willem van Gulik wrote:
>>
>>> On 02 Jun 2015, at 18:36, Douglas E Engert <dee...@gm...
><mailto:dee...@gm...>> wrote:
>>>
>>>
>>>
>>> On 6/2/2015 10:32 AM, Dirk-Willem van Gulik wrote:
>>>> We seem to be a bit trusting of the cruft which can be on a card;
>found I needed below to stop naughty cards
>>>> from causing segfaults (and hence locking subsequent users out of
>their desktops (a bit of fragility outside OpenSC)).
>>>>
>>>> Just wondering - is this sort of thing common (and should I scan
>most of the code for this) — or have i found a rare case ?
>>>
>>> It depends. The part of OpenSC that tries to determine the type of
>card, would be more likely to run into "naughty cards"
>>> or cards that don't follow all the standards or cards that have not
>been initialized as expected.
>>>
>>> Cards that may have worked with older versions of OpenSC, may not
>work with newer versions, as newer code
>>> may not have been tested against the older cards For example There
>are cards that emulate PKCS#15 and newer code
>>> added to OpenSC for example the sc_enum_apps() may not be emulated
>correctly. For example the ODF in older code
>>> does not need to be emulated. Not clear if it does now.
>>>
>>> Older versions of cards that may have worked before. But newer
>versions of the card or the files on new cards
>>> are not the same as before because the card issuer changed
>something.
>>>
>>> Can you say what cards caused these problems?
>>
>> We dove into this because we saw a card specifically designed to make
>(login) daemons segfault (and hence fall back to lesser systems due to
>non ideal designed processes).
>>
>> This is basically an organisational/procedure attack - where a DoS
>leads to the human/apparatus complex to do unsafe things to tide over;
>and the exploit is then there; not in OpenSC per-se.
>>
>> By pure co-incidence (going through old logs) we discovered that
>various AET cards; including a card issued to most Dutch civil servants
>also causes pretty much all opensc tools (and pkcs11/15) to
>> segfault.
>>
>> In this case it is more ‘silly’ — cards respond to queries with a:
>>
>> {
>> (char []) "I am the SafeSign Applet of A.E.T. Europe B.V. please
>authenticate yourself\n”,
>> 0x90, 0x00
>> }
>>
>> that confuses OpenSC enough to segfault in various places on mere
>insertion/query.
>>
>> Dw.
>>
>>>
>>>>
>>>> Dw.
>>>>
>>>>
>https://github.com/OpenSC/OpenSC/commit/1061b5ded0edbc6a1f2cb4fd599b7c950ffe18ff
>>>>
>>>> src/libopensc/dir.c
>>>> @@ -149,6 +149,10 @@ int sc_enum_apps(sc_card_t *card)
>>>> r = sc_select_file(card, &path, &card->ef_dir);
>>>> LOG_TEST_RET(ctx, r, "Cannot select EF.DIR file");
>>>>
>>>> +if (card->ef_dir == NULL) {
>>>> +LOG_TEST_RET(ctx, SC_ERROR_INVALID_CARD, "EF(DIR) nonexistant.");
>>>> +}
>>>> +
>>>> if (card->ef_dir->type != SC_FILE_TYPE_WORKING_EF) {
>>>> sc_file_free(card->ef_dir);
>>>> card->ef_dir = NULL;
>>>>
>>>> src/libopensc/pkcs15.c
>>>> @@ -1044,6 +1044,10 @@ sc_pkcs15_bind_internal(struct
>sc_pkcs15_card *p15card, struct sc_aid *aid)
>>>> sc_log(ctx, "Cannot make absolute path to EF(ODF); error:%i", err);
>>>> goto end;
>>>> }
>>>> +if (p15card->file_odf == NULL) {
>>>> +sc_log(ctx, "After making absolute path to EF(ODF) still no
>odf.");
>>>> +goto end;
>>>> +}
>>>> sc_log(ctx, "absolute path to EF(ODF) %s",
>sc_print_path(&tmppath));
>>>> err = sc_select_file(card, &tmppath, &p15card->file_odf);
>>>> }
>>>> @@ -1059,6 +1063,8 @@ sc_pkcs15_bind_internal(struct sc_pkcs15_card
>*p15card, struct sc_aid *aid)
>>>> goto end;
>>>> }
>>>>
>>>> +assert(p15card->file_odf);
>>>> +
>>>> len = p15card->file_odf->size;
>>>> if (!len) {
>>>> sc_log(ctx, "EF(ODF) is empty”);
>>>>
>>>>
>>>>
>>>>
>------------------------------------------------------------------------------
>>>> _______________________________________________
>>>> Opensc-devel mailing list
>>>> Ope...@li...
><mailto:Ope...@li...>
>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>>
>>>
>>> --
>>>
>>> Douglas E. Engert <DEE...@gm... <mailto:DEE...@gm...>>
>>>
>>>
>>>
>------------------------------------------------------------------------------
>>> _______________________________________________
>>> Opensc-devel mailing list
>>> Ope...@li...
><mailto:Ope...@li...>
>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>
>
>--
>
> Douglas E. Engert <DEE...@gm...>
>
>
>------------------------------------------------------------------------------
>_______________________________________________
>Opensc-devel mailing list
>Ope...@li...
>https://lists.sourceforge.net/lists/listinfo/opensc-devel
--
Frank Morgner |
