-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 X41 D-Sec GmbH Security Advisory: X41-2018-005 Multiple Vulnerabilities in Apple smartcardservices =================================================== Overview - -------- Confirmed Affected Versions: e3eb96a6eff9d02497a51b3c155a10fa5989021f Confirmed Patched Versions: 8eef01a5e218ae78cc358de32213b50a601662de Vendor: Apple Vendor URL: https://smartcardservices.github.io/ Credit: X41 D-Sec GmbH, Eric Sesterhenn Status: Public Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-005-smartcardservices/ Summary and Impact - ------------------ Attackers with local access can exploit security issues in the smartcard driver. These result in memory corruptions, which might lead to code execution. Since smartcards can be used for authentication, the vulnerabilities may allow an attacker to login to the system without valid credentials as any user. X41 did not perform a full test or audit on the software. Product Description - ------------------- The Smart Card Services project is comprised of several components which, when combined, provide the necessary abstraction layer and integration of smart cards into Apple’s CDSA implementation. Stack based buffer overflow =========================== Severity Rating: Medium Vector: APDU Response CVE: CVE-2018-4300 CWE: 120 CVSS Score: 7.1 (High) CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Summary and Impact - ------------------ In file Tokend/CAC/CACRecord.cpp the function CACCertificateRecord::getDataAttribute() might overwrite the value certificate and possibly other stack data, if a smartcard provides malicious data. {% highlight c++ %} unsigned char command[] = { 0x80, 0x36, 0x00, 0x00, 0x64 }; unsigned char result[MAXBUFFERSIZE]; sizet resultLength = sizeof(result); uint8 certificate[CACMAXSIZECERT]; uint8 uncompressed[CACMAXSIZECERT]; sizet certificateLength = 0; try { PCSC::Transaction (cacToken); cacToken.select(mApplication); uint32t cacreturn; do { cacreturn = cacToken.exchangeAPDU(command, sizeof(command), result, resultLength); if ((cacreturn & 0xFF00) != 0x6300) CACError::check(cacreturn); sizet requested = command[4]; if (resultLength != requested + 2) PCSC::Error::throwMe(SCARDEPROTOMISMATCH); memcpy(certificate + certificateLength, result, resultLength - 2); certificateLength += resultLength - 2; // Number of bytes to fetch next time around is in the last byte // returned. command[4] = cacreturn & 0xFF; } while ((cacreturn & 0xFF00) == 0x6300); } catch (...) { return NULL; } {% endhighlight %} As long as the smartcard returns a return code of 0x63FF, more data is copied into the certificate buffer, causing a stack based overflow. A malicious smartcard is able to control all of the overflowed bytes. Workarounds - ----------- None Stack based buffer overflow with limited input ============================================== Severity Rating: Medium Vector: APDU Response CVE: CVE-2018-4301 CWE: 120 CVSS Score: 7.1 (High) CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Summary and Impact - ------------------ In file Tokend/PKCS11/GemaltoKeyHandle.cpp the function GemaltoPrivateKeyRecord::computeDecrypt() might overwrite the value strData if the supplied dataLength is too big. {% highlight c++ %} void GemaltoPrivateKeyRecord::computeDecrypt(GemaltoToken &gemaltoToken, CKULONG mech, const AccessCredentials *cred, unsigned char *data, sizet dataLength, unsigned char output, size_t &outputLength) { GemaltoToken::log("\nGemaltoPrivateKeyRecord::computeDecrypt <BEGIN>\n"); GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - mechanism <%lu>\n", mech); GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - cred <%p>\n", cred); char strData[6000]; memset(strData, '\0', sizeof(strData)); char str = strData; for (size_t i=0; i<dataLength; i++) { str += sprintf(str, "%02x ", data[i]); } GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - dataLength <%lu> - data <%s>\n", dataLength, strData); GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - output <%p>\n", output); GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - outputLength <%lu>\n", outputLength); {% endhighlight %} The attacker might control the data which is to be decrypted, but exploitation is limited by the sprintf() format string. Workarounds - ----------- None Timeline ======== 2018-02-03 Issues found 2018-05-22 Vendor contacted 2018-05-22 Automated vendor reply 2018-05-23 Personal vendor reply 2018-06-05 Requesting technical feedback from the vendor 2018-06-22 Vendor states that the bugs are fixed in public git 2018-07-12 CVE IDs assigned 2018-08-03 https://smartcardservices.github.io/security/ updated 2018-08-11 Advisory released - -- X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen T: +49 241 9809418-0, Fax: -9 Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989 Geschäftsführer: Markus Vervier -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAlty3ScACgkQo5Klpg50 CxCRNQ/+I+0oXn6oWXNARh+qU+fBxuUx8ydAIgDvEeBQddHAWaHQpVzkE7xgSZbg wUsmCMGEvAd6Jvfc4rH1gHy3jHl4zdLs7XDSslYUC3hc+BgsfvSR078+zNzzZ1yX 7Fe4vpq2Oep4Vbq2Y8wBrh5zui4PoS2afFRHKY5KaEKuzfvQGOS5WcKdFwm0WZNB 4l+b3ie/v2pBA7/YglYACyNkZU8bsNDAumuVeMP5MFdT0S88eE4hCwo3QJ1GurR5 4L5B+QDUwbMCA4pgH5ifOpdgDtHTLnYvoIKZGPT8Vu7lbjlHCdFKOjw52aiBqaHo iac/RBE8EzWjmeqE9UbHB6U0PeFdWbjVGhlPNBn1wErwyj18hK2rZRIJR0kGdBXU +1SXhxYbR4a2pB4VQcIpqWSQqgMe3IwoXIPpY5IIZwV/StjZ6/mnRMxZgiF7JnPQ OgI/F2AWFryJWtEtQ6gXAGEE2dkInVALo0ym509d5gRkkfAcoJXpSM3oa3BcOanV DJ3tMIE0H8UKXwL3EvRn02TvuZpbtvSDUyZniBl9vl5FMQJCK8Zh++jX9dOvplsR a/Ytuxt4KWFtuzU/gaQ5BjBHS80m9M7HJzMMohYY60Yyr4aczZxd8/8lZpggMNKE gDrded2INA+9ybxlcnWpSTIoD+Cl034kCqOWcjVzWW6/tYIiN+Q= =9tdn -----END PGP SIGNATURE-----
