santomet/pv204_project

🟠 Security Vulnerability: Message to terminate session has no effect, last session can be reused

mvondracek opened this issue · 0 comments

  • Severity: MEDIUM
  • Vulnerability Class: loss of perfect forward secrecy
  • Description: The designed protocol defines an APDU with the INS_END_SESSION instruction, which is intended to be used by the user to terminate the current secure session and clear all secrets. However, when the applet receives this instruction, it does not terminate the session and it fails to securely erase the session key. We provide example code which sends the instruction to terminate the current session and demonstrates that it is possible to reuse the last session. The example is available in our forked repository. This way, the attacker can force the applet to use the old encryption key, which gives the attacker a much longer window for exploitation if the old key is compromised. Similar to #10.
  • Remediation: The applet must handle INS_END_SESSION instruction correctly and terminate current session. Session key must be securely deleted so it cannot be reused.
  • Location: applets/AlmostSecureApplet.java:295

Discovered by Team Emerald.

Please see example

send CLA_SIMPLEAPPLET(INS_END_SESSION)
--> B0030000
--> [B0030000] 4
<-- 9000
<-- 9000 [5 ms]
session terminated
Try to reuse last session.

from

Connecting to card...getInstance of assymetric algo: 10
getInstance of assymetric algo: 10 is OK!
 Done.
--> B0010000C4035EABDD828A54D5F74704A6875268FD6866549A0EDE96712A8794C7B25B6F4A580225CFD80AAFEA44652D6BE1463EF14033D39D37DE5D21B3793977153D6A1803E2A0B202A641CCF40E9C46F8EEEEC5F0EA514EC1A9156EC6934A463A72CECB94A10316A343D13F74BD98131C58B20B673BDE60B8C2979A2732339D548FAB04A4C6AC023B77B67A39FFCB6253324CA01E2E4869DB7B8E3D3D6A732C93B6D636F73E9C35D1FA616099EC702A65AB899D92DCC1AFCB581B8E540655429E04B14C127A8670C4
--> [B0010000C4035EABDD828A54D5F74704A6875268FD6866549A0EDE96712A8794C7B25B6F4A580225CFD80AAFEA44652D6BE1463EF14033D39D37DE5D21B3793977153D6A1803E2A0B202A641CCF40E9C46F8EEEEC5F0EA514EC1A9156EC6934A463A72CECB94A10316A343D13F74BD98131C58B20B673BDE60B8C2979A2732339D548FAB04A4C6AC023B77B67A39FFCB6253324CA01E2E4869DB7B8E3D3D6A732C93B6D636F73E9C35D1FA616099EC702A65AB899D92DCC1AFCB581B8E540655429E04B14C127A8670C4] 202
<-- 020D0E9F7148E4B84E96D6D4B8909712873CB5A06B690BF54C82140F32521C84AB03648B77D5D1808DA9DB2532B3182AA3D558800345A0ED219F07EEC5DACD77822C5E94BF2492D7FB65E71F895ECD63D97CDA2FE99FC3E2EC8670F43AFA65EF14EB0292FF7046D5FD84443D04BDF60C77FEEE05F12B3B25F028737A12013F6EC7A83A02969239DFF4ABA727FA69A4768663BCCAC1EC5616218A3838CC606F1CABB9490E80DC21D9E803378FBA82F22FCE9AA2E5D416BD8AEF0304BB583FAABFAB402ABF 9000 (196)
<-- 020D0E9F7148E4B84E96D6D4B8909712873CB5A06B690BF54C82140F32521C84AB03648B77D5D1808DA9DB2532B3182AA3D558800345A0ED219F07EEC5DACD77822C5E94BF2492D7FB65E71F895ECD63D97CDA2FE99FC3E2EC8670F43AFA65EF14EB0292FF7046D5FD84443D04BDF60C77FEEE05F12B3B25F028737A12013F6EC7A83A02969239DFF4ABA727FA69A4768663BCCAC1EC5616218A3838CC606F1CABB9490E80DC21D9E803378FBA82F22FCE9AA2E5D416BD8AEF0304BB583FAABFAB402ABF 9000 (196) [78 ms]
ZKP x3 OK.
ZKP x4 OK.
--> B002000062028229BA6F9148B6256FB65FD183F839A5B4D3631B0EA1E8FF57241A4C4E49B982038A20866A2CDB712D93C5FC27A3F09A215A4B09BA76536A5FE08B51F1CB08DE780A6D2B07D5D484B13DF516F3561C3F5A4F1D4FC989393EA4F8996B1F22F3C58562
--> [B002000062028229BA6F9148B6256FB65FD183F839A5B4D3631B0EA1E8FF57241A4C4E49B982038A20866A2CDB712D93C5FC27A3F09A215A4B09BA76536A5FE08B51F1CB08DE780A6D2B07D5D484B13DF516F3561C3F5A4F1D4FC989393EA4F8996B1F22F3C58562] 104
<-- 03AD1FFB84D8CA6BC66D2DA082C84C338B2A6615139F30B93FF492D70004721153027AEE4806AE0F2D0700444E49EE873638336AEA0CE0F2BFFB2FF41E066E124CB3BCE65BE17F12953EC61F931AA2843EB90C1A3DAA422AC94535283C9757BDCF0E 9000 (98)
<-- 03AD1FFB84D8CA6BC66D2DA082C84C338B2A6615139F30B93FF492D70004721153027AEE4806AE0F2D0700444E49EE873638336AEA0CE0F2BFFB2FF41E066E124CB3BCE65BE17F12953EC61F931AA2843EB90C1A3DAA422AC94535283C9757BDCF0E 9000 (98) [45 ms]
ZKP x4*s OK.
32
Encryption - decryption for outgoing works
--> B0040000F0852D0BD671542DEE4542C3ABA2CC4CAC364421666DD2C495C0DF4348A02435F8A87DB2CA0896B67684FC4C7FBC74B278FD76BB8F12D1DA0FD5350EA76B45D1C028454A398C0CF2FB8FA784E02931A3608F6C5A65DEAD08100842474E82A7F0EC686DAF76FDA923AD0003423843C06061C6C52ED89758FD0750915D40C9ADE6FCCD4E8415AA622021A9DF7F451D352710E94A8228DE6B360505CD0392CC17E5A80DE4A9E1B1FD10E48045EBD9A07134241FB8AFEEEDDB8EDBC4F4BF6A90785A24FB1657FB0DAF16F8D9AE5560BC8F2AE38AF270759111E7FC421BA0F6247A8F85B6FB2F1B7091502FFF486C6BB1F37074F0
--> [B0040000F0852D0BD671542DEE4542C3ABA2CC4CAC364421666DD2C495C0DF4348A02435F8A87DB2CA0896B67684FC4C7FBC74B278FD76BB8F12D1DA0FD5350EA76B45D1C028454A398C0CF2FB8FA784E02931A3608F6C5A65DEAD08100842474E82A7F0EC686DAF76FDA923AD0003423843C06061C6C52ED89758FD0750915D40C9ADE6FCCD4E8415AA622021A9DF7F451D352710E94A8228DE6B360505CD0392CC17E5A80DE4A9E1B1FD10E48045EBD9A07134241FB8AFEEEDDB8EDBC4F4BF6A90785A24FB1657FB0DAF16F8D9AE5560BC8F2AE38AF270759111E7FC421BA0F6247A8F85B6FB2F1B7091502FFF486C6BB1F37074F0] 246
<-- 5F48A03456D3B8CA45127F1358FC6039A2418C055450BE538FFA4168C410C5ACE74AEE8E022ACEA48F3A49CA46804D26DC9DB53DF8BBF99921A41180A1971277F8C0FACBEDB0550D13D87178FAD4A9B209A0C896E3F951168E412F29292B915C20A75A0F5EC0F28164D6A2705FA7EB19C3C45650ACD141E64D97A9A7FBAC90DC0DB6669868C5CBD7E087EA5A1A1E7375559A7B26C32CD4A7B73A003EB659F7380CD7B476790C2CD2C702FC06A5A7250B5F2E514E603E607DA0774B8B8B023CAA67E5D9888C10F29DA820705373390E638F4B2AEC07CF584BFE523122D21DF3E36A446BC768BB7D124652501B8BD62F63 9000 (240)
<-- 5F48A03456D3B8CA45127F1358FC6039A2418C055450BE538FFA4168C410C5ACE74AEE8E022ACEA48F3A49CA46804D26DC9DB53DF8BBF99921A41180A1971277F8C0FACBEDB0550D13D87178FAD4A9B209A0C896E3F951168E412F29292B915C20A75A0F5EC0F28164D6A2705FA7EB19C3C45650ACD141E64D97A9A7FBAC90DC0DB6669868C5CBD7E087EA5A1A1E7375559A7B26C32CD4A7B73A003EB659F7380CD7B476790C2CD2C702FC06A5A7250B5F2E514E603E607DA0774B8B8B023CAA67E5D9888C10F29DA820705373390E638F4B2AEC07CF584BFE523122D21DF3E36A446BC768BB7D124652501B8BD62F63 9000 (240) [11 ms]
Hash of "whate we have got here... Is a failiure in communication":
7173CF02896E250445911B02C2E91D3FF1768E38D106761F928C3F9C773E5D4E
send CLA_SIMPLEAPPLET(INS_END_SESSION)
--> B0030000
--> [B0030000] 4
<-- 9000
<-- 9000 [5 ms]
session terminated
Try to reuse last session.
--> B0040000F09338EAA730CAA8B017982851FA749C2957F50A8E16DD2AF8DC14C32BACAA0F85A027E723ACD34311881F78394C1393AFA85B10929829BB63E5FFFCF81CF0A581ED45B1E00C687B539BC3ED306DA3ED321B5E832F35D724F6918CF45F498125B3A99AACA073E9BB62F371C48B9C56CF2DCC8769A70242175FBF19EFD19AD401BDE71097D3A82337687CF056D87553DFA37C99E90B95AC285C182F680BF63E2E6EDCB543735A9A268E76E103E6FF7656FA9AB7A9F33C2D86A81F7DB0D48A635840732C85A0F4AB0E10BAB34334487EBE3ACAD2C03D2AEAF75D72EC7EEDD5D5F77F7BBA4389A96B03E0D2F8AABFD945E5E4F0
--> [B0040000F09338EAA730CAA8B017982851FA749C2957F50A8E16DD2AF8DC14C32BACAA0F85A027E723ACD34311881F78394C1393AFA85B10929829BB63E5FFFCF81CF0A581ED45B1E00C687B539BC3ED306DA3ED321B5E832F35D724F6918CF45F498125B3A99AACA073E9BB62F371C48B9C56CF2DCC8769A70242175FBF19EFD19AD401BDE71097D3A82337687CF056D87553DFA37C99E90B95AC285C182F680BF63E2E6EDCB543735A9A268E76E103E6FF7656FA9AB7A9F33C2D86A81F7DB0D48A635840732C85A0F4AB0E10BAB34334487EBE3ACAD2C03D2AEAF75D72EC7EEDD5D5F77F7BBA4389A96B03E0D2F8AABFD945E5E4F0] 246
<-- 984AECDD9048F0AEF5C8B349CCAD0D4CD216DFC9D42B411E2A8A436CD4FAF7B1C04F1C562F06A9971D9422A140A1AB789AF90AD55D554378C2F40B4119BC4C332DB7D3E69EA9CC591F51C32A58F93B3DBCFC616E9E2E57C120A01A774755150AE211DF4C9F66E055542D5A77E91BA225C2D548AF5522685FBAC7A6E11C2A385EA2951B9817AA7C9CD57B616E07E97CBCD26FDABC6E6CB8D61AE40CE9DDF5FE4EBBE2378F0864BECDAEAF94A6A410678C052516FF3B67C6D7FAD3781CB6866F7AD11327B8A0C7F25F62E3C0005DE1139EC6FE9635FD6EB0AC39E3200BA538E5A31B98CD165B44EB48AF3F61AFEEDE69C1 9000 (240)
<-- 984AECDD9048F0AEF5C8B349CCAD0D4CD216DFC9D42B411E2A8A436CD4FAF7B1C04F1C562F06A9971D9422A140A1AB789AF90AD55D554378C2F40B4119BC4C332DB7D3E69EA9CC591F51C32A58F93B3DBCFC616E9E2E57C120A01A774755150AE211DF4C9F66E055542D5A77E91BA225C2D548AF5522685FBAC7A6E11C2A385EA2951B9817AA7C9CD57B616E07E97CBCD26FDABC6E6CB8D61AE40CE9DDF5FE4EBBE2378F0864BECDAEAF94A6A410678C052516FF3B67C6D7FAD3781CB6866F7AD11327B8A0C7F25F62E3C0005DE1139EC6FE9635FD6EB0AC39E3200BA538E5A31B98CD165B44EB48AF3F61AFEEDE69C1 9000 (240) [15 ms]
Hash of "Hej zahoreli zore na tom nasom dvooore vstavaj suhaj rychlo hore sedlaj kone motorove":
D910FEC440547216D51779DAED498A99C90DB97F8A6CA89FE8707855B79C314E
--> B0030000
--> [B0030000] 4
<-- 9000
<-- 9000 [3 ms]