HID ActivID ActivClient 7.1.0.202 Heap Spray / Denial Of Service

2018.10.27
Credit: Harrison Neal
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

HID ActivID ActivClient 7.1.0.202 may not enforce upper bounds on the size of data received from a smart card, which can lead to attacks such as memory exhaustion, or serve as a heap spraying primitive for other attacks against the software, albeit slowly. For example, when running Advanced Diagnostics with an "Oberthur ID-One PIV" smart card, part of the back and forth can look like the following: > CLA=00 INS=cb P1=3f P2=ff Lc=05 [5 data bytes] Le=00 < [the first 256 byte block of metadata and an X.509 certificate] < SW1=61 SW2=00 [the following request and response repeats as much as necessary] > CLA=00 INS=c0 P1=00 P2=00 Le=00 < [the next 256 byte block] < SW1=61 SW2=00 [the prior request and response repeats as much as necessary] > CLA=00 INS=c0 P1=00 P2=00 Le=00 < [the second to last block] < SW1=61 SW2=[number of remaining bytes in last block] > CLA=00 INS=c0 P1=00 P2=00 Le=[number of remaining bytes in last block] < [remaining bytes] < SW1=90 SW2=00 So long as a malicious card responds with SW1=61 and SW2=00, the loop above appears to continue indefinitely, with the software being unresponsive to the "Cancel" button and continuously consuming additional memory. This was tested for several hours on a Windows 10 workstation with an Omnikey 3021 smart card reader. HID may wish to have their software break the above loop (and those like it) after an excessive number of blocks have been received.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top