The classic spy movie hacking sequence: The spy inserts a magic smartcard provided by the agency technicians into the enemy's computer, ...the screen unlocks... What we all laughed about is possible!
Smartcards are secure and trustworthy. This is the idea smartcard driver developers have in mind when developing drivers and smartcard software. The work presented in this talk not only challenges, but crushes this assumption by attacking smartcard drivers using malicious smartcards.
A fuzzing framework for *nix and Windows is presented along with some interesting bugs found by auditing and fuzzing smartcard drivers and middleware. Among them classic stack and heap buffer overflows, double frees, but also a replay attack against smartcard authentication.
Since smartcards are used in the authentication process, a lot of vulnerabilities can be triggered by an unauthenticated user, in code running with high privileges. During the authors research, bugs were discovered in OpenSC (EPass, PIV, OpenPGP, CAC, Cryptoflex,...), YubiKey drivers, pam_p11, pam_pkc11, Apple smartcardservices...
Eric Sesterhenn is working as an IT Security consultant for more than 15 years, working mostly in the areas of source code auditing and penetration testing. His experience in the field includes: Identified vulnerabilities in various software projects including the Linux kernel, X.org and multiple IoT Operating Systems Speaker at nullcon 2018, Internet of Teens (Issues in IoT Operating Systems) Speaker at 30C3 about fingerprinting Java web-applications (lightning talk). Part of the winning team of the Deutsche Post Security Cup 2013.