<<< Date Index >>>     <<< Thread Index >>>

Platinum Secure smartcard security bypass



========================================================
- Platinum Secure Smart Card security bypass technique -
========================================================


Vendor: http://360degreeweb.com

Vendor informed: nope...but Acer were
Impact : pretty high

Vulnerable Systems
------------------

Acer TravelMate C300
Acer TravelMate 8100

Other systems may also be affected.

========================================================

Quick Background
----------------

These Acer notebooks include a smart card reader, two smartcards and a security 
application called Platinum Secure. The smart card security system should 
prevent access to the console while the smart card is not present or when 
password has not been entered. This test was conducted on the aforementioned 
notebooks with the latest versions of the software downloaded from the Acer 
website and the latest BIOS upgrade.

Description of Vulnerability
----------------------------

When a user removes his smart card from the machine it activates the 'locking 
mechanism' and splashes a nice big picture of your soon to be rendered almost 
useless smart card saying "Please insert your <make of machine> Smart Card". I 
had to use different techniques for both notebooks as the TravelMate 8100 gave 
me less to work with so I will explain the method I used on either notebook.

Acer TravelMate C300 with Windows XP:

The easiest of the two. I was able to Ctrl-Esc to give me a brief one second 
view of the Windows Start menu. From there I was able to click on the Run 
button which went into the background. From there I could Alt-Tab to focus the 
Run box and quickly type in 'cmd' for a command prompt. (I find it's easier 
just to hold down Windows key and push 'R'). The command prompt would also go 
into the background but could be bought up (one second at a time) to the 
foreground by Alt-Tab'ing again. From there managed to type in "taskkill /f /im 
pcard.exe" (older versions may be pccard.exe) which killed the screen locking 
process and gave me full access to the desktop (minus the taskbar).

Acer TravelMate 8100 with Windows XP:

With this notebook I was unable to Ctrl-Esc, Alt-Tab or bring up anything that 
gave me the inclination that I was able to focus anything in the background. 
However I was able to run Internet Explorer using the very helpful Web button 
on the notebook. From there I could Alt-Tab or Alt-Esc and get into the 
filesystem. From there I browsed through to C:\Windows\System32 and ran 
"cmd.exe". After running that the command prompt window was statically focused 
and I did not need to Alt-Tab to bring it back. From there I ran "taskkill /f 
/im pcard.exe" and again was given access to the desktop (minus the taskbar).




Note - This is not a new vulnerability but it seems the old one hasn't been 
fixed properly. The original post can be found on 
http://www.securityfocus.com/archive/1/319219 . 

========================================================
Short term solution
-------------------

Lock the Windows desktop before removing the smartcard.

========================================================

Vendor Response
---------------

Initial reponse: "That's impossible"
Follow up response: "We are currently working on the problem."

========================================================

Disclaimer
----------

In no event shall I be liable for any damages, anytime, anywhere, ever.


Greets:
-------

luca, reapster, plunkett. HI MOM!

========================================================