Platinum Secure smartcard security bypass
========================================================
- Platinum Secure Smart Card security bypass technique -
========================================================
Vendor: http://360degreeweb.com
Vendor informed: nope...but Acer were
Impact : pretty high
Vulnerable Systems
------------------
Acer TravelMate C300
Acer TravelMate 8100
Other systems may also be affected.
========================================================
Quick Background
----------------
These Acer notebooks include a smart card reader, two smartcards and a security
application called Platinum Secure. The smart card security system should
prevent access to the console while the smart card is not present or when
password has not been entered. This test was conducted on the aforementioned
notebooks with the latest versions of the software downloaded from the Acer
website and the latest BIOS upgrade.
Description of Vulnerability
----------------------------
When a user removes his smart card from the machine it activates the 'locking
mechanism' and splashes a nice big picture of your soon to be rendered almost
useless smart card saying "Please insert your <make of machine> Smart Card". I
had to use different techniques for both notebooks as the TravelMate 8100 gave
me less to work with so I will explain the method I used on either notebook.
Acer TravelMate C300 with Windows XP:
The easiest of the two. I was able to Ctrl-Esc to give me a brief one second
view of the Windows Start menu. From there I was able to click on the Run
button which went into the background. From there I could Alt-Tab to focus the
Run box and quickly type in 'cmd' for a command prompt. (I find it's easier
just to hold down Windows key and push 'R'). The command prompt would also go
into the background but could be bought up (one second at a time) to the
foreground by Alt-Tab'ing again. From there managed to type in "taskkill /f /im
pcard.exe" (older versions may be pccard.exe) which killed the screen locking
process and gave me full access to the desktop (minus the taskbar).
Acer TravelMate 8100 with Windows XP:
With this notebook I was unable to Ctrl-Esc, Alt-Tab or bring up anything that
gave me the inclination that I was able to focus anything in the background.
However I was able to run Internet Explorer using the very helpful Web button
on the notebook. From there I could Alt-Tab or Alt-Esc and get into the
filesystem. From there I browsed through to C:\Windows\System32 and ran
"cmd.exe". After running that the command prompt window was statically focused
and I did not need to Alt-Tab to bring it back. From there I ran "taskkill /f
/im pcard.exe" and again was given access to the desktop (minus the taskbar).
Note - This is not a new vulnerability but it seems the old one hasn't been
fixed properly. The original post can be found on
http://www.securityfocus.com/archive/1/319219 .
========================================================
Short term solution
-------------------
Lock the Windows desktop before removing the smartcard.
========================================================
Vendor Response
---------------
Initial reponse: "That's impossible"
Follow up response: "We are currently working on the problem."
========================================================
Disclaimer
----------
In no event shall I be liable for any damages, anytime, anywhere, ever.
Greets:
-------
luca, reapster, plunkett. HI MOM!
========================================================