Vulnerabilities
Database Components
The database, or the middleware's handling of the database, is one of the areas where vulnerabilities may arise.
RFID middleware systems generally use a database to store information that is read from tags and written to them. If the middleware does not treat the data read from the tag correctly, it may be possible to trick the database into executing SQL code that is stored on the tag. This is known as SQL injection.
Normally, the tag's data should not be interpreted as code, but programming
errors in the middleware may make it possible. If the middleware inserts
the data in an SQL query, without escaping it properly, the data can modify
the query. Usually, this involves including a quote in the data, which
is interpreted by the SQL parser as ending a section of data and starting
the next section of code. The data following the quote is then interpreted
as code.
As an example, consider the following query:
|
Query 1 - Unescaped query
|
If the tag's data contains the following:
|
Exploit 1 - Simple SQL injection
|
Web-Based Components
Many middleware systems use web-based components, for example to provide a user-interface, or to query databases in different parts of the world. These web-based components may also be vulnerable to attacks.
If a web browser is used to display that from tags - either directly
or indirectly, through the database - it may be possible to abuse the dynamic
features offered by modern browsers, by including Javascript code on the
tag. An example Javascript command is shown in Exploit
2.
|
Exploit 2 - Using client-side scripting to exploit
WMF-bug
|
Another way in which web-based components may be exploited, is through
server-side includes (SSI). SSI is a technology that allows webpages to
be generated on the fly, by executing commands on the webserver when a
webpage is requested. By including SSI commands on a tag, it may be possible
to trick the webserver into executing malicious code, using SSI's exec
command, as in Exploit 3.
|
Exploit 3 - SSI exec command
|
Glue Code
The code that ties the RFID reader interface to the middleware is likely to be written in a low-level language such as C or C++. Any code written in such a language may be vulnerable to buffer overflows.
It may seem counterintuitive that RFID tags with their limited memory
could cause a buffer overflow, but this may still be possible if the middleware
expects to read only small amounts of data. Most RFID tags include information
on the amount of memory they contain. If the reader code uses this information
to determine the amount of data to read, it may read more data than expected,
causing its buffer to overflow. Simply using fixed-size tags is not enough
to prevent buffer overflows, as attackers may introduce unauthorized tags.
An example overflow is shown in Exploit
4.
Exploit 4 - Executing shell commands using a
buffer overflow
|
|||||||||||||||||||||
The actual exploit takes part in the last two rows, which are explained
below.
Table 1 - Buffer overflow details
|
If string-handling functions are used to copy the tag's data, it is
impossible to include 0-bytes in the buffer overflow, which limits the
scope of the attack. In this case, it is impossible to include addresses
in the attack, which means that it is difficult to craft code that will
run from the stack. On little-endian systems, it is still possible to do
some damage, as the string's terminating 0-byte can be used to form a single
address. This address can be used to jump to existing code, as in Exploit
5.
|
Apples' WHERE TagId='0123456789ABCDEF'-- ... \xF0\xB2\x40
Exploit 5 - Buffer overflow
|
|
|||||||||||||||
| Last modified: Thursday, 02 March 2006 19:53, CET | |||||||||||||||
