EMV Repeated Request for Data Buffer Overflow

Product: PowaPOS, Verifone
Severity: High
CVE Reference: N.A.
Type: EMV L2 kernel buffer overflow

Description

A buffer overflow can be induced in affected point-of-sale (POS) terminals by using the status byte in the Europay, MasterCard and Visa (EMV) communication stream to write data packets repeatedly into POS memory. A particular status byte tells the POS device that more data is available to be read, which causes it to request that data from the integrated circuit card (ICC). If the ICC keeps returning this status byte after each transmission of data, instead of the “process completed” status byte, the size of the buffer allocated on the POS terminal can be exceeded, corrupting memory. Using this technique, malicious data can be placed in the POS device’s memory and lead to code execution with full privileges.

Impact

A malicious payload can be executed on the POS terminal with full privileges via an inserted ICC.

Cause

The EMV kernel does not manage allocated memory safely and, as a result, in the case where the aforementioned status byte is used to repetitively transfer data to the POS device, program memory is overwritten.

Interim Workaround

An interim workaround is not feasible; please see the solution section below.

Solution

An EMV kernel update addressing the aforementioned memory management issue is required.

Technical details

At certain locations in an EMV communication stream between a POS device and an ICC, the “process completed” status bytes 0x90 0x00 can be replaced with the status bytes 0x61 0xXX (where 0xXX is any value less than 0xFF). The POS terminal then responds with another request for data (up to 254 bytes), which the ICC subsequently supplies. The ICC then, instead of terminating this segment of data with the status bytes 0x90 0x00, again sends the status bytes 0x61 0xXX, causing another request for data by the POS device. This process can be repeated until a buffer overflow occurs, allowing a malicious payload to potentially be loaded into the POS device’s memory in 254-byte data segments. Once the allocated buffer space is exhausted, sensitive control structures on the stack are overwritten and can be used to redirect execution to the malicious payload provided earlier in the communication stream. The above discussion is summarised in the following figure.

[Figure: EMV communication stream diagram]
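The defensive counterpart of the mechanism described above, as an added example that is not from this advisory nor from either vendor's EMV kernel: a bounded response accumulator in C that handles the 0x61 0xXX / GET RESPONSE chain the way a hardened kernel should. Each chunk is bounds-checked before it is copied, a chunk larger than the announced length is rejected, and the chain is cut off after a fixed number of rounds. The buffer size, the round cap and the two simulated cards (one well-behaved, one that answers 0x61 forever) are assumptions constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes; a real kernel would use whatever it actually allocated. */
#define RESP_BUF_SIZE    1024  /* bytes reserved for one complete response */
#define MAX_CHAIN_ROUNDS 8     /* hard cap on 0x61 follow-up GET RESPONSE rounds */

enum read_status {
    READ_OK                  = 0,
    READ_ERR_OVERFLOW        = -1,  /* next chunk would not fit the buffer */
    READ_ERR_TOO_MANY_ROUNDS = -2,  /* card kept answering 0x61 */
    READ_ERR_CARD            = -3   /* unexpected status or oversized chunk */
};

/* One response APDU from the card: data bytes followed by SW1 SW2. */
typedef struct {
    const uint8_t *data;
    size_t len;
    uint8_t sw1, sw2;
} apdu_resp_t;

/* Simulated card interface: 'le' is the Le byte of the GET RESPONSE
 * (0 on the first call, which stands for the reply to the original command). */
typedef apdu_resp_t (*card_fn)(void *ctx, uint8_t le);

/* Bounded accumulator: copies chunks into 'out' only while they fit and
 * stops the 0x61 chain after MAX_CHAIN_ROUNDS follow-ups. */
int emv_read_response(card_fn card, void *ctx, uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t total = 0, expected = 0;   /* expected == 0: no announced length yet */
    unsigned rounds = 0;
    apdu_resp_t r = card(ctx, 0);

    for (;;) {
        if (expected != 0 && r.len > expected)   /* more data than requested */
            return READ_ERR_CARD;
        if (r.len > out_cap - total)             /* check BEFORE copying */
            return READ_ERR_OVERFLOW;
        memcpy(out + total, r.data, r.len);
        total += r.len;

        if (r.sw1 == 0x90 && r.sw2 == 0x00) {    /* process completed */
            *out_len = total;
            return READ_OK;
        }
        if (r.sw1 != 0x61)                       /* any other status: abort */
            return READ_ERR_CARD;
        if (++rounds > MAX_CHAIN_ROUNDS)
            return READ_ERR_TOO_MANY_ROUNDS;

        /* ISO 7816-4 GET RESPONSE (00 C0 00 00 Le) with Le = SW2; 0x00 means 256. */
        expected = r.sw2 ? r.sw2 : 256;
        r = card(ctx, r.sw2);
    }
}

/* Constructed test doubles standing in for an ICC. */
typedef struct { int calls; uint8_t chunk[254]; } sim_card_t;

/* Well-behaved card: 200 bytes + 0x61 0x20, then the remaining 32 bytes + 0x90 0x00. */
static apdu_resp_t honest_card(void *ctx, uint8_t le)
{
    sim_card_t *c = ctx;
    (void)le;
    c->calls++;
    memset(c->chunk, 0x42, sizeof c->chunk);
    if (c->calls == 1) { apdu_resp_t r = { c->chunk, 200, 0x61, 0x20 }; return r; }
    apdu_resp_t r = { c->chunk, 32, 0x90, 0x00 };
    return r;
}

/* Misbehaving card: answers every request with 254 bytes + 0x61 0xFE, without end. */
static apdu_resp_t greedy_card(void *ctx, uint8_t le)
{
    sim_card_t *c = ctx;
    (void)le;
    c->calls++;
    memset(c->chunk, 0x41, sizeof c->chunk);
    apdu_resp_t r = { c->chunk, 254, 0x61, 0xFE };
    return r;
}

int g_last_calls = 0;   /* how many responses the last run consumed */

/* Returns the number of bytes accepted on success, or the negative error code. */
int run_card(card_fn card)
{
    sim_card_t c = { 0 };
    uint8_t buf[RESP_BUF_SIZE];
    size_t n = 0;
    int rc = emv_read_response(card, &c, buf, sizeof buf, &n);
    g_last_calls = c.calls;
    return rc == READ_OK ? (int)n : rc;
}

int main(void)
{
    int rc = run_card(honest_card);
    printf("honest card: %d bytes in %d responses\n", rc, g_last_calls);
    rc = run_card(greedy_card);
    printf("greedy card: status %d after %d responses\n", rc, g_last_calls);
    return 0;
}
```

With the 1024-byte buffer the greedy card is refused on its fifth 254-byte chunk (1016 bytes already stored), before any byte is written past the allocation; the round cap is a second, independent stop for cards that announce small chunks but never send 0x90 0x00.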

An example of an EMV communication stream, implementing the aforementioned exploit on the PowaPIN device from PowaPOS, is shown below.

Notation used:

  • Data sent from the POS device – (-->)
  • Data sent from the ICC – (:)
  • Command header – [CLA INS P1 P2 P3]

[Code listing: example EMV communication stream on the PowaPIN device (not reproduced here)]

No error log information is displayed on the aforementioned device. The same exploit was also performed on the Verifone VX810 POS device; its crash error log is shown in the image below.

[Image: Verifone VX810 crash error log]

Detailed Timeline


Date        Summary
2015-01-10  Issue discovered
2015-01-16  Issue reported to PowaPOS
2015-08-28  Issue confirmed by PowaPOS
2016-06-21  Issue reported to EMVCo
2016-07-28  Issue reported to Verifone
2016-08-06  Issue confirmed and resolved in new devices by Verifone