| Type | EMV L2 kernel buffer overflow |
|------|-------------------------------|
A buffer overflow can be induced in affected point-of-sale (POS) terminals by using the status byte in the Europay, MasterCard and Visa (EMV) communication stream to repetitively write data packets into POS memory. A certain status byte tells the POS device that more data is available to be read, which causes it to request that data from the integrated circuit card (ICC). If the ICC repeatedly returns this status byte after each transmission of data, instead of the "process completed" status byte, the allocated buffer on the POS terminal can be exceeded, corrupting memory. Using this technique, malicious data can be placed in the POS device's memory and used to achieve code execution with full privileges.
A malicious payload can be executed on the POS terminal with full privileges via an inserted ICC.
The EMV kernel does not manage its allocated memory safely: when the aforementioned status byte is used to repetitively transfer data to the POS device, the kernel keeps writing past the buffer and program memory is overwritten.
No interim workaround is feasible; please see the solution section below.
An EMV kernel update addressing the aforementioned memory management issue is required.
At certain locations in an EMV communication stream between a POS device and an ICC, the "process completed" status bytes 0x90 0x00 can be replaced with the status bytes 0x61 0xXX (where 0xXX is any value less than 0xFF). The POS terminal then responds with another request for data (up to 254 bytes), which is subsequently supplied by the ICC. Instead of terminating this segment of data with the status bytes 0x90 0x00, the ICC again sends 0x61 0xXX, causing another request for data by the POS device. This process can be repeated until a buffer overflow occurs, allowing a malicious payload to be loaded into the POS device's memory in 254-byte data segments. Once the allocated buffer space is exhausted, sensitive control structures on the stack are overwritten and can be used to redirect execution to the malicious payload provided earlier in the communication stream. The above discussion is summarised in the following figure.
An example of an EMV communication stream, implementing the aforementioned exploit on the PowaPIN device from PowaPOS, is shown below.
No error log information is displayed on the aforementioned device. The same exploit was also performed on the Verifone VX810 POS device; its crash error log is shown in the image below.
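As an added illustration (not part of this advisory and not the vendor's kernel code), the following C model shows the POS-side receive loop with the bound the affected kernel lacks: a constructed card stand-in answers every GET RESPONSE with a 254-byte segment followed by either 0x90 0x00 or 0x61 0xXX, and the loop refuses any segment that does not fit in the remaining space of its fixed buffer instead of copying past its end. The buffer size, the card model and all function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define RESP_BUF_SIZE 1024  /* assumed size of the kernel's response buffer */
#define MAX_CHUNK      254  /* bytes per GET RESPONSE segment, as in the advisory */

/* Constructed stand-in for the card: every GET RESPONSE yields MAX_CHUNK filler
 * bytes followed by 61 XX ("more available") or 90 00 ("process completed").
 * chains_remaining = -1 models a card that never stops answering 61 XX. */
typedef struct { int chains_remaining; } sim_icc_t;

static size_t icc_get_response(sim_icc_t *icc, uint8_t *out, uint8_t *sw1, uint8_t *sw2)
{
    memset(out, 0xAA, MAX_CHUNK);                 /* constructed payload bytes */
    if (icc->chains_remaining == 0) {
        *sw1 = 0x90; *sw2 = 0x00;                 /* process completed */
    } else {
        if (icc->chains_remaining > 0) icc->chains_remaining--;
        *sw1 = 0x61; *sw2 = MAX_CHUNK;            /* more data available */
    }
    return MAX_CHUNK;
}

/* Bounds-checked receive loop: each segment is checked against the space left
 * in the fixed buffer before it is copied. Without this check the loop would
 * keep copying past the end of buf for as long as the card answers 61 XX.
 * Returns bytes received, -1 if a segment would overflow, -2 on a bad status. */
int receive_response(sim_icc_t *icc, uint8_t *buf, size_t buf_size)
{
    uint8_t chunk[MAX_CHUNK];
    size_t used = 0;
    uint8_t sw1, sw2;
    do {
        size_t n = icc_get_response(icc, chunk, &sw1, &sw2);
        if (n > buf_size - used)      /* the check the vulnerable kernel lacks */
            return -1;
        memcpy(buf + used, chunk, n);
        used += n;
    } while (sw1 == 0x61);
    return (sw1 == 0x90 && sw2 == 0x00) ? (int)used : -2;
}

/* Drive the loop against a card that chains 61 XX `chains` times (-1 = forever). */
int run_card(int chains)
{
    sim_icc_t icc = { chains };
    uint8_t buf[RESP_BUF_SIZE];
    return receive_response(&icc, buf, sizeof buf);
}
```

A card that chains three times delivers 1016 bytes and is accepted; one that chains four or more times (or never stops) is rejected at the fifth segment, where the unchecked loop would already be writing beyond the buffer.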
| Date | Event |
|------|-------|
| 2015-01-16 | Issue reported to PowaPOS |
| 2015-08-28 | Issue confirmed by PowaPOS |
| 2016-06-21 | Issue reported to EMVCo |
| 2016-07-28 | Issue reported to Verifone |
| 2016-08-06 | Issue confirmed and resolved in new devices by Verifone |