Peter Wu discovered that a use-after-free in the pscd PC/SC daemon of PCSC-Lite might result in denial of service or potentially privilege escalation.
I worked with Peter Wu to review and apply his proposed patches. The problem is already fixed in version 1.8.20 of pcsc-lite released 30th December 2016. You should update your pcsc-lite or get a fixed version from your GNU/Linux distribution.
CVE-2016-10109The CVE is not yet public from Common Vulnerabilities and Exposures page CVE-2016-10109 but you can get a copy of the CVE creation request from the oss-sec mailing list archive at CVE Request: pcsc-lite use-after-free and double-free. Bellow is a re-formatted version:
From: Peter Wu
Date: Tue, 3 Jan 2017 13:06:42 +0100
PCSC-Lite >= 1.6.0, < 1.8.20
PCSC-Lite is a middleware to access a smart card using the SCard API (PC/SC). It can be used with GnuPG, OpenSC and others for hardware like the Nitrokey and Yubikey. These software use a client library (libpcsclite) which communicate with a daemon (pcscd) that actually accesses the hardware.
The SCardReleaseContext function normally releases resources associated with the given handle (including "cardsList") and clients should cease using this handle. A malicious client can however make the daemon invoke SCardReleaseContext and continue issuing other commands that use "cardsList", resulting in a use-after-free. When SCardReleaseContext is invoked multiple times, it additionally results in a double-free of "cardsList".
The issue allows a local attacker to cause a Denial of Service, but can potentially result in Privilege Escalation since the daemon is running as root while any local user can connect to the Unix socket.
Fixed by patch "SCardReleaseContext: prevent use-after-free of cardsList" which is released with pcsc-lite 1.8.20 on 30 December 2016.
This issue was discovered and fixed by Peter Wu (peter () lekensteyn nl).
The issue is confirmed for:
- Arch Linux (1.8.18-1)
- CentOS 7 (1.8.8-6.el7)
- Debian Jessie (1.8.13-1)
$ python pcscd-doublefree-poc.py run/pcscd.comm [*] Sending SCARD_RELEASE_CONTEXT [*] Request succeeded, possible vulnerable [*] Sending SCARD_RELEASE_CONTEXT (2) [+] Daemon crashed, it is vulnerable! $ sbin/pcscd --foreground --debug ... 00000167 winscard_svc.c:337:ContextThread() Authorized PC/SC client 00000011 winscard_svc.c:341:ContextThread() Thread is started: dwClientID=6, threadContext @0x610000007f40 00000009 winscard_svc.c:359:ContextThread() Received command: RELEASE_CONTEXT from client 6 00000008 winscard.c:226:SCardReleaseContext() Releasing Context: 0x0 00000008 winscard_svc.c:470:ContextThread() RELEASE_CONTEXT rv=0x0 for client 6 00000088 winscard_svc.c:359:ContextThread() Received command: RELEASE_CONTEXT from client 6 00000012 winscard.c:226:SCardReleaseContext() Releasing Context: 0x0 ================================================================= ==11540==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000d728 at pc 0x000000410490 bp 0x7f34ab4dd920 sp 0x7f34ab4dd910 READ of size 8 at 0x60300000d728 thread T2 #0 0x41048f in list_clear src/simclist.c:634 #1 0x4108ba in list_destroy src/simclist.c:303 #2 0x41843e in MSGRemoveContext src/winscard_svc.c:884 #3 0x4194f3 in ContextThread src/winscard_svc.c:468