Bugtraq: Platinum Secure smartcard security bypass

[acidemon () gmail com]

========================================================
- Platinum Secure Smart Card security bypass technique -
========================================================


Vendor: http://360degreeweb.com

Vendor informed: nope...but Acer were
Impact : pretty high

Vulnerable Systems
------------------

Acer TravelMate C300
Acer TravelMate 8100

Other systems may also be affected.

========================================================

Quick Background
----------------

These Acer notebooks include a smart card reader, two smartcards and a security application called Platinum Secure. The 
smart card security system should prevent access to the console while the smart card is not present or when password 
has not been entered. This test was conducted on the aforementioned notebooks with the latest versions of the software 
downloaded from the Acer website and the latest BIOS upgrade.

Description of Vulnerability
----------------------------

When a user removes his smart card from the machine it activates the 'locking mechanism' and splashes a nice big 
picture of your soon to be rendered almost useless smart card saying "Please insert your <make of machine> Smart Card". 
I had to use different techniques for both notebooks as the TravelMate 8100 gave me less to work with so I will explain 
the method I used on either notebook.

Acer TravelMate C300 with Windows XP:

The easiest of the two. I was able to Ctrl-Esc to give me a brief one second view of the Windows Start menu. From there 
I was able to click on the Run button which went into the background. From there I could Alt-Tab to focus the Run box 
and quickly type in 'cmd' for a command prompt. (I find it's easier just to hold down Windows key and push 'R'). The 
command prompt would also go into the background but could be bought up (one second at a time) to the foreground by 
Alt-Tab'ing again. From there managed to type in "taskkill /f /im pcard.exe" (older versions may be pccard.exe) which 
killed the screen locking process and gave me full access to the desktop (minus the taskbar).

Acer TravelMate 8100 with Windows XP:

With this notebook I was unable to Ctrl-Esc, Alt-Tab or bring up anything that gave me the inclination that I was able 
to focus anything in the background. However I was able to run Internet Explorer using the very helpful Web button on 
the notebook. From there I could Alt-Tab or Alt-Esc and get into the filesystem. From there I browsed through to 
C:\Windows\System32 and ran "cmd.exe". After running that the command prompt window was statically focused and I did 
not need to Alt-Tab to bring it back. From there I ran "taskkill /f /im pcard.exe" and again was given access to the 
desktop (minus the taskbar).




Note - This is not a new vulnerability but it seems the old one hasn't been fixed properly. The original post can be 
found on http://www.securityfocus.com/archive/1/319219 . 

========================================================
Short term solution
-------------------

Lock the Windows desktop before removing the smartcard.

========================================================

Vendor Response
---------------

Initial reponse: "That's impossible"
Follow up response: "We are currently working on the problem."

========================================================

Disclaimer
----------

In no event shall I be liable for any damages, anytime, anywhere, ever.


Greets:
-------

luca, reapster, plunkett. HI MOM!

========================================================