mailing list archives
Platinum Secure smartcard security bypass
From: acidemon () gmail com
Date: 22 Sep 2005 09:49:38 -0000
- Platinum Secure Smart Card security bypass technique -
Vendor informed: nope...but Acer were
Impact : pretty high
Acer TravelMate C300
Acer TravelMate 8100
Other systems may also be affected.
These Acer notebooks include a smart card reader, two smartcards and a security application called Platinum Secure. The
smart card security system should prevent access to the console while the smart card is not present or when password
has not been entered. This test was conducted on the aforementioned notebooks with the latest versions of the software
downloaded from the Acer website and the latest BIOS upgrade.
Description of Vulnerability
When a user removes his smart card from the machine it activates the 'locking mechanism' and splashes a nice big
picture of your soon to be rendered almost useless smart card saying "Please insert your <make of machine> Smart Card".
I had to use different techniques for both notebooks as the TravelMate 8100 gave me less to work with so I will explain
the method I used on either notebook.
Acer TravelMate C300 with Windows XP:
The easiest of the two. I was able to Ctrl-Esc to give me a brief one second view of the Windows Start menu. From there
I was able to click on the Run button which went into the background. From there I could Alt-Tab to focus the Run box
and quickly type in 'cmd' for a command prompt. (I find it's easier just to hold down Windows key and push 'R'). The
command prompt would also go into the background but could be bought up (one second at a time) to the foreground by
Alt-Tab'ing again. From there managed to type in "taskkill /f /im pcard.exe" (older versions may be pccard.exe) which
killed the screen locking process and gave me full access to the desktop (minus the taskbar).
Acer TravelMate 8100 with Windows XP:
With this notebook I was unable to Ctrl-Esc, Alt-Tab or bring up anything that gave me the inclination that I was able
to focus anything in the background. However I was able to run Internet Explorer using the very helpful Web button on
the notebook. From there I could Alt-Tab or Alt-Esc and get into the filesystem. From there I browsed through to
C:\Windows\System32 and ran "cmd.exe". After running that the command prompt window was statically focused and I did
not need to Alt-Tab to bring it back. From there I ran "taskkill /f /im pcard.exe" and again was given access to the
desktop (minus the taskbar).
Note - This is not a new vulnerability but it seems the old one hasn't been fixed properly. The original post can be
found on http://www.securityfocus.com/archive/1/319219 .
Short term solution
Lock the Windows desktop before removing the smartcard.
Initial reponse: "That's impossible"
Follow up response: "We are currently working on the problem."
In no event shall I be liable for any damages, anytime, anywhere, ever.
luca, reapster, plunkett. HI MOM!
- Platinum Secure smartcard security bypass acidemon (Sep 22)