@y-x41 y-x41 commented Feb 9, 2022

Hey!

This PR adds support for performing the attack enabled by CVE-2021-34600. Details on how this attack works can be found on our blog.
This isn't 100% complete yet, but since I won't be able to work on this until March I am already creating a pull request so that anyone who's interested can play around with it or potentially provide some feedback in the meantime.

A few issues remain:

  • Cancelling the simulator via the Proxmark's button does not work properly. While it seems that the simulation is stopped, it's not possible to enter any new commands on the client side. The Proxmark needs to be power-cycled to get out of this state.
  • The current implementation only works for DESFire EV1/2 tags using AES keys. DES modes are not supported.
  • A free() in desfire_crypto.c had to be commented out due to linker errors.

y-x41 added 3 commits February 9, 2022 15:21

This commit fixes `mifare_cypher_single_block()` when used with `T_AES`. `mifare_cypher_single_block()` essentially re-implements CBC mode for all used ciphers by XOR-ing the IV with the data either before encryption or after decryption and using AES in ECB mode. However, for AES encryption `mbedtls_aes_crypt_cbc()` was then called to perform the en-/decryption operation, which then also XOR-ed the IV with the data, all of which resulted in the wrong en-/decryption of the data. This is fixed by replacing the call to `mbedtls_aes_crypt_cbc()` with a call to `mbedtls_aes_crypt_ecb()`.

Add support for performing the attack on systems affected by CVE-2021-34600. For this, this commit adds the commands `hf mfdesbrute get_challenge` and `hf mfdesbrute open_door`.
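The double XOR described in the first commit message above, as an added illustration that is not Proxmark3 or mbedtls code: a simple invertible byte transform stands in for AES so the example runs without mbedtls (assumption), `toy_cbc_encrypt` models the one-block behaviour of `mbedtls_aes_crypt_cbc()`, and the pre-fix path shows that XOR-ing the IV before calling a CBC primitive cancels the IV entirely, so the output equals a plain ECB encryption of the input.

```c
#include <stdint.h>
#include <string.h>

#define BLK 16

/* Stand-in for an AES-128 block operation (assumption: a simple invertible
 * byte transform, used only so the example runs without mbedtls). */
static void toy_ecb_encrypt(const uint8_t key[BLK], const uint8_t in[BLK], uint8_t out[BLK]) {
    for (int i = 0; i < BLK; i++)
        out[i] = (uint8_t)((in[i] ^ key[i]) + (uint8_t)(i * 7 + 3));
}

/* Models mbedtls_aes_crypt_cbc() on one block: the primitive XORs the IV itself. */
static void toy_cbc_encrypt(const uint8_t key[BLK], uint8_t iv[BLK], const uint8_t in[BLK], uint8_t out[BLK]) {
    uint8_t tmp[BLK];
    for (int i = 0; i < BLK; i++) tmp[i] = in[i] ^ iv[i];
    toy_ecb_encrypt(key, tmp, out);
    memcpy(iv, out, BLK);   /* CBC chaining: ciphertext becomes the next IV */
}

/* Pre-fix behaviour from the commit message: the caller XORs the IV, then
 * the CBC primitive XORs it again, so the IV cancels out. */
void single_block_encrypt_buggy(const uint8_t key[BLK], const uint8_t iv[BLK], const uint8_t in[BLK], uint8_t out[BLK]) {
    uint8_t tmp[BLK], iv_work[BLK];
    for (int i = 0; i < BLK; i++) tmp[i] = in[i] ^ iv[i];
    memcpy(iv_work, iv, BLK);
    toy_cbc_encrypt(key, iv_work, tmp, out);
}

/* Post-fix behaviour: XOR the IV once, then call the ECB primitive. */
void single_block_encrypt_fixed(const uint8_t key[BLK], const uint8_t iv[BLK], const uint8_t in[BLK], uint8_t out[BLK]) {
    uint8_t tmp[BLK];
    for (int i = 0; i < BLK; i++) tmp[i] = in[i] ^ iv[i];
    toy_ecb_encrypt(key, tmp, out);
}

/* Constructed sample inputs. Returns 1 when the buggy output equals a plain
 * ECB encryption of the block (IV ignored) while the fixed output differs. */
int demo_iv_cancellation(void) {
    const uint8_t key[BLK] = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
    const uint8_t iv[BLK]  = {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f};
    const uint8_t data[BLK] = "DESFire block!!";   /* 15 chars + NUL = 16 bytes, constructed */
    uint8_t ecb[BLK], buggy[BLK], fixed[BLK];
    toy_ecb_encrypt(key, data, ecb);
    single_block_encrypt_buggy(key, iv, data, buggy);
    single_block_encrypt_fixed(key, iv, data, fixed);
    return memcmp(buggy, ecb, BLK) == 0 && memcmp(fixed, ecb, BLK) != 0;
}
```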

github-actions bot commented Feb 9, 2022

You are welcome to add an entry to the CHANGELOG.md as well

@iceman1001
Collaborator

Nice!
Let's see if it can be completed.
