Re: [FD] Banknotes Misproduction security & biometric weakness
On 31.01.2018 at 17:21, Vulnerability Lab wrote:
> Hello Ben Tasker,
> sorry if the title of the issue led you to misunderstand the article. The currency is still secure.
> The title refers to the information used for the issue. In case it was misleading we will update it, but you were the first who misunderstood the article by comments.
>
> "The weakness, the theory goes, is that someone could register a "fingerprint" in your system by using a banknote. This'd give them access whilst also meaning you didn't at least have a hash of their real fingerprint for forensics to find."
> This is correct. Also the problem that others can access with the same hologram into, for example, the highly protected area (mil & gov).
>
>
> "Another theory is that users might opt to use a banknote instead of their own fingerprint. I'm not quite sure what the likelihood of that is, in that it's not exactly convenient, and if you're concerned about privacy implications from a fingerprint scanner the best option is not to use it."
>
> What about if the fingerprint of Lenovo (bug disclosed in parallel to us) is our European currency? Meaning the hardcoded fingerprints that were published in parallel are exactly what we refer to when we talk about a universal fingerprint. In real life it is pretty easy to use it in large companies due to the registration and as well on entrance. Maybe you feel like the practical interaction cannot happen; we can confirm to you from Germany we were successful. The government disallowed us to register the fingerprint to the real system, otherwise a compromise could not be excluded.

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Re: [FD] Banknotes Misproduction security & biometric weakness
On 05.02.2018 at 16:10, Vulnerability Lab wrote:
> Hello Intern0t (inter...@protonmail.com),
> could you please tell me what your strange blabla has to do with the fact that the hologram can be read and accepted as a fingerprint because of the polipaper inside. Did you see that we changed the finger after the save due to the register? If you believe that this is normal behaviour or a troll issue, please ask Lenovo. They included their universal fingerprint from a mark inside a laptop. We figured out by now that the hologram can be read to finally bypass with a universal key. Thus the strange anomaly should for sure not be possible in scans that must identify a hologram. If your technical expertise is not high level enough to talk seriously about the issue's impact, I can't help you.
>
> Best Regards,
> Vulnerability Laboratory,

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
Re: [FD] Banknotes Misproduction security & biometric weakness
On 30.01.2018 at 15:43, Jeffrey Walton wrote:
> On Tue, Jan 30, 2018 at 9:22 AM, Vulnerability Lab wrote:
>> On 30.01.2018 at 15:18, Jeffrey Walton wrote:
>>> On Tue, Jan 30, 2018 at 4:08 AM, Vulnerability Lab wrote:
>>>> Document Title:
>>>> ===
>>>> Banknotes Misproduction security & biometric weakness
>>>> ...
>>>> Technical Details & Description:
>>>> In the last months we reviewed the new 20€ & 50€ banknotes of the European Central Bank. One of our core team researchers identified that for the security sign of the holograms different components are in usage. The security signs are built by the European Central Bank with several high-profile elements in the signs to ensure that the banknotes have a serious level of protection against fraud or fake money. After processing some time to identify an impact, we were finally able to identify the following security problematic ...
>>> The details seem to be missing from the announcement and the website.
>>
>> read the linked full document as pdf
> Thanks. There is no linked PDF.

The download is available in the references section.

- atu

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
[FD] SEC Consult SA-20180207-0 :: Multiple buffer overflow vulnerabilities in InfoZip UnZip
SEC Consult Vulnerability Lab Security Advisory < 20180207-0 >
===
title: Multiple buffer overflow vulnerabilities
product: InfoZip UnZip
vulnerable version: UnZip <= 6.00 / UnZip <= 6.1c22
fixed version: 6.10c23
CVE number: CVE-2018-131, CVE-2018-132, CVE-2018-133, CVE-2018-134, CVE-2018-135
impact: high
homepage: http://www.info-zip.org/UnZip.html
found: 2017-11-03
by: R. Freingruber (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
    Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
    https://www.sec-consult.com
===

Vendor description:
---
"UnZip is an extraction utility for archives compressed in .zip format (also called "zipfiles"). Although highly compatible both with PKWARE's PKZIP and PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip program, our primary objectives have been portability and non-MSDOS functionality. UnZip will list, test, or extract files from a .zip archive, commonly found on MS-DOS systems. The default behavior (with no options) is to extract into the current directory (and subdirectories below it) all files from the specified zipfile."

Source: http://www.info-zip.org/UnZip.html

InfoZip's UnZip is used as the default utility for uncompressing ZIP archives on nearly all *nix systems. It is shipped with many commercial products on Windows to provide (un)compressing functionality as well.

Business recommendation:
---
InfoZip UnZip should be updated to the latest available version.

Vulnerability overview/description:
---
1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-135)
InfoZip's UnZip suffers from a heap-based buffer overflow when uncompressing password protected ZIP archives. An attacker can exploit this vulnerability to overwrite heap chunks to get arbitrary code execution on the target system.

For newer builds the risk of this vulnerability is partially mitigated because modern compilers automatically replace unsafe functions with length-checking variants of the same function (for example sprintf gets replaced by sprintf_chk). This is done by the compiler at locations where the length of the destination buffer can be calculated. Nevertheless, it must be mentioned that UnZip is used on many systems, including older systems or exotic architectures on which this protection is not in place. Moreover, pre-compiled binaries which can be found on the internet lack the protection because the last major release of InfoZip's UnZip was in 2009 and compilers did not enable this protection by default at that time. The required compiler flags are also not set in the Makefile of UnZip. Compiled applications are therefore only protected if the used compiler has this protection enabled by default, which is only the case with modern compilers.

To trigger this vulnerability (and the following) it is enough to uncompress a manipulated ZIP archive. Any of the following invocations can be used to trigger and abuse the vulnerabilities:
>unzip malicious.zip
>unzip -p malicious.zip
>unzip -t malicious.zip

2) Heap-based out-of-bounds write (CVE-2018-131)
This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from a heap-based out-of-bounds write if the archive filename does not contain a .zip suffix.

3) Heap/BSS-based buffer overflow (Bypass of CVE-2015-1315) (CVE-2018-132)
This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from a heap/BSS-based buffer overflow which can be used to write null bytes out of bounds when converting attacker-controlled strings to the local charset.

4) Heap out-of-bounds access in ef_scan_for_stream (CVE-2018-133)
This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from a heap out-of-bounds access vulnerability.

5) Multiple vulnerabilities in the LZMA compression algorithm (CVE-2018-134)
This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from multiple vulnerabilities in the LZMA implementation. Various crash dumps have been supplied to the vendor but no further analysis has been performed.

Proof of concept:
---
1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-135)
Unzipping a malicious archive results in the following output:
(On Ubuntu 16.04 with Un