0
votes

I reset my smart card using JCManager

:::> gpj -list

:::> java -jar gpj.jar -list

Found terminals: [PC/SC terminal ACS CCID USB Reader 0]
Found card in terminal: ACS CCID USB Reader 0

ATR: 3B 68 00 00 00 73 C8 40 12 00 90 00

DEBUG: Command  APDU: 00 A4 04 00 08 A0 00 00 00 03 00 00 00
DEBUG: Response APDU: 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 01 FF 90 00
Successfully selected Security Domain OP201a A0 00 00 00 03 00 00 00

DEBUG: Command  APDU: 80 50 00 00 08 73 A2 DC F8 5D 56 48 B2
DEBUG: Response APDU: 00 00 11 60 01 00 8A 79 0A F9 FF 02 00 CB F8 CB B2 CC 73 6F A5 16 2B 6D 46 94 0F 13 90 00
DEBUG: Command  APDU: 84 82 00 00 10 36 0E 2D D6 F4 6C 65 E0 C4 EC A4 8C 96 D1 80 6A
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 84 82 00 00 08 36 0E 2D D6 F4 6C 65 E0
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 6A 88
AID: A0 00 00 00 03 00 00 00                       |........|        ISD LC: 1 PR: 0x9E


:::>

After that, I uploaded a .cap file to it:

:::> gpj -list

:::> java -jar gpj.jar -list

Found terminals: [PC/SC terminal ACS CCID USB Reader 0]
Found card in terminal: ACS CCID USB Reader 0

ATR: 3B 68 00 00 00 73 C8 40 12 00 90 00

DEBUG: Command  APDU: 00 A4 04 00 08 A0 00 00 00 03 00 00 00
DEBUG: Response APDU: 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 01 FF 90 00
Successfully selected Security Domain OP201a A0 00 00 00 03 00 00 00

DEBUG: Command  APDU: 80 50 00 00 08 39 CF 9A 58 C1 02 16 88
DEBUG: Response APDU: 00 00 11 60 01 00 8A 79 0A F9 FF 02 00 D0 C7 78 48 8C D6 C9 9D B1 9F FF 45 23 89 26 90 00
DEBUG: Command  APDU: 84 82 00 00 10 EA 3A 38 56 6D 7B 9D 73 BB EF 4A 1B C5 DD 58 6C
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 84 82 00 00 08 EA 3A 38 56 6D 7B 9D 73
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 30 30 30 31 07 00 90 00
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 30 30 30 31 07 00 90 00
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 6B 61 67 31 01 00 90 00
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 6B 61 67 31 01 00 90 00
AID: A0 00 00 00 03 00 00 00                       |........|        ISD LC: 1 PR: 0x9E

AID: 6D 79 70 61 63 30 30 30 31                    |mypac0001|       App LC: 7 PR: 0x00

AID: 6D 79 70 61 63 6B 61 67 31                    |mypackag1|       Exe LC: 1 PR: 0x00


:::

As you see above, two new AIDs were uploaded.

Q1: Which one is for the Applet and which one is for the Package? Why?

I can send the SELECT command to both successfully. This is the output of my tool when I send the SELECT command:

Answer-to-Reset
3B  68  00  00  00  73  C8  40  12  00  90  00  

# CLA|INS|P1|P2|Lc|Le
# Data Field
# Status Word

< 00 A4 04 00 09 00
< 6D 79 70 61 63 30 30 30 31
> 9000

< 00 A4 04 00 09 00
< 6D 79 70 61 63 6B 61 67 31
> 9000

And then I reset the card using JCManager again:

:::> gpj -list

:::> java -jar gpj.jar -list

Found terminals: [PC/SC terminal ACS CCID USB Reader 0]
Found card in terminal: ACS CCID USB Reader 0

ATR: 3B 68 00 00 00 73 C8 40 12 00 90 00

DEBUG: Command  APDU: 00 A4 04 00 08 A0 00 00 00 03 00 00 00
DEBUG: Response APDU: 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 01 FF 90 00
Successfully selected Security Domain OP201a A0 00 00 00 03 00 00 00

DEBUG: Command  APDU: 80 50 00 00 08 73 A2 DC F8 5D 56 48 B2
DEBUG: Response APDU: 00 00 11 60 01 00 8A 79 0A F9 FF 02 00 CB F8 CB B2 CC 73 6F A5 16 2B 6D 46 94 0F 13 90 00
DEBUG: Command  APDU: 84 82 00 00 10 36 0E 2D D6 F4 6C 65 E0 C4 EC A4 8C 96 D1 80 6A
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 84 82 00 00 08 36 0E 2D D6 F4 6C 65 E0
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 6A 88
AID: A0 00 00 00 03 00 00 00                       |........|        ISD LC: 1 PR: 0x9E


:::>

And then I changed some bytes of the same .cap file using HDD Hex Editor Neo (a binary file editing software for Windows).

Finally, I tried to upload this new .cap file to the card:

enter image description here

As you see above, I couldn't upload it successfully. I tried another gpj -list command, and this is the output:

:::gpj -list

:::java -jar gpj.jar -list

Found terminals: [PC/SC terminal ACS CCID USB Reader 0]
Found card in terminal: ACS CCID USB Reader 0

ATR: 3B 68 00 00 00 73 C8 40 12 00 90 00

DEBUG: Command  APDU: 00 A4 04 00 08 A0 00 00 00 03 00 00 00
DEBUG: Response APDU: 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 01 FF 90 00
Successfully selected Security Domain OP201a A0 00 00 00 03 00 00 00

DEBUG: Command  APDU: 80 50 00 00 08 03 97 15 70 2B 1F E1 9B
DEBUG: Response APDU: 00 00 11 60 01 00 8A 79 0A F9 FF 02 00 CE AF 71 EB 5D 50 0F 81 F5 7B FB 7B 51 B4 6D 90 00

DEBUG: Command  APDU: 84 82 00 00 10 AF 86 13 9F C7 8E BC BE 8A 91 97 6A 26 CF 69 E1
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 84 82 00 00 08 AF 86 13 9F C7 8E BC BE
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 6B 61 67 31 01 00 90 00
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 6B 61 67 31 01 00 90 00
AID: A0 00 00 00 03 00 00 00                       |........|        ISD LC: 1 PR: 0x9E

AID: 6D 79 70 61 63 6B 61 67 31                    |mypackag1|       Exe LC: 1 PR: 0x00

:::

Now this is the main question:

Q2: Why do I see two AIDs in the output? I think, for security reasons, the JCRE must prevent incomplete installation of applets, right?

Note that when I send a SELECT command to this AID, I receive 6A82 [File or Application not found]. If it is not there, why does the card return its AID in the list applets command?

Is this an atomicity violation? Can it be a vulnerability in the Installer? Can it endanger the security of my smart card?


1 Answers

4
votes

You apparently can't interpret the output from the tools, and gpj does not really make it easy either.

Applet AID and package AID are different things and only selectable applets can be selected. Not to mention the issuer security domain, which is a different thing in the first place.

Also, please don't use gpj, that means you are using the old version (there's a lockout from the sf.net account, a reason for no information about it there). The new version is available from here: https://github.com/martinpaljak/GlobalPlatformPro

Among other things it shows the list of objects on the card in a more readable way. Look for SELECTABLE things, which are applications.

Don't use jcManager "reset card" on any card; it blindly deletes everything it can. Some cards expose components from the ROM, which you lose forever if you delete them unintentionally.
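The distinction the answer draws can be read directly from the GET STATUS (80 F2) exchanges in the logs above. The following is an added example, not code from the post or from gpj: it assumes the legacy response layout (length, AID, life cycle state, privileges) and uses function names chosen here, with sample lines copied from the question's logs.

```python
import re

# GET STATUS P1 -> which part of the card registry is being listed (GlobalPlatform)
SCOPES = {0x80: "Issuer Security Domain", 0x40: "Application", 0x20: "Executable Load File"}
# Life cycle names; only common values are listed, others are shown as hex
LIFECYCLE = {"Issuer Security Domain": {0x01: "OP_READY", 0x07: "INITIALIZED", 0x0F: "SECURED"},
             "Application": {0x03: "INSTALLED", 0x07: "SELECTABLE"},
             "Executable Load File": {0x01: "LOADED"}}
APDU_RE = re.compile(r"DEBUG: (Command|Response)\s+APDU: ([0-9A-F ]+)")

def parse_entries(data):
    """Split response data into (aid, life_cycle, privileges) tuples."""
    entries, i = [], 0
    while i < len(data):
        n = data[i]
        if i + n + 3 > len(data):
            raise ValueError("truncated GET STATUS entry")
        entries.append((data[i + 1:i + 1 + n], data[i + 1 + n], data[i + 2 + n]))
        i += n + 3
    return entries

def list_registry(log):
    """Return {AID hex: (kind, life cycle name, privileges)} from a gpj debug log."""
    registry, scope = {}, None
    for direction, hexbytes in APDU_RE.findall(log):
        raw = bytes.fromhex(hexbytes.strip())
        if direction == "Command":
            is_get_status = len(raw) >= 4 and raw[0] == 0x80 and raw[1] == 0xF2
            scope = SCOPES.get(raw[2]) if is_get_status else None
        elif scope and raw[-2:] == b"\x90\x00":   # ignore 6A88 / 6A81 answers
            for aid, lc, priv in parse_entries(raw[:-2]):
                name = LIFECYCLE[scope].get(lc, "0x%02X" % lc)
                registry[aid.hex().upper()] = (scope, name, priv)
    return registry

# Lines copied from the question: after the good upload, then after the failed one
AFTER_GOOD_UPLOAD = """
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 30 30 30 31 07 00 90 00
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 6B 61 67 31 01 00 90 00
"""
AFTER_FAILED_UPLOAD = """
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 6B 61 67 31 01 00 90 00
"""
```

Run over the last log, `list_registry` returns a single Executable Load File entry in state LOADED and no Application entry, which is the package-without-applet state the question's second listing shows.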