Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

port cve-2021-34600 poc, fix device desfire aes crypto #1594

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

y-x41
Copy link

@y-x41 y-x41 commented Feb 9, 2022

Hey!

This PR adds support for performing the attack enabled by CVE-2021-34600. Details on how this attack works can be found on our blog.
This isn't 100% complete, yet, but since I won't be able to work on this until March I am already creating a pull request so that anyone who's interested can play around with it or potentially provide some feedback in the meantime.

A few issues remain:

  • Cancelling the simulator via the Proxmark's button does not work properly. While it seems that the simulation is stopped, it's not possible to enter any new commands on the client side. The Proxmark needs to be powercycled to get out of this state.
  • The current implementation only works for DESFire EV1/2 tags using AES keys. DES modes are not supported.
  • A free() in desfire_crypto.c had to be commented out due to linker errors.

y-x41 added 3 commits February 9, 2022 15:21
This commit fixes `mifare_cypher_single_block()` when used with `T_AES`.
`mifare_cypher_single_block()` essentially re-implements CBC mode for
all used ciphers by XOR-ing the IV with the data either before
encryption or after decryption and using AES in ECB mode. However, for
AES encryption `mbedtls_aes_crypt_cbc()` was then called to perform the
en-/decryption operation, which then also XOR-ed the IV with the data,
all of which resulted in the wrong en-/decryption of the data. This is
fixed by replacing the call to `mbedtls_aes_crypt_cbc()` with a call to
`mbedtls_aes_crypt_ecb()`.
Add support for performing the attack on systems affected by
CVE-2021-34600. For this, this commit adds the commands `hf mfdesbrute
get_challenge` and `hf mfdesbrute open_door`.
@github-actions
Copy link

github-actions bot commented Feb 9, 2022

You are welcome to add an entry to the CHANGELOG.md as well

@iceman1001
Copy link
Collaborator

Nice!,
lets see if it can be completed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants