The database, or the middleware's handling of the database, is one of the areas where vulnerabilities may arise.
RFID middleware systems generally use a database to store information that is read from tags and written to them. If the middleware does not treat the data read from the tag correctly, it may be possible to trick the database into executing SQL code that is stored on the tag. This is known as SQL injection.
Normally, the tag's data should not be interpreted as code, but programming errors in the middleware may make it possible. If the middleware inserts the data in an SQL query, without escaping it properly, the data can modify the query. Usually, this involves including a quote in the data, which is interpreted by the SQL parser as ending a section of data and starting the next section of code. The data following the quote is then interpreted as code.As an example, consider the following query:
If the tag's data contains the following:
Many middleware systems use web-based components, for example to provide a user-interface, or to query databases in different parts of the world. These web-based components may also be vulnerable to attacks.
Another way in which web-based components may be
exploited, is through server-side includes (SSI). SSI is a
technology that allows webpages to be generated on the fly,
by executing commands on the webserver when a webpage is
requested. By including SSI commands on a tag, it may be
possible to trick the webserver into executing malicious
code, using SSI's
The code that ties the RFID reader interface to the middleware is likely to be written in a low-level language such as C or C++. Any code written in such a language may be vulnerable to buffer overflows.
It may seem counterintuitive that RFID tags with their limited memory could cause a buffer overflow, but this may still be possible if the middleware expects to read only small amounts of data. Most RFID tags include information on the amount of memory they contain. If the reader code uses this information to determine the amount of data to read, it may read more data than expected, causing its buffer to overflow. Simply using fixed-size tags is not enough to prevent buffer overflows, as attackers may introduce unauthorized tags.An example overflow is shown in Exploit 4.
The actual exploit takes part in the last two rows, which are explained below.
If string-handling functions are used to copy the tag's data, it is impossible to include 0-bytes in the buffer overflow, which limits the scope of the attack. In this case, it is impossible to include addresses in the attack, which means that it is difficult to craft code that will run from the stack. On little-endian systems, it is still possible to do some damage, as the string's terminating 0-byte can be used to form a single address. This address can be used to jump to existing code, as in Exploit 5.