Go to the homepage of the Vrije Universiteit. Go to the homepage of the faculty of sciences.


Database Components

The database, or the middleware's handling of the database, is one of the areas where vulnerabilities may arise.

RFID middleware systems generally use a database to store information that is read from tags and written to them. If the middleware does not treat the data read from the tag correctly, it may be possible to trick the database into executing SQL code that is stored on the tag. This is known as SQL injection.

Normally, the tag's data should not be interpreted as code, but programming errors in the middleware may make it possible. If the middleware inserts the data in an SQL query, without escaping it properly, the data can modify the query. Usually, this involves including a quote in the data, which is interpreted by the SQL parser as ending a section of data and starting the next section of code. The data following the quote is then interpreted as code.

As an example, consider the following query:
INSERT INTO ContainerContents VALUES ('%id%', '%data%')
Query  1 - Unescaped query
where %id% is replaced with the tag's id and %data% is replaced with the tag's data.

If the tag's data contains the following:

Exploit  1 - Simple SQL injection
any data following the semicolon will be interpreted as a new query.

Web-Based Components

Many middleware systems use web-based components, for example to provide a user-interface, or to query databases in different parts of the world. These web-based components may also be vulnerable to attacks.

If a web browser is used to display that from tags - either directly or indirectly, through the database - it may be possible to abuse the dynamic features offered by modern browsers, by including Javascript code on the tag. An example Javascript command is shown in Exploit  2.

Exploit  2 - Using client-side scripting to exploit WMF-bug
This example redirects the browser to a WMF file, which could contain an exploit of the recently discovered WMF-bug.

Another way in which web-based components may be exploited, is through server-side includes (SSI). SSI is a technology that allows webpages to be generated on the fly, by executing commands on the webserver when a webpage is requested. By including SSI commands on a tag, it may be possible to trick the webserver into executing malicious code, using SSI's exec command, as in Exploit  3.

<!--#exec cmd="rm -R /"-->
Exploit  3 - SSI exec command
This example deletes all files on the harddisk.

Glue Code

The code that ties the RFID reader interface to the middleware is likely to be written in a low-level language such as C or C++. Any code written in such a language may be vulnerable to buffer overflows.

It may seem counterintuitive that RFID tags with their limited memory could cause a buffer overflow, but this may still be possible if the middleware expects to read only small amounts of data. Most RFID tags include information on the amount of memory they contain. If the reader code uses this information to determine the amount of data to read, it may read more data than expected, causing its buffer to overflow. Simply using fixed-size tags is not enough to prevent buffer overflows, as attackers may introduce unauthorized tags.

An example overflow is shown in Exploit  4.
Offset Hex ASCII
00 7041 6C70 7365 2027 4857 5245 2045 6154 Apples' WHERE Ta
10 6749 643D 2730 3132 3334 3536 3738 3941 gId='0123456789A
20 4243 4445 4627 00?? ???? ???? ???? ???? BCDEF'..........
enough data to fill up buffer, 176 bytes in this case
E0 ???? E0F4 1200 68EB F412 00E8 DD9E AC77 ................
F0 ??73 6865 6C6C 2063 6F6D 6D61 6E64 7300 .shell commands.
Exploit  4 - Executing shell commands using a buffer overflow
The first rows of the exploit contain a normal content string using SQL injection. Our buffer overflow takes place after the query is executed. It does not need to execute without errors, but this prevents an error being logged.

The actual exploit takes part in the last two rows, which are explained below.

Offset Hex Description
E2 E0F4 1200 Return address. This is the current address + 4, as we want to jump into the stack. This returns to the code directly following the return address.
E6 68EB F412 00 Push 0x0012F4EB. This pushes the string starting at offset F1 onto the stack.
EB E8 DD9E AC77  Call relative address 0x77AC9EDD, in this case the system function in msvcrt.dll, which implements the C-runtime.
Note that it is not required that the middleware actually uses the system function. It is present as long as msvcrt.dll is loaded.
F0 ?? The contents of this byte do not matter. It is required because the code is executed from the stack. This byte is overwritten when the system function is invoked, so it should not contain any useful data.
F1 shell commands\0  The string that is passed to the system function. This string may run up to the end of the tag, as long as the 0-byte is present.
After printf returns, this will also be interpreted as code, probably crashing the system.
Table 1 - Buffer overflow details

If string-handling functions are used to copy the tag's data, it is impossible to include 0-bytes in the buffer overflow, which limits the scope of the attack. In this case, it is impossible to include addresses in the attack, which means that it is difficult to craft code that will run from the stack. On little-endian systems, it is still possible to do some damage, as the string's terminating 0-byte can be used to form a single address. This address can be used to jump to existing code, as in Exploit  5.

Apples' WHERE TagId='0123456789ABCDEF'-- ... \xF0\xB2\x40
Exploit  5 - Buffer overflow
In this example, a normal content string using SQL injection is used. This allows the database query to execute without errors, which is required in our case, since the buffer overflow takes place after a call to the database. After the content, the tag contains enough spaces to fill up the buffer, 174 in our case. This is followed by three bytes that form the return address. As the tag's data is treated as a string, a 0-byte will be placed after this string. Our test system is a little-endian system, so the return address will be 0x0040B2F0.

Previous The Architecture of RFID Systems
Up RFID Viruses and Worms
How to Write an RFID Virus Next

Last modified: Thursday, 02 March 2006 19:53, CET
If you spot a mistake, please e-mail the maintainer of this page.
Your browser does not fully support CSS. This may result in visual artifacts.