Biometric fingerprint recognition USB3.0 memory (Lexar F35) Password authentication vulnerability

High
bosslabdcu published GHSA-fcqg-mq6w-h3fh Mar 20, 2022

Package

FingerTool_Lexar(Window) (Password authentication module)

Affected versions

v1.0.34.0

Patched versions

Not patched

Description

Biometric fingerprint recognition USB3.0 memory (Lexar F35) Password authentication vulnerability

Impact

By bypassing password authentication, a malicious attacker can be authenticated as a user without knowing the correct password. Using this vulnerability, the attacker can steal data stored on the secure USB flash drive and obtain administrator privileges. With administrator privileges, further damage is possible, such as adding malicious users or deleting registered users. The data encrypted by the secure USB flash drive are decrypted automatically and exposed to the attacker once the attacker is authenticated as a registered user. The attacker can therefore steal the data that are protected within the USB flash drive regardless of whether the encryption key is exposed, and without any information about the encryption key.

Summary

In summary, an attacker without access to the protected data on a secure USB flash drive can bypass user authentication without any information about the registered user's password. After a user registers a password, the secure USB flash drive transmits each password the user enters to the authentication module in the drive, where it is compared with the registered password stored in the module. The module then returns the comparison result as the authentication information. An attacker can therefore bypass password authentication by analyzing the functions that return the password verification or comparison result and manipulating the authentication result value. Accordingly, even when an incorrect password is entered, the attacker is authenticated as a legitimate user and can use the functions of the secure USB flash drive.

Analysis

Of the user authentication methods applied to secure USB flash drives, fingerprint authentication and password-based authentication, the password authentication method is free from vulnerabilities in which the registered password is exposed to the management program, such as a hardcoded password. However, the drive and the management program are vulnerable during the password authentication process itself. Here, the password registered by the user is compared with the password entered by the user inside the registration module of the drive, and only the comparison result is delivered to the management program. The password verification function of the management program then grants data decryption and administrator privileges based on the comparison result it received.
In this vulnerability, the authentication result is exposed in the management program, where an attacker can easily manipulate it. The attacker can collect the authentication result value for a correct password and the value for an incorrect password through the password verification function. If the result value for an incorrect password is changed to the result value for a correct password, authentication is bypassed.
Based on this analysis, we entered correct and incorrect passwords to bypass the password authentication of the management program, FingerTool_Lexar. FingerTool_Lexar stores the entered password in memory and transfers it to the authentication module in the flash drive for authentication.
To transfer the password stored in the management program to the authentication module, which is hardware, the management program calls the Microsoft Windows DeviceIoControl() function to communicate with the device. We therefore analyzed the arguments passed when DeviceIoControl() is called.
DeviceIoControl() takes eight parameters and uses the lpInBuffer and lpOutBuffer parameters to exchange data with the device. Data sent from the management program to the authentication module, including the password, are placed in lpOutBuffer, and data returned from the device to the management program are placed in lpInBuffer. The data stored in lpOutBuffer when DeviceIoControl() is called after entering the password are shown in Figure 1.

Figure 1 (image not reproduced): Data stored in lpOutBuffer when the input password is transferred (input password: qwe123).

Figure 2 (image not reproduced): Verification function code of the authentication result.

Figure 2 shows the code of the function that verifies the password authentication result after DeviceIoControl() is called, as displayed in a reverse engineering tool. Execution starts at 0x003655D0 and the function ends after the RETN instruction at 0x0036560C. The function returns the value held in the EAX register, and the authentication result is determined by that value.
To analyze the authentication result for each password input to the verification function, the values stored in the registers are shown in Figures 3 and 4.
Figure 3 (image not reproduced): Values stored in the registers when a wrong password is input.

Figure 4 (image not reproduced): Values stored in the registers when a correct password is input.

A shift-left operation is performed on the values in the EAX and ECX registers at 0x003655F7 and 0x003655FE, respectively. At 0x00365601, the values in EAX and ECX are ORed, and the result of that operation, which is the authentication result, is stored in EAX. The authentication result produced by these shift-left and OR operations in the verification function for a correct and for an incorrect password is shown in Figure 5.

Figure 5 (image not reproduced): Authentication results when inputting incorrect and correct passwords: (a) incorrect password, (b) correct password.

The value stored in the EAX register, which is the authentication result, differs between an incorrect and a correct password. As shown in Figure 5 (a), EAX holds 0x00023A00 when the incorrect password is input, and Figure 5 (b) shows that it holds 0 when the correct password is input. From these results we assumed that if the value in EAX is changed from 0x00023A00 to 0 after an incorrect password is input, an attacker can bypass authentication. To confirm this assumption, we set the value in EAX to 0 after entering an incorrect password. As shown in Figure 6, password authentication is bypassed and administrator privileges are obtained.

Figure 6 (image not reproduced): Result of vulnerability verification through authentication bypass: obtaining administrator privileges.
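The root cause described above is architectural: the drive returns only a verdict, and the host program turns that verdict into decryption and administrator privileges, so the security decision lives in memory that a local attacker controls. The following C program is an added example, not code from the advisory or from the FingerTool_Lexar product. It simulates the device in-process (the registered password "qwe123" is taken from Figure 1; the key, the XOR toy cipher and the ciphertext are constructed) and contrasts two designs: pattern 1 mirrors the advisory, where a status word of 0 (success) or 0x00023A00 (failure, the value from Figure 5) is handed to the host and the host decides; pattern 2 has the device release the data key only on a correct password, so a tampered host-side status is useless without the key.

```c
/* Added example, not code from the advisory or from Lexar's FingerTool.
 * It models, in one process, the host/device split the advisory describes.
 * The device firmware, password "qwe123" (from Figure 1), data key and
 * ciphertext are all constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16
#define PW_LEN  32

/* Simulated drive state. In the real product this lives in the authentication
 * module on the drive, not in the host process. */
typedef struct {
    char    registered_password[PW_LEN];
    uint8_t data_key[KEY_LEN];
} sim_device_t;

static const sim_device_t g_device = {
    "qwe123",
    {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,
     0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00}
};

/* "SECRET" XOR-masked with the first six key bytes (toy cipher, constructed). */
static const uint8_t g_ciphertext[6] = {0x42,0x67,0x70,0x16,0x10,0x32};

/* Fixed-length, constant-time comparison so the simulated firmware is not
 * itself a timing side channel. Inputs of PW_LEN bytes or more are rejected. */
static int password_matches(const char *input) {
    char padded[PW_LEN] = {0};
    size_t n = strlen(input);
    if (n >= PW_LEN) return 0;
    memcpy(padded, input, n);
    unsigned char diff = 0;
    for (size_t i = 0; i < PW_LEN; i++)
        diff |= (unsigned char)(padded[i] ^ g_device.registered_password[i]);
    return diff == 0;
}

/* Pattern 1 (the advisory's design). Stand-in for the DeviceIoControl round
 * trip: the device hands the host a status word, 0 on match and the failure
 * value 0x00023A00 seen in Figure 5 otherwise. */
uint32_t weak_device_status(const char *input) {
    return password_matches(input) ? 0u : 0x00023A00u;
}

/* The host program's decision. Because the verdict is an ordinary value in
 * host memory, whatever can write that memory also decides the outcome; the
 * device is never consulted again and holds nothing the host still needs. */
int weak_host_grants_admin(uint32_t status) {
    return status == 0;
}

/* Pattern 2. The device releases the data key only on a match and zero-fills
 * the buffer otherwise. No host-side value can stand in for the key. */
int hardened_device_unlock(const char *input, uint8_t key_out[KEY_LEN]) {
    if (password_matches(input)) {
        memcpy(key_out, g_device.data_key, KEY_LEN);
        return 1;
    }
    memset(key_out, 0, KEY_LEN);
    return 0;
}

/* Host side of pattern 2. It deliberately ignores the unlock verdict and
 * decrypts anyway, standing in for a host whose status check was tampered
 * with: without the real key the output is still not the plaintext. */
int hardened_host_read(const char *input, char out[7]) {
    uint8_t key[KEY_LEN];
    int ok = hardened_device_unlock(input, key);
    for (size_t i = 0; i < sizeof g_ciphertext; i++)
        out[i] = (char)(g_ciphertext[i] ^ key[i]);
    out[6] = '\0';
    return ok;
}

/* Returns 1 if decrypting with the given password yields `expected`. */
int hardened_read_yields(const char *input, const char *expected) {
    char buf[7];
    hardened_host_read(input, buf);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    printf("pattern 1, wrong password, host status forced to 0: admin=%d\n",
           weak_host_grants_admin(0));
    printf("pattern 2, wrong password, decrypt anyway yields SECRET: %d\n",
           hardened_read_yields("wrong", "SECRET"));
    printf("pattern 2, correct password yields SECRET: %d\n",
           hardened_read_yields("qwe123", "SECRET"));
    return 0;
}
```

The point of the contrast is what the host holds after a failed check. In pattern 1 it holds a status word and a key it already had, so rewriting one value in its own memory is sufficient; in pattern 2 it holds only zeros, and the only way to obtain the key is a successful comparison inside the device. A real design would additionally bind the released key to the device session and rate-limit attempts in firmware, which this toy omits.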

Discoverer(s)/Credits

Kyungroul Lee/South Korea/carpedm@mnu.ac.kr
DongHyeun Kim/South Korea/oksally@cu.ac.kr
Jae hyuk Lee/South Korea/gurmggg@cu.ac.kr

For more information

If you have any questions or comments about this advisory:

Severity

High, 8.8 / 10

CVSS base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2021-46390

Weaknesses