Impact
Using this vulnerability, an attacker who does not know the password can bypass authentication even when an incorrect password is entered. In addition, after bypassing password authentication with this vulnerability, functions might be used maliciously to delete users or add new malicious users. Finally, encrypted data and other data stored safely inside the device can be stolen without stealing the correct password.
Summary
Storage security technologies such as secure flash memory have emerged for protecting stored data. Such secure technologies include user authentication, access control, and data encryption technologies. Among these technologies, user authentication technologies are primarily used.
Password authentication is typical in user authentication technology. It is used in conjunction with biometric authentication such as iris and fingerprint authentication. For this reason, we selected Wizflat's DM PD065 secure flash memory, one of the most used secure flash memories, to analyze the vulnerability as applied to a product.
The secure flash memory (DM PD065) uses a total of two user authentication technologies: password authentication and fingerprint authentication. In other words, a user is identified through their fingerprint and password. If any of this information is exposed, the protected data of the authorized user can be accessed maliciously. In addition, for password authentication technology, when the user directly registers the password, a function that verifies the password is required inside the management software. For this reason, we analyzed vulnerabilities of the password authentication technology applied to this product.
While analyzing the password authentication, we found a function that receives the input password as an argument and analyzed the code related to password authentication. By modifying the EAX value of the function, the password authentication routine was modified to bypass password authentication even if the wrong password was input.
Analysis
This vulnerability was caused by a structural problem in password authentication. The structural problem is that the password authentication technology necessarily has code in a specific code area that determines whether the input password is the correct password.

Figure 1. Part of password verification function code
Figure 1 shows the password verification function code. The FingerTo.AP_VerifyPwd function is called at location (1) 0x00165FC6 when a password is input in this product. That is, this is the part that determines whether the password input by the user is the correct password. If the input password is correct, execution moves to location (3) 0x00165FE1. If it is incorrect, execution moves to location (4) 0x00165FF5.
In other words, the result of the password verification function described above is stored in the EAX register, and execution branches on it at location (2) 0x00165FD0. The vulnerability in this software occurs because the function that verifies the password after it is input is exposed in the code to reverse engineering.

Figure 2. Function code to verify the authentication result
To verify and prove the vulnerability, the password verification function called at location (1) 0x00165FC6 in Figure 1 was analyzed. Analyzing the internal code of the function confirmed the code shown in Figure 2 and its structure. As a result, we assume that this code is the part that actually verifies the password input by the user. To verify this assumption, the corresponding internal function was analyzed in more detail.

Figure 3. Example of shift-left operation results: (1) incorrect password, (2) correct password
Analysis of the internal function shown in Figure 2 determined that the password input by the user is compared by executing shift-left operation-based code. If the correct password is input, EAX is set to 0; if a wrong password is input, EAX is set to 0x52400. This value is based on (2) 0x00165FD0 of Figure 1. Therefore, to bypass the password, the EAX value of 0x52400 produced when the wrong password was input was modified to 0, the EAX value produced when the password is correct.
As a result, even though a wrong password was input as shown in Figure 4, EAX was changed to 0 at (2) 0x00165FD0 in Figure 1, and execution branched to location (3) 0x00165FE1 (correct), not to location (4) 0x00165FF5 (incorrect). Finally, authentication was bypassed.

Figure 4. Vulnerability verification result using this authentication bypass vulnerability: Administrator privileges obtained
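The structural problem described in the Analysis, modelled beside one common mitigation, as an added example that is not code from the advisory or from the DM PD065 software: Design A gates access on a status code (0 for correct, 0x52400 for wrong, as reported above), while Design B stores the data encrypted under a password-derived key so that no single result value unlocks it. All function names, the salt, the sample secret and the toy keystream (a stand-in for a real AEAD cipher) are assumptions made for illustration.

```python
import hashlib
import hmac

# All values below are constructed for this example.
SALT = b"constructed-salt"            # random per device in practice
SECRET = b"protected volume data"
WRONG = 0x52400                       # wrong-password status quoted in the advisory

def kdf(password):
    """Derive separate encryption and MAC keys from the password."""
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000, dklen=64)
    return k[:32], k[32:]

def xor_stream(key, data):
    """Toy HMAC-counter keystream; stand-in for a real AEAD such as AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

# Design A: data is readable by the software; a status code gates access.
STORED = kdf("correct-password")[1]

def verify_pwd(password):
    return 0 if hmac.compare_digest(kdf(password)[1], STORED) else WRONG

def unlock_by_status(password, forced_status=None):
    # forced_status models the altered return value described in the Analysis.
    status = verify_pwd(password) if forced_status is None else forced_status
    return SECRET if status == 0 else None

# Design B: data is stored encrypted under the password-derived key.
_enc, _mac = kdf("correct-password")
CIPHERTEXT = xor_stream(_enc, SECRET)
TAG = hmac.new(_mac, CIPHERTEXT, hashlib.sha256).digest()

def unlock_by_key(password, skip_check=False):
    enc, mac = kdf(password)
    ok = hmac.compare_digest(hmac.new(mac, CIPHERTEXT, hashlib.sha256).digest(), TAG)
    if not ok and not skip_check:
        return None
    return xor_stream(enc, CIPHERTEXT)   # wrong key yields noise, not SECRET
```

In Design B, skipping the integrity check with a wrong password still returns bytes that are not the plaintext, because the decision is no longer what protects the data.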
Discoverer(s)/Credits
Kyungroul Lee/South Korea/carpedm@mnu.ac.kr
Jaehyuk Lee/South Korea/gurtmggg@gmail.com
For more information
If you have any questions or comments about this advisory: