Wednesday, June 3, 2009

Study on ATM security: code injection on Wincor Nixdorf ATMs

Disclaimer: information provided here should be used only for educational purpose.
Use the code for educational purposes only, or else you may get fucked with a telegraph pole.
Once I wrote a small application used to start ProSop on WN ATMs. It used the WN-specific XFS provider SYN and worked jolly well on ProCash/xDC 1.3/00. When 1.4/00 arrived, everything changed: WN got rid of SYN and the whole thing did not work anymore (some people said there was a possibility to start ProSop by doing some settings in the registry, but I wouldn't consider this to be an elegant solution).
So I decided to create the ultimate "ProSop starter" regardless of the main application version running on the ATM. The initial idea was to make the main application think the operator switch button had been properly pressed. The main application (let it be ProCash/xDC or some third-party software) receives this information from the XFS layer as an event. We cannot simulate this event (we would have to find out a lot of information such as the target hwnd, service handle, etc.), so we look further. XFS itself (more precisely, the SIU service provider) periodically asks the CSC/W-32 Special Electronic for the status of all sensors. So, we can try to act as a part of CSC/W-32 in order to provide information about a pressed operator switch button.
The injection technique is not new; for details consult a good book on Win32 programming (I would recommend Richter). I decided to use the most harmless method of DLL injection - SetWindowsHookEx. We are not interested in proper window message interception; what matters to us is the side effect - our code will be placed in another process's address space. Once we've got into the target process (that is FWMAIN32.EXE) we can do some API hooking. Study of the WN XFS implementation has shown that CSC libraries are dynamically loaded at runtime, so we should fix the export table of the target DLL (that is CSCSEL.DLL). The Damn Bloody Microsoft has a very interesting project, Microsoft Detours (you can find it on the Microsoft Research web site). This library is open source for Win32 projects and does exactly what we need - replaces a given DLL export function's start address with a function we provide. So the main code flow will be:
- inject code into the target process (FWMAIN32.exe)
- make sure CSCSEL.DLL is loaded into the process's memory
- replace the CscSelGetStatus entry point with our function
- our function, when called, will call the original one, fix its result, restore the DLL's export and return.
That's it. We start a small console application, and after about 2-3 seconds the ATM enters SOP mode.
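As an added, defender-side example (not code from the original post): the injection chain above leaves one trace that does not depend on the hook's internals, a foreign module appearing inside FWMAIN32.EXE. The script below runs simple detection logic over constructed image-load records modelled on the fields of Sysmon's "Image loaded" event (Image, ImageLoaded, SignatureStatus). The install directory C:\XFSAPP, the sample lines and the function names are assumptions made for the example, not values from the post.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on Sysmon Event ID 7 fields. These lines are
# made up for the example; nothing here was captured from a real ATM.
SAMPLE_EVENTS = r"""
UtcTime=2009-06-03 10:15:01.001 Image=C:\XFSAPP\BIN\FWMAIN32.EXE ImageLoaded=C:\XFSAPP\BIN\CSCSEL.DLL Signed=true SignatureStatus=Valid
UtcTime=2009-06-03 10:15:01.020 Image=C:\XFSAPP\BIN\FWMAIN32.EXE ImageLoaded=C:\WINDOWS\system32\USER32.dll Signed=true SignatureStatus=Valid
UtcTime=2009-06-03 10:15:03.500 Image=C:\XFSAPP\BIN\FWMAIN32.EXE ImageLoaded=C:\Documents and Settings\oper\hook.dll Signed=false SignatureStatus=Unavailable
UtcTime=2009-06-03 10:15:04.000 Image=C:\WINDOWS\explorer.exe ImageLoaded=C:\Documents and Settings\oper\hook.dll Signed=false SignatureStatus=Unavailable
"""

# Key=value pairs; a value runs until the next " Key=" so paths with spaces survive.
_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Processes hosting the XFS service providers, i.e. where an injected hook would land.
WATCHED_PROCESSES = {"fwmain32.exe"}
# Directories a legitimate module may be loaded from (C:\XFSAPP is a hypothetical
# install path; adjust to the real installation).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\xfsapp\\")


def parse_event(line):
    """Turn one 'Key=value Key=value' line into a dict."""
    return {k: v for k, v in _KV.findall(line)}


def check_image_load(ev):
    """Return the reasons this image-load event is suspicious (empty list if benign)."""
    proc = PureWindowsPath(ev.get("Image", "")).name.lower()
    if proc not in WATCHED_PROCESSES:
        return []
    module = ev.get("ImageLoaded", "")
    reasons = []
    if not module.lower().startswith(TRUSTED_DIRS):
        reasons.append("module loaded from outside the trusted directories")
    if ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("module is not validly signed")
    return reasons


def scan(text):
    """Run the check over a block of event lines and collect alerts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = check_image_load(ev)
        if reasons:
            alerts.append({
                "time": ev.get("UtcTime"),
                "process": ev.get("Image"),
                "module": ev.get("ImageLoaded"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['time']} {a['process']} loaded {a['module']}: {'; '.join(a['reasons'])}")
```

Only the module loaded into FWMAIN32.EXE from a user profile directory without a valid signature is reported; the same DLL loaded by explorer.exe is ignored because that process is not in the watched set. On a real deployment the two lists are the tuning knobs: the watched processes are the XFS host processes, and the trusted directories are the vendor and system paths the installation actually uses.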
I was so fascinated by the idea of code injection that I created some more examples:
Example 1. Suppose we intercept CSCIDU.DLL (which works with card reader). If at a given moment we recognize the inserted card as "special" card, we dispense some money. Fun, isn't it?
Example 2, more interesting. Here I work with the card reader and the pin pad. When the card is inserted we memorize Track 2. After the encrypted pin block is created we do the following trick: import two keys into the pinpad (we can do it once): one used for pinblock creation (let's say it's K1), another used for crypt operations (K2). The keys should have the same value (any). Then we get the pinblock one more time using key K2. Then we decrypt it using key K1. Voila - here is the CLEAR pin block. We also know Track 2, which means we know the CLEAR PIN. So we memorize it along with the Track 2 to use it later...
This will work only if pinpad is configured to provide multiple pinblocks. As this is DEFAULT setting for WN ATM, we might be happy.
If the pinpad will not provide the pinblock more than once, we can just wait. Wait for the moment the key with the role "pinblock creation" is loaded into the pinpad. At this moment we can import another key having the role "crypt" and the same value. When we get the encrypted pinblock, we just decrypt it.
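Added example, not code from the post: a model of the key-handling rules that close both variants of the pin block trick described above. The pin pad computes a key check value on import and refuses a key whose value already exists under a different role, allows a key to be used only for its own role, and releases the encrypted pin block once per PIN entry. The cipher and the key check value are toy stand-ins (a real pin pad derives the check value by encrypting a zero block with its block cipher, which is not modelled here), and the class and method names are made up for the example.

```python
import hashlib


def _kcv(key):
    """Toy key check value: a truncated hash of the key bytes. Its only job, like the
    real KCV, is to detect that two keys have the same value without revealing it."""
    return hashlib.sha256(b"kcv|" + key).hexdigest()[:6]


def _toy_cipher(key, block):
    """Toy stand-in for the pin pad's block cipher: XOR with a key-derived pad.
    Demonstration only, not a real cipher; encrypt and decrypt are the same operation."""
    pad = hashlib.sha256(b"pad|" + key).digest()[:len(block)]
    return bytes(a ^ b for a, b in zip(block, pad))


def iso0_pinblock(pin, pan):
    """ISO 9564 format 0 clear pin block: PIN field XOR PAN field."""
    pin_field = bytes.fromhex(f"0{len(pin)}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1])   # 12 PAN digits left of the check digit
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


class PinPadError(Exception):
    pass


class PinPad:
    """Hypothetical pin pad enforcing key-role separation and single pin block release."""
    ROLES = {"pinblock", "crypt"}

    def __init__(self):
        self._keys = {}        # name -> (role, key bytes)
        self._pending = None   # clear pin block of the current PIN entry, released once

    def import_key(self, name, role, key):
        if role not in self.ROLES:
            raise PinPadError(f"unknown key role {role!r}")
        kcv = _kcv(key)
        # Reject a key value that is already loaded under another role: this is what
        # stops a "crypt" key from being a copy of the "pinblock" key.
        for other, (other_role, other_key) in self._keys.items():
            if other_role != role and _kcv(other_key) == kcv:
                raise PinPadError(f"key value already loaded as {other!r} with role {other_role!r}")
        self._keys[name] = (role, key)

    def enter_pin(self, pin, pan):
        """Customer PIN entry; the clear block never leaves the device."""
        self._pending = iso0_pinblock(pin, pan)

    def get_pinblock(self, key_name):
        """Encrypt the pending pin block with a pinblock-role key, at most once per entry."""
        role, key = self._keys[key_name]
        if role != "pinblock":
            raise PinPadError("key is not a pinblock key")
        if self._pending is None:
            raise PinPadError("no PIN entry pending; pin block already released")
        block, self._pending = self._pending, None
        return _toy_cipher(key, block)

    def decrypt(self, key_name, data):
        """General crypt operation, permitted only with a crypt-role key."""
        role, key = self._keys[key_name]
        if role != "crypt":
            raise PinPadError("key is not a crypt key")
        return _toy_cipher(key, data)


def rejected(fn, *args):
    """True if the pin pad refused the operation (used in the demo and tests)."""
    try:
        fn(*args)
        return False
    except PinPadError:
        return True


if __name__ == "__main__":
    pad = PinPad()
    k1 = bytes(range(16))
    pad.import_key("K1", "pinblock", k1)
    print("same value under crypt role rejected:", rejected(pad.import_key, "K2", "crypt", k1))
    pad.enter_pin("1234", "4111111111111111")
    pb = pad.get_pinblock("K1")
    print("second pin block for one entry rejected:", rejected(pad.get_pinblock, "K1"))
    print("decrypt with the pinblock key rejected:", rejected(pad.decrypt, "K1", pb))
```

With these three checks the two ways in described in the post are closed: the duplicate key with a different role is never admitted, the pin block is not handed out a second time, and the pinblock key cannot be turned around and used for decryption. A crypt key with a different value can still be imported, but decrypting the released pin block with it does not recover the clear block.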
Moral: if someone has access to your ATM, the ATM is fucked. Proper fucked.
PS: you may find source code for this article on bankir.ru forum (of course, if you know where to look for, anyway, it can be googled).

Wednesday, February 6, 2008

chunga changa
I got hammered
chunga changa
how shitty I feel

Wednesday, January 9, 2008

Being on vacation I didn't smoke, not even while drunk. Coming back into the office, I rushed to light up a Gitanes right after reading the mail.

Sunday, December 9, 2007

movable fest

How good it is to knock back some martini with vodka. Especially in the daytime. Especially on a Sunday.

Monday, December 3, 2007

the fight with Vista

In the beginning there was an Acer Travelmate 6292, and this Acer had inside it a very pretty Vista that ate 600 megs of RAM while sitting idle. Seeing these sad facts, I went to the site and found some drivers for XP. From now on Vista no longer lives on the Acer.

Good day

I intend to stake out a little spot for myself here.