首页 > 其他分享 >BadBarcode 条形码漏洞

BadBarcode 条形码漏洞

时间:2023-04-07 14:33:45浏览次数:50  
标签:条形码 vulnerability laser BadBarcode barcode 漏洞 attack vulnerable

BadBarcode Vulnerability

BadBarcode is a design flaw widely exists in barcode reading devices, which could be exploited to hack into host computers that connect to a barcode scanner. Currently almost all the barcode scanners are designed to work in Keyboard Simulation Mode, or support multiple modes but can be switched into Keyboard Simulation Mode by scanning a barcode. Also, symbologies like Code 128PDF417 and QR code can encode Ctrl key combinations. As a result, attacker can send key combinations to host computer by scanning one or one set of crafted barcode, to open system common dialogs, and possibly execute arbitrary command.

Many barcode scanner manufacturers also support proprietary customization features in their products. By utilizing these features, attacker can send system hotkeys by scanning a barcode, for example sending "Win+R" to bring up the Run dialog, which makes it much easier to achieve the attack.

For laser barcode scanners, attacker can also use a beam of fast flashing laser to emulate a barcode. Theoretically, it is possible to conduct this attack from 1000 meters away.


Q & A

Is BadBarcode a bug?

BadBarcode is not an implementation bug but a design flaw. Symbologies such as Code 128 supports encoding control characters, and devices work in Keyboard Simulation Mode. These two seemingly logical designs, when combined, become a security vulnerability.

 

Is the BadBarcode attack only effective in short distance?

Not exactly. For laser barcode scanner, attacker can use laser beam to conduct long-distance attacks. Attackers can also tamper with barcode displayed on user's cellphones via network penetration.

What does BadBarcode attack look like?

Scan QR code on a cellphone, resulting in an application download and execution:

 

BadBarcode attack via laser beam:


Note: the red light spot on the table is from laser device rather than the barcode scanner.

Which operating systems are vulnerable to BadBarcode?

BadBarcode is OS independent. Any OS could be vulnerable to this attack as long as there are hotkeys that can perform privileged operations. These privileged operations are not limited to command execution, they can also be manipulating application input, like modifying discount value in POS system.

Which barcode scanners are vulnerable to BadBarcode?

In theory, any barcode scanner that works in Keyboard Simulation mode and supports any one of the Code 128 / PDF417 / QR code symbologies that can encode control characters is vulnerable. In other words, it means that vast majority of barcode scanners in the world are vulnerable. The models we tested and confirmed to be vulnerable are listed below:

Motorola/Zebra LS3578
Honeywell(Intermec) SG20B
Datalogic GBT4400
Denso SE1-QB
Sick IDM160PDF BT PS/2 Kit
Cognex DataMan8600
Fujian Newland HR3220-SV
Opticon OPL-9813
Cipherlab 1564A
Code CR2600
KOAMTAC KDC450
WASP WWS850
Socket SocketScan 10
Unitech MS910
Mindeo MD2000
Access IS LSR120

Who found the BadBarcode vulnerability?

The BadBarcode research was a collaboration between Yang Yu (@tombkeeper) and Hyperchem Ma, both from Tencent's Xuanwu Lab.

When was BadBarcode vulnerability disclosed?

We disclosed this vulnerability at the following conferences:

GeekPwn held on October 25, 2015 in Shanghai, China

PacSec held on November 12, 2015 in Tokyo, Japan

Is there any CVE ID for BadBarcode?

We requested a CVE ID, but got the following response from MITRE:

"The vulnerability for which you requested a CVE ID does not affect a product that is in scope for CVE at this time, and so it cannot be assigned a CVE ID."

How to fix BadBarcode vulnerability?

Ctrl key combinations and manufacturers' proprietary customization features are not needed in most situation. We suggest manufacturers disable these features by default in future product release and firmware updates, and make sure they can only be enabled from host computer.

We had tried contacting some of the vendors and encourage them to fix the BadBarcode vulnerability, but they seem lacking enough incentive to address this, possibly because this is a widespread issue affecting the entire industry. We suspect this issue will continue to exist for a very long time.

How to mitigate this vulnerability if you have to use a vulnerable scanner?

You can disable privileged operations hotkey in both operating system and application, such as "Ctrl+Esc" and "Win+R" in Windows.

标签:条形码,vulnerability,laser,BadBarcode,barcode,漏洞,attack,vulnerable
From: https://www.cnblogs.com/faxiaoyu/p/17296047.html

相关文章

  • 威纶通与三菱PLC条码枪解码程序本程序是威纶通触摸屏USB接头直接插条形码扫码枪,得到的
    威纶通与三菱PLC条码枪解码程序本程序是威纶通触摸屏USB接头直接插条形码扫码枪,得到的数据传送到PLC中进行解码,转化成为PLC能识别的十进制,用于需要使用扫码枪设定数据是非常实用,当然带485通信的扫码枪直接与PLC通信不需要这一步,到时带485枪比较贵,普通的USB就100左右,带串口的通常上......
  • 简析反序列化漏洞
    反序列化漏洞反序列化漏洞一、漏洞原理相关概念什么是序列化与反序列化?漏洞成因常见魔术方法总结二、漏洞危害三、漏洞出现场景四、检测方法五、防御六、漏洞复现一、漏洞原理相关概念什么是序列化与反序列化?序列化:把对象的状态信息转换为可以存储或传输的形式的过程,一般......
  • 小皮1-click漏洞的代码审计学习笔记
    漏洞简介漏洞起源于前段时间比较火的小皮1-click漏洞,用户名登录处缺少过滤,导致可以直接构造恶意payload实现存储型XSS,结合小皮本身所具有的计划任务,XSS+CSRF实现了RCE。因为用户名登录处缺少过滤,所以可以尝试SQL漏洞。环境搭建windows上实际操作了一下,不方便进......
  • 堆块chunk介绍及unlink漏洞利用原理
    堆块chunk介绍及unlink漏洞利用原理chunk结构当进程动态分配内存时,系统会在堆中创建一个chunk(堆块)。chunk包含chunk头和chunk体两部分chunk头中有两个字段:prev_size:前一个chunk的size,前指的之前分配的内存,也就是低地址相邻的chunksize:当前chunk的size,size字段的低3位A,M,P不......
  • golang CVE-2016-2183漏洞,https需要添加tls设置加密算法CipherSuites白名单,将弱加密算
    golangCVE-2016-2183漏洞,https需要添加tls设置加密算法白名单,将弱加密算法DES和3DES去掉。服务端样例代码packagemainimport("crypto/tls""fmt""net/http")funchandler(writerhttp.ResponseWriter,request*http.Request){fmt.Fprintf(wri......
  • 文件包含漏洞
    文件包含渗透1.项目实验环境2.原理及危害文件包含漏洞:即FileInclusion,意思是文件包含(漏洞),是指当服务器开启allow_url_include选项时,就可以通过php的某些特性函数(include(),require()和include_once(),require__once())利用ur1去动态包含文件,此时如果没有对文件来......
  • 文件上传漏洞
    文件上传漏洞原理1、文件上传(FileUpload)是大部分web应用都具备的功能,例如用户上传附件、修改头像、分享图片/视频等2、正常的文件一般是文档、图片、视频等,Web应用收集之后放入后台存储,需要的时候再调用出来返回3、如果恶意文件如PHP、ASP等执行文件绕过Web应用,并顺......
  • 04_靶机Kioptrix1.2:CMS漏洞利用,使用ht编辑器修改sudoers文件提权,mysql查询
    思路:发现主机后进行目录扫描,发现登录口标注了CMS的版本,查看该类型CMS有没有漏洞,针对漏洞去github搜索脚本,拿到脚本后运行得到靶机的初级Shell,根据靶机内的文件内容指示使用ht编辑器,利用编辑器去修改用户的权限然后提权,拿到root权限结束基操代码不再粘贴首先进行目标靶机地址的......
  • 漏洞丨CVE20102883
    作者丨黑蛋一、漏洞描述此漏洞编号CVE-2010-2883,看着是一个很简单的栈溢出漏洞,但是也要看怎么玩了。这个漏洞是AdobeAcrobatReader软件中CoolType.dll在解析字体文件SING表中的uniqueName字段的调用了strcat函数,但是对参数没有做出判断,没有检查uniqueName字段长度,导致了栈溢出......
  • PfSense pfBlockerNG 未授权RCE漏洞(CVE-2022-31814)
    PfSensepfBlockerNG未授权RCE漏洞(CVE-2022-31814)概述PfSense系统的插件pfBlockerNG引起的未授权RCE漏洞pfSense是一个基于FreeBSD操作系统开发的防火墙和路由器软件......