[Simsec] Do these two SIMs have MSL=0 for some TARs?

Lukas Kuzmiak lukas at srlabs.de
Sat Jan 4 17:50:15 CET 2014

Hi Ondrej,

the AppDeSelect bug is fixed in SIMTester v1.5 [1], thanks to your report, this should not be a problem anymore - it has most probably been caused by the SIM card not supporting the command, so if the command fails once it’s being skipped in order to continue with the scan. Not being able to process messages from fuzzer16 is also a sign of card not really following the standard.

The Vinaphone card returns SW 9000 on INSTALL [for load] APDU, usually the response should be 6101 to be able to continue with the loading of the applet to the card, it’s not possible to tell whether the card would allow it or not based on 9000 response, however feel free to try this yourself, more info can be found in TS 102226 and/or TS 102221. Basically you have to issue a INSTALL [for LOAD] APDU, if card accepts that, go ahead with LOAD APDU(s) to transfer actual applet data and then issue INSTALL [for INSTALL] command to create an instance of the package you’ve downloaded.

For Vodafone CZ card most of the applet TARs seem proprietary and it is not known what the applets are for. Unfortunately it is not possible to scan available APDU(s) on the TARs as none of the TARs provide additional response data and therefore it is impossible to differentiate between successful and unsuccessful APDU/command.

Thanks for your bug submission and feel free to post a follow-up if you decide to research the MSL 0x00 potential.


[1] - https://opensource.srlabs.de/projects/simtester

Lukas Kuzmiak
Security Research Labs

On 03 Jan 2014, at 14:30, Ondrej Mikle <ondrej.mikle at gmail.com> wrote:

> Hi,
> I've found two SIMs that seem to have interesting properties.
> First one is Vinaphone VN SIM (partial fuzz at [0]), which seems to have card manager TAR 000000 totally unlocked. However, I'm not 100% sure since it requires me to comment out 'Fuzzer.applicationDeselect()' - the SIM simply won't handle the "00 A4 04 00 00" APDU and ends up in "card not transacted state". On a side note it also won't handle fuzzer16 and stops responding (even if fuzzer16 is run alone, hence the incomplete fuzz csv). 
> Am I interpreting the fuzz results correctly that TAR 000000 is not protected at all, which would allow unauthenticated app installation?
> Second fuzz [1] for Vodafone CZ card is a bit less interesting. Though if I understand correctly, it has some proprietary TARs 443231, 505348, 534054, EED201, EEE201 that are not protected, correct? Though no idea what those TARs do.
> [0] https://www.constructibleuniverse.net/sim/Vinaphone_VN_FUZZ_89840200021115721554_1388696295162.csv
> [1] https://www.constructibleuniverse.net/sim/Vodafone_CZ_FUZZ_8942031013122766943_1388658485311.csv
> Regards,
> Ondrej
> _______________________________________________
> Simsec mailing list
> Simsec at lists.srlabs.de
> https://lists.srlabs.de/cgi-bin/mailman/listinfo/simsec

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.srlabs.de/pipermail/simsec/attachments/20140104/324ecb44/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4127 bytes
Desc: not available
URL: <http://lists.srlabs.de/pipermail/simsec/attachments/20140104/324ecb44/attachment.bin>

More information about the Simsec mailing list