Listen to this Post
The vulnerability exists within the `ReadFile()` function of the gmrtd library, which processes BER-TLV encoded data from NFC/APDU sources via a Transceiver interface. In BER-TLV encoding, a Tag-Length-Value (TLV) object’s length can be encoded in short or long form. The flawed implementation did not enforce a maximum bound on the value of the long-form length field. A malicious or non-compliant NFC endpoint could craft a TLV object advertising an extremely large length value (e.g., up to 4 gigabytes). When `ReadFile()` processes this adversarial input, it enters a loop attempting to read the declared amount of data. This causes the library to perform a massive number of read iterations and allocate excessive memory to hold the anticipated payload, leading to severe CPU consumption, memory exhaustion, and indefinite application hangs, resulting in a Denial of Service.
Platform: gmrtd
Version: prior v0.17.2
Vulnerability : Unbounded TLV DoS
Severity: Critical
date: N/A
Prediction: Fixed v0.17.2
What Undercode Say:
Check current gmrtd version
go list -m github.com/ebfe/gmrtd
Simulative code snippet showing unbounded length parsing (conceptual)
func parseTLV(data []byte) {
lengthByte := data[bash]
if lengthByte & 0x80 { // Long-form
numBytes := lengthByte & 0x7F
// Missing bounds check on numBytes here
length = parseMultiByteLength(data[2:2+numBytes]) // Can be huge
}
// Allocate buffer for 'length' -> Potential exhaustion
buffer := make([]byte, length)
}
Post-fix, length is validated against a constant MAX_TLV_LENGTH
How Exploit:
Malicious NFC endpoint transmits BER-TLV data with an excessively large value in the long-form length field (e.g., 0x84FFFFFF). The victim application using gmrtd’s `ReadFile` attempts to process it, triggering resource exhaustion loops.
Protection from this CVE:
Upgrade to v0.17.2. Implement strict input validation for TLV length fields in any custom parsers. Use library-enforced maximum read limits.
Impact:
Application Denial-of-Service. CPU and memory resource exhaustion. Application hang/crash.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

