Did I discover a bug when reading a Desfire EV2 file with the Proxmark 3 RDV4? (stack smashing detected error)

I purchased a Desfire EV2 card to see if I want to implant the Flex version. I’m reading documentation on the tag and I’m testing commands on my Proxmark that contains Iceman firmware. The firmware is up-to-date.

[ Proxmark3 RFID instrument ]

MCU....... AT91SAM7S512 Rev B
Memory.... 512 KB ( 67% used )

Client.... Iceman/master/v4.16191-304-g3bc472c9b 2023-04-18 15:19:44
Bootrom... Iceman/master/v4.16191-304-g3bc472c9b 2023-04-18 15:19:44 
OS........ Iceman/master/v4.16191-304-g3bc472c9b 2023-04-18 15:19:44 
Target.... RDV4

I can list files on AID 000001 okay.

[usb] pm3 → hf mfdes lsfiles --aid 000001
[=] ------------------------------------------ File list -----------------------------------------------------
[+] ID |ISO ID| File type | Mode | Rights: raw, r w rw ch | File settings
[+] ----------------------------------------------------------------------------------------------------------
[+] 01 | e103 | 0x00 Standard data | Plain | eeee, free free free free | Size 15 / 0xF
[+] 02 | e104 | 0x00 Standard data | Plain | eeee, free free free free | Size 7680 / 0x1E00

I can read file ID 01 okay.

[usb] pm3 → hf mfdes read --aid 000001 --fid 01
[=] ------------------------------- File 01 data -------------------------------
[+] Read 15 bytes from file 0x01 offset 0
[=] Offset | Data | Ascii
[=] ----------------------------------------------------------------------------
[=] 0/0x00 | 00 0F 20 00 3B 00 34 04 06 E1 04 1E 00 00 00 | … .;.4…

When I try to read file ID 02, I get a “stack smashing detected” error and PM3 crashes.

[usb] pm3 → hf mfdes read --aid 000001 --fid 02
[=] ------------------------------- File 02 data -------------------------------
*** stack smashing detected ***: terminated
./pm3: line 250: 566106 Aborted (core dumped) CLIENT "@"

Anyone happen to know why this could be happening?

I did write to the card with NFC Tools.

I’m too sleepy to write a coherent reply but it sounds like a buffer overflow…


Yeah, that’s what I was thinking. I’ll report the issue on their GitHub after playing around with it for a bit.

I think I have over 7kb in the NDEF application. I may be saying that wrong since this stuff is new to me. I’m assuming that’s what “Size 7680” means for file id 2.
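The "*** stack smashing detected ***" message is what glibc's stack protector prints when a function has written past the end of a fixed-size buffer on its stack and overwritten the canary placed after it, and the 15-byte file succeeding while the 7680-byte file aborts is consistent with that. The following is an added illustration and not Proxmark code, nor a claim about where in the client the defect is: a hypothetical receive routine with a 4096-byte buffer (a constructed size, chosen to sit between the two file sizes in the thread), shown first as the unchecked pattern that would trip the protector on a 7680-byte read, and then as a checked version that splits the read into buffer-sized requests and rejects a destination that is too small instead of truncating silently. The simulated card, its 7680-byte file contents and the `card_read` helper are all constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RX_BUF_SIZE 4096      /* hypothetical fixed receive buffer size, for illustration only */
#define CARD_FILE_SIZE 7680   /* size of file 02 reported by "hf mfdes lsfiles" in the thread */

/* Constructed stand-in for the card: file 02 filled with a repeating byte pattern. */
static uint8_t card_file[CARD_FILE_SIZE];

void init_card_file(void) {
    for (size_t i = 0; i < CARD_FILE_SIZE; i++) {
        card_file[i] = (uint8_t)(i & 0xFF);
    }
}

/* Simulated "read <len> bytes at <offset>" card command. Copies into out and
 * returns the byte count, or 0 when the request falls outside the file. */
size_t card_read(size_t offset, size_t len, uint8_t *out) {
    if (out == NULL || offset > CARD_FILE_SIZE || len > CARD_FILE_SIZE - offset) {
        return 0;
    }
    memcpy(out, card_file + offset, len);
    return len;
}

/* Unchecked pattern: asks the card for the whole file in one request and lets it
 * land in a stack buffer that may be smaller than the file. With file_size 7680
 * and a 4096-byte buffer the copy runs past the buffer and over the canary, which
 * is exactly what glibc's -fstack-protector reports as "stack smashing detected".
 * Kept here for contrast; nothing in this file calls it with an oversized input. */
size_t read_file_unchecked(size_t file_size) {
    uint8_t buf[RX_BUF_SIZE];
    return card_read(0, file_size, buf);   /* no bound: overflow when file_size > sizeof(buf) */
}

/* Checked pattern: every request is capped at the receive buffer size, the
 * card's reply length is validated before it is copied out, and a destination
 * that cannot hold the file is rejected up front. Returns bytes read, or 0. */
size_t read_file_checked(size_t file_size, uint8_t *dst, size_t dst_size) {
    uint8_t buf[RX_BUF_SIZE];
    if (dst == NULL || file_size > dst_size) {
        return 0;                                   /* refuse rather than truncate */
    }
    size_t done = 0;
    while (done < file_size) {
        size_t want = file_size - done;
        if (want > sizeof(buf)) {
            want = sizeof(buf);                     /* never ask for more than fits */
        }
        size_t got = card_read(done, want, buf);
        if (got == 0 || got > want) {
            return 0;                               /* empty or oversized reply: abort the read */
        }
        memcpy(dst + done, buf, got);
        done += got;
    }
    return done;
}

/* Reads the whole 7680-byte file through the 4096-byte buffer and returns the
 * byte count if the reassembled copy matches the card contents, otherwise 0. */
size_t demo_read_large_file(void) {
    static uint8_t out[CARD_FILE_SIZE];
    init_card_file();
    size_t n = read_file_checked(CARD_FILE_SIZE, out, sizeof(out));
    return (n == CARD_FILE_SIZE && memcmp(out, card_file, n) == 0) ? n : 0;
}

/* Shows the up-front rejection: a 1024-byte destination cannot hold the file. */
size_t demo_reject_small_destination(void) {
    uint8_t out[1024];
    init_card_file();
    return read_file_checked(CARD_FILE_SIZE, out, sizeof(out));
}

int main(void) {
    printf("large file read intact: %zu bytes\n", demo_read_large_file());
    printf("small destination rejected (0 expected): %zu\n", demo_reject_small_destination());
    return 0;
}
```

Compiling with `-fstack-protector-all` and calling `read_file_unchecked(7680)` would reproduce the abort message seen in the thread; the checked routine reads the same file cleanly because no single copy into the stack buffer can exceed its size.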