-
Notifications
You must be signed in to change notification settings - Fork 178
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
buffer overflow in PKCS1v1.5 signature verification #155
Comments
@dfaranha: Following up on this issue, I guess the buffer overflow issue has not been properly addressed yet. In short, I think this issue stems from failing to check the tailing garbage bytes. Detailed root cause. The implementation does not check that after the hash value bytes, there are no tailing garbage bytes. Once Reference notation
Parameter settings
Examples
|
You are absolutely right, and I have pushed a new fix attempting to solve this. |
Actually besides the problems mentioned in #154, there seems to be additional problems in the PKCS1v1.5 signature verification code that can lead to a buffer overflow attack.
Although the variable
pad_len
is set according to prior knowledge on line 965, it will actually be overwritten on line 1000 by the call topad_pkcs1()
.And because
pad_pkcs1()
doesn't require that the padding is 1) at least 8-byte long; 2) long enough so that there'd be no extra trailing bytes after the hash value, the value ofpad_len
can be set to a really small number when given a malformed signature with really short padding. Then on line 1013 it is possible to havesize - pad_len
to be a really large value, larger than the size ofh1
allocated on line 949, which can lead to a buffer overflow.Similar problems of not requiring a padding with appropriate length was found in some other implementations before, and that can usually be exploited for signature forgery (like in Bleichenbacher's original attack). However, in this case it will induce a buffer overflow instead because of how
pad_len
was used to calculate the size of a subsequent buffer write (though I suspect the variableresult
might be set toRLC_EQ
after line 1033).Here's a proof-of-concept code demonstrating the problem, which should give a Segmentation Fault upon the completion of the signature verification:
The text was updated successfully, but these errors were encountered: