Mozilla Falls To RSA Forgery Attack
Thomas Ptacek | September 14th, 2006 | Filed Under: Defenses, New Findings, Uncategorized
Marius comments, informing us of the advisory for Firefox, Thunderbird, and SeaMonkey: Mozilla’s independent implementation of RSA and X.509 also fails to validate signatures properly. We reported this to Mozilla as well, last week, but it was an obvious problem and Philip and Marius beat us by a mile (though in all fairness: Marius is smarter than me; properly handicapped, we crushed him).
Philip Mackenzie and Marius Schilder of Google informed us of Daniel Bleichenbacher’s recent presentation of a common implementation error in RSA signature verification, a failure to account for extra data in the signature. For signatures with exponent 3 it is possible for an attacker to calculate a value for this extra data to make an altered message appear to be correctly signed, allowing the signature to be forged. Mozilla’s Network Security Services (NSS) library was vulnerable to this flaw.
The impact of this advisory: People can forge SSL certificates to unpatched Firefox. Get your mom to upgrade right now.
It’s important to note that this summary is probably wrong: the problem is not with exponent-3 signatures as such, it’s with failing to verify all the signature bits. There are plausible attack scenarios for larger exponents. Fortunately, the root CA certs all use either 3 or 65537, and the latter is probably not exploitable in practice (you’d need huge moduli).
Nice catch, Philip and Marius.
We’ve been covering this for over a week. Now’s a good time to catch up:
We explained a simple way attackers could manipulate the PKCS#1 signature block to insert an arbitrary SHA1 hash into a certificate that would validate.
We pointed out what Ben Laurie said on the cryptography mailing list, that DNSSEC fell to this attack, bringing the Internet to its hypothetical knees.
With Nate Lawson, we discussed what makes public key crypto hard from an implementer’s standpoint, and why safe public key makes eradicating buffer overflows seem easy.
Also with Nate, we explained some of the math behind manipulating “short” signature values so that verifiers would expand them to bit patterns that trap verifiers into believing they’re message digests.
Later tonight, we’ll post the fourth in the series, discussing the various ways people might attempt to fix the problem, and why the simplest solution in this case is also the right one.
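To make concrete what “failing to verify all the signature bits” means, here is an added Python example (not code from this post or from NSS) that puts the lenient PKCS#1 v1.5 check next to the full-block check. It assumes SHA-1 and a 1024-bit modulus; `malformed_em` is a constructed test vector with filler after the digest, not a signature value, and it is only there to show which block a verifier must reject.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1)
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def em_from_signature(sig: int, n: int, e: int) -> bytes:
    """Recover the block EM = sig^e mod n, left-padded to the modulus length k."""
    k = (n.bit_length() + 7) // 8
    return pow(sig, e, n).to_bytes(k, "big")


def encode_em(msg: bytes, k: int) -> bytes:
    """Build the PKCS#1 v1.5 block 00 01 FF..FF 00 DigestInfo for a k-byte modulus."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def lenient_verify(em: bytes, msg: bytes) -> bool:
    """The flawed check: parse left to right, compare the digest, never look past it."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:      # any number of FF bytes is accepted
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    if em[i:i + len(SHA1_DIGESTINFO_PREFIX)] != SHA1_DIGESTINFO_PREFIX:
        return False
    i += len(SHA1_DIGESTINFO_PREFIX)
    return em[i:i + 20] == hashlib.sha1(msg).digest()   # bytes after the hash are ignored


def strict_verify(em: bytes, msg: bytes) -> bool:
    """The fix: rebuild the whole expected block and compare every byte of it."""
    return hmac.compare_digest(em, encode_em(msg, len(em)))


def malformed_em(msg: bytes, k: int, padding_len: int = 8) -> bytes:
    """Constructed test vector: too-short padding, a correct DigestInfo, then filler
    bytes the lenient parser never inspects. Not a signature, only the block shape
    a verifier must reject."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    head = b"\x00\x01" + b"\xff" * padding_len + b"\x00" + t
    return head + b"\x00" * (k - len(head))
```

The lenient verifier accepts both the well-formed block and the constructed one; the strict verifier accepts only the well-formed block, which is the one-line fix the next post argues for.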