119
edits
Changes
Jump to navigation
Jump to search
Line 114:
Line 114: + + + + + + + + + + + + +
→Hardware: sighax
| February 7, 2017
| February 7, 2017
| [[User:Yellows8|Yellows8]]
| [[User:Yellows8|Yellows8]]
|-
| sighax: Boot9 improper PKCS #1 v1.5 signature validation
| The [[Flash_Filesystem|FIRM partitions]] are signed with RSA-2048 using SHA-256 and PKCS #1 v1.5 padding. Boot9, however, does improper validation of the padding in three ways:
# Boot9 permits block type 02, meant for encrypted messages, to be used for signatures. Only 01, for signatures, should have been permitted. As a result, a signature block is not required to have a long string of FF bytes as padding, but rather any random values suffice. While correct for encryption, this severely lessens security of signatures.
# Boot9 does not require that the length of the padding fill out the signature block completely. As a result, there is considerable freedom in the layout of a signature.
# Boot9 fails to do bounds checking in its parsing of the DER-encoded hash algorithm type and hash value; the length values given in DER are permitted to point outside the signature block.
Flaw 3 allows the DER encoding to be such that boot9 believes that the signature's hash value is outside the range of the block itself, somewhere on the stack. This can be pointed at the correct hash value it computes. Boot9 then memcmp's the calculated hash against itself, and thinks that the hash is valid.
When all three flaws are combined, a brute force in a reasonable amount of time can find a signature that passes all checks.
| None
| New3DS
| November 2015
| [[User:Derrek|derrek]]
|}
|}