In memory of Ben “bushing” Byer, who passed away on Monday, February 8th, 2016.

Difference between revisions of "Signing bug"

From WiiBrew
Jump to navigation Jump to search
(Do we really need to stretch the truth about this stuff? Clarifying current existence of the bug.)
(henke: plz 2 not delete my text and replace it with errors kthx)
Line 1: Line 1:
Here is an extremely concise example of the same type of bug that exists on most versions of IOS, excluding a few that had been updated by [[June16 update|the June 16th, 2008 Wii Software Upgrade]]:
+
Here is a pseudocode implementation the shows the hash-comparison bug present in some versions of IOS:
 +
<source lang=c>
 +
struct rsa_cert {
 +
    u32 key_id;
 +
    char rsa_signature[1024];
 +
    char metadata[32];
 +
    char content_hash[20];
 +
};
  
char *hash1=hash(realstuff);
+
int verify_cert (struct rsa_cert cert) {
+
  char *cert_hash=SHA1(cert.metadata + cert.content_hash);
invalid=strncmp(hash1,signaturehash,HASHLENGTH);
+
  char *sig_hash=rsa_decrypt(cert.rsa_signature, cert.key_id);
 
if(invalid!=0) {
 
  pretendItsNotAWiiDisc();
 
}
 
  
 +
  if (strncmp(cert_hash, sig_hash, SHA1_LENGTH) == 0) {
 +
    return CERT_OK;
 +
  } else {
 +
    return CERT_BAD;
 +
  }
 +
}
 +
 +
int is_a_valid_disc(struct rsa_cert cert, char *disc_hash) {
 +
  if(memcmp(disc_hash, cert.content_hash, SHA1_LENGTH) != 0)  {
 +
    return DISC_BAD;
 +
  }
 +
 +
  if(verify_cert (cert) == CERT_BAD) {
 +
    return DISC_BAD;
 +
  } else {
 +
    return DISC_OK;
 +
  }
 +
}
 +
</source>
 
      
 
      
The bug here is that the hash can (and likely does) contain a NULL byte, (chr)0 that is.
+
The bug here is that cert_hash may contain a NULL byte ('\0').
 
To quote from the first google hit for strncmp:
 
To quote from the first google hit for strncmp:
  
Line 18: Line 40:
 
This last part means that if it finds a NULL byte, it stops comparing, '''even if there is more data after the NULL'''.
 
This last part means that if it finds a NULL byte, it stops comparing, '''even if there is more data after the NULL'''.
  
This reduces the effective length of the hash to the number of bytes before the NULL byte. This means that the difficulty of finding a hash collision is reduced from 2^(HASHLENGTH*8) to 2^(bytes before the null * 8). That is a big change if the NULL is early in the hash. Assuming the NULL is at the 5th byte, that means that there is a one in 2^(4*8) chance that the hash matches, or one in 4 294 967 296, fairly computable within a reasonable time frame on a current computer that can try a few million hash inputs each sec.
+
This reduces the effective length of the hash to the number of bytes before the NULL byte, and the difficulty of finding a hash collision is reduced from 2^(HASHLENGTH*8) to 2^(bytes before the null * 8). That is a big change if the NULL is early in the hash. Assuming the NULL is at the 5th byte, that means that there is a one in 2^(4*8) chance that the hash matches, or one in 4 294 967 296, fairly computable within a reasonable time frame on a current computer that can try a few million hash inputs each sec.
 
 
Now, it would require a signed contents that begins with a null to completely bypass the checking. Normally, that would mean a need to find an existing signed content that can be exploited. But, the hashing function has an important behavior, with only null bytes as the input, the hash is only null bytes. Given that we control all the hashed data and can safely set it all to null, we don't even need to piggyback on something that Nintendo have already signed.
 
  
 
tmbinc has a more thorough explanation [http://debugmo.de/?p=61 here].
 
tmbinc has a more thorough explanation [http://debugmo.de/?p=61 here].

Revision as of 06:55, 16 July 2008

Here is a pseudocode implementation the shows the hash-comparison bug present in some versions of IOS: 

struct rsa_cert {
    u32 key_id;
    char rsa_signature[1024];
    char metadata[32];
    char content_hash[20];
};

int verify_cert (struct rsa_cert cert) {
  char *cert_hash=SHA1(cert.metadata + cert.content_hash);
  char *sig_hash=rsa_decrypt(cert.rsa_signature, cert.key_id);

  if (strncmp(cert_hash, sig_hash, SHA1_LENGTH) == 0) {
     return CERT_OK;
  } else {
     return CERT_BAD;
  }
}

int is_a_valid_disc(struct rsa_cert cert, char *disc_hash) {
   if(memcmp(disc_hash, cert.content_hash, SHA1_LENGTH) != 0)  {
     return DISC_BAD;
   }

   if(verify_cert (cert) == CERT_BAD) {
     return DISC_BAD;
   } else {
     return DISC_OK;
   }
}

The bug here is that cert_hash may contain a NULL byte ('\0'). To quote from the first google hit for strncmp:

"Compares up to num characters of the C string str1 to those of the C string str2. This function starts comparing the first character of each string. If they are equal to each other, it continues with the following pairs until the characters differ, until a terminating null-character is reached, or until num characters match in both strings, whichever happens first."

This last part means that if it finds a NULL byte, it stops comparing, even if there is more data after the NULL.

This reduces the effective length of the hash to the number of bytes before the NULL byte, and the difficulty of finding a hash collision is reduced from 2^(HASHLENGTH*8) to 2^(bytes before the null * 8). That is a big change if the NULL is early in the hash. Assuming the NULL is at the 5th byte, that means that there is a one in 2^(4*8) chance that the hash matches, or one in 4 294 967 296, fairly computable within a reasonable time frame on a current computer that can try a few million hash inputs each sec.

tmbinc has a more thorough explanation here.

Retrieved from "https://wiibrew.org/w/index.php?title=Signing_bug&oldid=18391"