1.3 onward, including ISO 19005-1:2005 (PDF/A-1) and ISO 32000-1:2008
(equivalent to PDF 1.7), ostensibly defines a mechanism for digitally
signing a document's contents so as to integrate cryptographic
authentication of a document's contents into the existing container
format. A common use of this mechanism is for the creation of supposedly
non-repudiable signatures on legal documents, including scenarios where
digital signatures are mandated by law.
This advisory shows how a signed PDF document can be constructed in such a
way that its appearance can be changed without necessarily invalidating the
signature.
Dear Mr. Naujoks,
yes, I can see your point, too.
I totally agree that users need to be educated, but I still think
that MS Office shall take a share to educate and inform users of
their digital signature's scope.
From: "Naujoks, Hans-Dietmar" <Hans-Dietmar.Naujoks@tuev-sued.de>
Date: 12/14/2007 2:56:15 PM +010
> [...]
> In fact the visual clue you gave for a signed document in Word 2007
-----Original Message-----
From: Henrich C. Poehls [mailto:poehls@informatik.uni-hamburg.de]
Sent: Friday, 14 December 2007 12:08
To: Naujoks, Hans-Dietmar
Cc: bugtraq@securityfocus.com
Subject: Re: MS Office 2007: Digital Signature does not protect Meta-Data
Dear Mr. Naujoks,
thanks for the feedback.
From: "Naujoks, Hans-Dietmar" <Hans-Dietmar.Naujoks@tuev-sued.de>
> I think Microsoft does not consider metadata attached to a document as
> part of the document and so they decided not to include it in the
> content protected by the certificate.
Considering that the MetaData not protected by the signature contains
among others:
1.) Author
2.) Dates of creation and last change
3.) State Information
I do think that most people, certainly the users, would feel that this
>
> This fits the way we use attaching metadata during the process of categorization to enable retrieval of a document by means and taxonomies of the recipient, not of the author. If instead, as you seem to propose, metadata would be treated as part of the document, attaching the metadata needed for retrieval purposes would invalidate the signature of the document.
>
> Therefore this time I would go with Microsoft for their solution fits our needs and doesn't compromise the integrity protection of the document itself in any serious way. Just think of it as a sticker placed on the outside of a sealed envelope: You mustn't trust anything on the outside, just look
Dear Mr. Poehls,
I think Microsoft does not consider metadata attached to a document as part of the document and so they decided not to include it in the content protected by the certificate.
This fits the way we use attaching metadata during the process of categorization to enable retrieval of a document by means and taxonomies of the recipient, not of the author. If instead, as you seem to propose, metadata would be treated as part of the document, attaching the metadata needed for retrieval purposes would invalidate the signature of the document.
Therefore this time I would go with Microsoft for their solution fits our needs and doesn't compromise the integrity protection of the document itself in any serious way. Just think of it as a sticker placed on the outside of a sealed envelope: You mustn't trust anything on the outside, just look inside the envelope to find the information you can rely on.
Yours
H.-D. Naujoks
Microsoft Office documents can carry URLs as clickable
references. The targets of URLs given in the document
are stored in word/_rels/document.xml.rels inside
the OOXML ZIP container. Inside you will see the
hyperlink, referenced by an internal ID, together with its target.
The target can be changed without invalidating the signature.
At least in the GUI a hyperlink's target is shown to the user.
Nevertheless the signature does not reveal that it has been
changed without the signer's knowledge.
MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed
checksum with DES session keys for version 2 (RFC 4121) of the GSS-API
krb5 mechanism.
MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed
checksum for PAC signatures. Running exclusively krb5-1.8 or newer
KDCs blocks the attack.
MIT krb5 KDC (releases krb5-1.7 and newer) incorrectly accepts RFC
3961 key-derivation checksums using RC4 keys when verifying the
req-checksum in a KrbFastArmoredReq.
Cisco Unified IP Phones 7900 Series devices, also known as TNP
phones, are affected by three vulnerabilities that could allow an
attacker to elevate privileges, change phone configurations, disclose
sensitive information, or load unsigned software. These three
vulnerabilities are classified as two privilege escalation
vulnerabilities and one signature bypass vulnerability.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds available to mitigate these
vulnerabilities.
according to the Dublin Core metadata in the file
docProps/core.xml. Among this metadata
are the fields "LastModifiedBy" and "creator", together with
several others that can be displayed/changed through the
menu "Office Button -> Prepare -> Properties".
These entries can be changed without invalidating the signature.
At least under Windows operating systems this information is
also shown in the Windows file properties dialog.
III. Impact
a trusted third party, is embedded in the signed document.
II. Problem Description
The digital signature and the certificates are stored in the
ODF ZIP container in the file META-INF\documentsignatures.xml.
OpenOffice stores the public-key certificate in X.509 format
in the XML file META-INF\documentsignatures.xml.
Additionally OpenOffice replicates all the information contained
shellcode are different. Therefore, hard-coded addresses were inserted
into shellcode and this made exploits very version-dependent.
I have been working on a way around this and here is the first
iteration of just one of the solutions to the problem. It uses a
search routine to locate 4-byte signatures that occur near references
to the required addresses within the IOS image located in the "text"
memory region. The addresses are then recovered from memory and used
within the shellcode.
Cheers,
# openssl x509 -in MD5CollisionsInc.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 66 (0x42)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
Validity
Not Before: Jul 31 00:00:01 2004 GMT
Not After : Sep 2 00:00:01 2004 GMT
#2008-016 multiple OpenSSL signature verification API misuse
Description:
Several functions inside the OpenSSL library incorrectly check the result
after calling the EVP_VerifyFinal function.
This bug allows a malformed signature to be treated as a good signature
rather than as an error. This issue affects the signature checks on DSA
and ECDSA keys used with SSL/TLS.
=============================================================================
FreeBSD-SA-09:02.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL incorrectly checks for malformed signatures
Category: contrib
Module: openssl
Announced: 2009-01-07
Credits: Google Security Team
I've just got an interesting idea about how a malicious e-mail sender
could try to get a reading confirmation, unseen by the recipient,
including the IP address of the recipient. I was working on S/MIME
messages and I thought about the signature validation process, where
some of the steps could require external information (like a CRL) to
be accessed. The interesting part of it is that the location of this
information can be included in the message itself, as the PKCS#7
package can also include the certificate used to generate the
signature.
It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch. Furthermore, all DSA keys ever used
on affected Debian systems for signing or authentication purposes should
be considered compromised; the Digital Signature Algorithm relies on a
secret random value used during signature generation.
The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
distribution on 2006-09-17, and has since propagated to the testing and
current stable (etch) distributions. The old stable distribution
Multiple security vulnerabilities have been identified and fixed
in xmlsec1:
A missing check for the recommended minimum length of the truncated
form of HMAC-based XML signatures was found in xmlsec1 prior to
1.2.12. An attacker could use this flaw to create a specially-crafted
XML file that forges an XML signature, allowing the attacker to
bypass authentication that is based on the XML Signature specification
(CVE-2009-0217).
Problem Description:
A vulnerability has been found and corrected in xmlsec1:
A missing check for the recommended minimum length of the truncated
form of HMAC-based XML signatures was found in xmlsec1 prior to
1.2.12. An attacker could use this flaw to create a specially-crafted
XML file that forges an XML signature, allowing the attacker to
bypass authentication that is based on the XML Signature specification
(CVE-2009-0217).
Stack-based buffer overflow in the parse_tag_11_packet function in
fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel
before 2.6.30.4 allows local users to cause a denial of service
(system crash) or possibly gain privileges via vectors involving a
crafted eCryptfs file, related to not ensuring that the key signature
length in a Tag 11 packet is compatible with the key signature buffer
size. (CVE-2009-2406)
Heap-based buffer overflow in the parse_tag_3_packet function in
fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel
17 --listen-- 192.0.2.1 500 0 0 1011 0
17(v6) --listen-- --any-- 500 0 0 20011 0
Router#
IKE configurations that are performing certificate based
authentication will display "Rivest-Shamir-Adleman Signature" as the
authentication method in the output of the "show crypto isakmp policy"
command. This output is shown in the following example:
Router#show crypto isakmp policy
=============================================================================
FreeBSD-SA-09:04.bind Security Advisory
The FreeBSD Project
Topic: BIND DNSSEC incorrect checks for malformed signatures
Category: contrib
Module: bind
Announced: 2009-01-13
Credits: Google Security Team
Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
A flaw was found in how NTP checked the return value of signature
verification. A remote attacker could use this to bypass certificate
validation by using a malformed SSL/TLS signature (CVE-2009-0021).
The updated packages have been patched to prevent this issue.
_______________________________________________________________________
Paper Summary
============
Framework modification can be achieved by tampering with a Framework DLL and "pushing" it back into the Framework.
The process is composed of several steps, described thoroughly in the corresponding whitepaper.
It also exposes a flaw in the manner in which a .NET Framework DLL is loaded, and how it is possible to bypass its signature mechanism.
Instead of re-signing tampered DLLs with a spoofed Microsoft signature key, it was surprisingly found during this research that the modified DLL can be copied directly to the correct location in the file system, because the SN mechanism does not check the actual signature of a loaded DLL but blindly loads the DLL based on the directory name carrying the corresponding signature name.
It is important to mention that this technique does not require "full trust" permissions, which further proves that the GAC / CAS protection mechanisms are broken.
This paper also introduces ".Net-Sploit", a new tool for building MSIL rootkits that enables the user to inject a preloaded/custom payload into the Framework core DLL.
internally. This may happen at program startup or through the "Check for
Updates" link often provided in the Help menu of such applications.
Note also that, in addition to the above flaw, there also appear to be flaws
in the implementation and use of these services. It has also been noted that
vendors largely appear to ignore the apparent signature capabilities of the
product to provide cryptographic signatures for the actual executable update
files that are downloaded and executed -- largely over HTTP. This implies
additional paths of code execution using the MiTM techniques mentioned. These
paths have not been explored in depth, but appear to exist due to the lack of
signature information in updates. The update information itself is not
Summary
=======
The Cisco IOS Intrusion Prevention System (IPS) feature contains a
vulnerability in the processing of certain IPS signatures that use
the SERVICE.DNS engine. This vulnerability may cause a router to
crash or hang, resulting in a denial of service condition.
Cisco has released free software updates that address this
vulnerability. There is a workaround for this vulnerability.
Stack-based buffer overflow in the parse_tag_11_packet function
in fs/ecryptfs/keystore.c in the eCryptfs subsystem allows local
users to cause a denial of service (system crash) or possibly gain
privileges via vectors involving a crafted eCryptfs file, related
to not ensuring that the key signature length in a Tag 11 packet is
compatible with the key signature buffer size. (CVE-2009-2406)
Multiple integer signedness errors in the TIPC implementation allow
local users to gain privileges via a crafted sendmsg call that
triggers a heap-based buffer overflow, related to the tipc_msg_build
Debian-specific: no
CVE ID : CVE-2011-2516
Debian bug : 632973
It has been discovered that xml-security-c, an implementation of the XML
Digital Signature and Encryption specifications, is not properly handling
RSA keys of sizes on the order of 8192 or more bits. This allows an
attacker to crash applications using this functionality or potentially
execute arbitrary code by tricking an application into verifying a signature
created with a sufficiently long RSA key.
CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows
remote attackers to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks via CRLF sequences in the query string
(CVE-2008-3906).
The XML HMAC signature system did not correctly check certain
lengths. If an attacker sent a truncated HMAC, it could bypass
authentication, leading to potential privilege escalation
(CVE-2009-0217).
Packages for 2008.0 are being provided due to extended support for
The following patches have been verified to apply to FreeBSD 7.1, 7.2,
and 8.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch.asc