Forge PKCS1v1.5 signature for questionable implementation of verification algorithms...
This repository contains a Python 2 implementation of the Bleichenbacher signature forgery attack. Seeing this variant of the attack multiple times during the last year, both in CTFs and in real implementations, showed the need for a more general solution than the hacky Frankenstein scripts I have lying around.
PKCS1v15 is defined in RFC 3447 (https://www.ietf.org/rfc/rfc3447.txt). If the verification algorithm parses the result of the public key operation, instead of building the expected data and comparing it to the result of the public key operation, it might be vulnerable to this attack.
Two variants of the attack are supported:
- The length is not checked and the padding is of the form
  0001FFFFFFFFFFFFFFFF00 | DigestInfo | garbage
- The filler (PS) is not checked and the padding is of the form
  0001FFFFFFFFFFFFFFFF | garbage | 00 | DigestInfo
More info on variant 1 can be found at: https://www.ietf.org/mail-archive/web/openpgp/current/msg00999.html
Credit for variant 2 goes to Filippo Valsorda (https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/)
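To check a verifier against both layouts, the following added Python 3 example (not code from this repository) compares two parsing verifiers with a construct-and-compare verifier on encoded blocks only, with no RSA operation involved. The function names, the sample message and the filler bytes are constructed for illustration.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-256 (RFC 3447, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def digest_info(msg):
    return SHA256_PREFIX + hashlib.sha256(msg).digest()

def expected_em(msg, k):
    """The single valid encoding for a k-byte modulus: 00 01 PS 00 T."""
    t = digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_strict(em, msg):
    """Build the expected block and compare all k bytes (em is the I2OSP output)."""
    return hmac.compare_digest(em, expected_em(msg, len(em)))

def verify_lax_length(em, msg):
    """Flawed parser, variant 1: never checks that T ends the block."""
    t = digest_info(msg)
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    return em[:2] == b"\x00\x01" and em[i:i + 1] == b"\x00" and em[i + 1:i + 1 + len(t)] == t

def verify_lax_ps(em, msg):
    """Flawed parser, variant 2: skips to the first 00 without checking PS."""
    sep = em.find(b"\x00", 2)
    return em[:2] == b"\x00\x01" and sep != -1 and em[sep + 1:] == digest_info(msg)

# Constructed sample blocks for a 2048-bit modulus (K = 256 bytes).
K, MSG = 256, b"constructed sample message"
T = digest_info(MSG)
FILL = b"\x41" * (K - 11 - len(T))  # arbitrary non-zero filler ("garbage")
BLOCKS = {
    "valid": expected_em(MSG, K),
    "variant1": b"\x00\x01" + b"\xff" * 8 + b"\x00" + T + FILL,
    "variant2": b"\x00\x01" + b"\xff" * 8 + FILL + b"\x00" + T,
}

def results():
    """Map block name -> (strict, lax_length, lax_ps) verdicts."""
    checks = (verify_strict, verify_lax_length, verify_lax_ps)
    return {name: tuple(f(em, MSG) for f in checks) for name, em in BLOCKS.items()}

if __name__ == "__main__":
    for name, row in results().items():
        print(name, row)
```

Only the construct-and-compare verifier rejects both malformed blocks; each parsing verifier accepts the layout that matches its missing check.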

    usage: Forge.py [-h] [-k KEYSIZE] [-ha {SHA-384,SHA-256,SHA-512,SHA-1,MD5}]
                    [-m MESSAGE]

    Signature forger for RSA PKCS1v1.5 given that the exponent 3 is used and the
    verification algorithm is not implemented properly

    optional arguments:
      -h, --help            show this help message and exit
      -k KEYSIZE, --keysize KEYSIZE
      -ha {SHA-384,SHA-256,SHA-512,SHA-1,MD5}, --hashalg {SHA-384,SHA-256,SHA-512,SHA-1,MD5}
      -m MESSAGE, --message MESSAGE

Will update SoonTM
plz use PSS