201809-01

Insecure signature validation

Background

XMLSecLibs is a library written by Rob Richards that implements the xml-enc and xml-dsig W3C recommendations. It allows its users to handle encrypted and digitally signed XML documents. SimpleSAMLphp delegates encryption and signature handling to this library.

Description

When verifying a digital signature embedded on an XML document, the validateDigest() method of the XMLSecurityDSig class of XMLSecLibs computes the digest of the signed fragment of the document using the algorithm specified. Once this digest is computed, it is then compared to the given digest that’s being evaluated (which should be in turn encrypted with the private asymmetric key of the signer). The comparison is performed by means of the regular == PHP operator.

The issue is precisely the use of this operator. Since PHP is a loosely typed language, this operator will convert its operands to integers when possible. This conversion will take into account the values represented by the strings, even supporting scientific number notation. Due to this, PHP will evaluate the strings "1e3" and "1000" as equal.

Given this premise, there is a case where digests can be evaluated equal regardless of their actual values, based only on the integer equivalence they represent. Two strings starting with "0e" and followed by digits will always be evaluated as equal.

Affected versions

All robrichards/xmlseclibs versions 1.x, 2.x and 3.x are affected, up to (including) 1.4.2, 2.0.1 and 3.0.1, respectively.

Impact

An attacker could leverage this issue to modify a signed XML document and have the signature validated without access to the signing key.

However, two prerequisites need to concur to make this issue exploitable, effectively lowering its impact:

• The original signed digest must start with "0e" and be followed by digits exclusively.
• The digest of the modified XML document must also start with "0e" and be followed by digits exclusively, so the attacker must be able to modify the document in a way such as its digest meets the requirement.

The probability of such an event has been considered to be around 2^-99.

Resolution

Upgrade to the latest versions of the library.

For SimpleSAMLphp users, run composer update or upgrade to SimpleSAMLphp 1.16. Refer to the documentation for instructions on how to run composer.

Credit

This security issue was discovered during a security audit performed by Cure53 and reported on December 18, 2017.