The Forger’s Art: Exploiting XML Digital Signature Implementations presented at HITBSecConf Malaysia 2013

by James Forshaw

Summary: Many security-critical systems rely on the correct implementation of the XML Digital Signature standard for the purposes of verification and identity management. Technologies such as SAML and Web Service Security use the standard, and its sibling XML Encryption, to manage their security.
Being a standard, there is, unsurprisingly, no canonical implementation for any platform or language. With so many different developments, there are likely to be differences in how the standard is interpreted, leading to flaws specific to each implementation.
This presentation is about research done against the main open and closed source implementations of XML Digital Signatures, and how they can be exploited to gain remote code execution, signature verification bypass or denial of service. It will show some of the nastier vulnerabilities found during the research, including a couple of novel attacks which allow for trivial signature spoofing, exposing any user of those implementations to accepting an invalid signature unless they go out of their way to prevent it.
This presentation will cover several examples of unconventional chained exploits used in real-world penetration tests and provide a detailed technical walkthrough of the exploits used, along with some tricks to gain unauthorized access and bypass security controls on critical network components. In closing, this presentation will look beyond adaptive penetration testing by providing a glimpse into some of the future directions in the use of unconventional chained exploits that are currently being explored by independent researchers around the globe.