EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Verifying/decrypting random data

Also by EldoS: Solid File System
A virtual file system that offers a feature-rich storage for application documents and data with built-in compression and encryption.
Posted: 08/09/2006 17:16:44
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155


I've found a big bug... if i try to verfy o decrypt this file that i've attached, my application hangs (using SBB 5 beta but with 4 it also happens).

Verifying, it hangs in issignaturedetached, and on decrypt, at decrypt function.

The error is the same, and is at:
function TElASN1Parser.DecodeField(InvokeCallBack: boolean {$ifdef HAS_DEF_PARAMS}= true{$endif}): integer;

It is always returning 2 with this file, and it gets into an infinite loop on:

procedure TElASN1Parser.Parse;
while DecodeField(true) >= 0 do;

The file is a signed file, but BASE64 codified; it was just a dummy test, and i felt really bad having this endless loop. I supposed that if the file wasn't a correct file, the components should exit with a error value, and nothing else.

Please, have a look... although my users won't do this, we've feeled very bad with this bug. It shows many bugs that may be hidden.

If you need anything else, here i am

[ Download ]
Posted: 08/09/2006 23:37:00
by Ken Ivanov (EldoS Corp.)

Thank you for letting us know about it. We will try to reproduce the issue and answer you as soon as possible.
Posted: 08/09/2006 23:46:29
by Ken Ivanov (EldoS Corp.)

The document you provided is stored in Base64-armoured unicode file. Since ElMessageVerifier works only with binary ASN.1 data, it will not provide correct results for such kind of files.

Please find attached the decoded version of the signature, it is verified fine for us.

[ Download ]
Posted: 08/10/2006 00:30:50
by Eugene Mayevski (EldoS Corp.)

I would also say, that there exists a format, and BASE64 encoding is NOT conformant to the format. In other words, it's junk, which we should not even attempt to decode.

Sincerely yours
Eugene Mayevski
Posted: 08/10/2006 03:20:54
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

I may have not explained well... but i think that Eugene is saying it.

I know that it's in BASE64, i know that it should be in binary form. But the bug, is that instead of returning SB_MESSAGE_ERROR_NO_ENCRYPTED_DATA,SB_MESSAGE_ERROR_INVALID_FORMAT, ... it gets into an endless loop.

Are you saying that if a "hacker" sends my users a "base64 signed file" as this, they'll get a total hang of the program?

I suppose that the error message codes are there for a reason ;).

If you know a routine that could be used to pre-check if the file is in a correct form, then OK. But I think that this could be used for example to execute arbitrary code with this "junk" file.

Have i explained better?
Posted: 08/10/2006 03:40:48
by Ken Ivanov (EldoS Corp.)

Actually, the parsing does not hang. Due to its structure, ASCII Unicode file is a valid ASN.1 sequence (it's a very long sequence of zero-length tags). That's why its processing takes a lot of time. So you will get an error result, but only after the signature is processed.

We will consider implementing some workaround for this.
Posted: 08/10/2006 03:53:14
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Let me say that i'm not sure of that...

On my AMD X2 4400 system with 2 Gb RAM (I think it's a fast system); I leave it running for a while... and the result are really bad:
- 1 processor (the one running the thread, is at 100% load)
- The memory use is 1 GB!!... really a high use for a 1Kb file :D

The process of verification has eaten 10 minutes use processor time; and it didn't stop; so i killed it.

I'll wait for that workaround...
Posted: 08/10/2006 04:19:20
by Ken Ivanov (EldoS Corp.)

I have added the problem to the bugtracker. It will be fixed in SecureBlackbox 5 release.
Also by EldoS: CallbackProcess
A component to control process creation and termination in Windows and .NET applications.



Topic viewed 4551 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!