We are so used to all the jokes about programmers re-using online code and copypasting stuff from StackOverflow all the time that we sometimes forget about a sad reality – lots of public code is being copied blindly, and ‘if it works’, it more than often makes it to a production level… yes… including code that is incorporated into release build and signed binaries.
This brings a lot of interesting side-effects:
- signed binaries are often blindly trusted, so vulnerable code that makes it into a signed binary is a big bonus for researchers/attackers (follow hFireFOX and his kernel driver copypasta discoveries)
- a code that uses a hardcoded set of crypto primitives will be vulnerable to the fact these primitives are out there and in public –> attackers can decrypt secrets faster
- since the programmers who copypaste the code don’t know any better it often takes a lot of efforts for them (or their successors) to fix these issues
The main topic of this post is the item #2 on the above list:
– crypto primitives re-use.
After poking around en masse in a large number of ‘good; samples I discovered that many of these samples re-use the AES crypto routines that rely on the following two primitives:
- IV: “OFRna73m*aze01xY”
- Salt: “Kosher”
This is not a coincidence – you can find code instances that refer to this combo here. Programmers don’t know what to change in this code and they just embed it as it is. Bad and pretty big mistake.
There are many more examples like this and I may list them some time in the future.