Cryptographic API Misuse Vulnerability #2337
Comments
|
These vulnerabilities are in Adobe, Amazon, Kobo, and B&N's encryption which this plugin decrypts. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description:
In the "DeDRM_tools/DeDRM_plugin/adobekey.py", "DeDRM_tools/DeDRM_plugin/androidkindlekey.py", "DeDRM_tools/DeDRM_plugin/ignobleepub.py" and "DeDRM_tools/DeDRM_plugin/ignoblepdf.py" etc.. I have identified security vulnerabilities about insecure cryptographic algorithm.
ECB mode encryption is not semantically secure, which means it might cause information leakage.
PKCS1v1.5 is vulnerable to the chosen-ciphertext attack.
AES-CBC with fixed or hardcode IV is vulnerable to the chosen-ciphertext attack.
DES and RC4 is disallowed or for legacy use only.
Location:
https://github.com/apprenticeharper/DeDRM_tools/blob/master/DeDRM_plugin/adobekey.py#L165
https://github.com/apprenticeharper/DeDRM_tools/blob/master/DeDRM_plugin/androidkindlekey.py#L148
https://github.com/apprenticeharper/DeDRM_tools/blob/master/DeDRM_plugin/ignobleepub.py#L168
https://github.com/apprenticeharper/DeDRM_tools/blob/master/DeDRM_plugin/ignoblepdf.py#L203
https://github.com/apprenticeharper/DeDRM_tools/blob/master/DeDRM_plugin/ineptepub.py#L298
https://github.com/apprenticeharper/DeDRM_tools/blob/master/DeDRM_plugin/ineptepub.py#L317
https://github.com/apprenticeharper/DeDRM_tools/blob/master/DeDRM_plugin/ineptpdf.py#L357
https://github.com/apprenticeharper/DeDRM_tools/blob/master/DeDRM_plugin/ineptpdf.py#L390
https://github.com/apprenticeharper/DeDRM_tools/blob/master/Obok_plugin/obok/obok.py#L255
https://github.com/apprenticeharper/DeDRM_tools/blob/master/Other_Tools/Kobo/obok.py#L249
Reference
Recommendate
Generate IV with cryptographic secure PRNG.
Use other cipher mode such as CFB or CTR with random IV.
Generate IV with cryptographic secure PRNG.
The text was updated successfully, but these errors were encountered: