Share
## https://sploitus.com/exploit?id=7BF97C3E-0EBE-5120-9CCD-54602646E69D
### libgcrypt p256 signature malleability proof-of-concept exploit via malformed DER-encoded signatures

This PoC targets libgcrypt's compliance failure with ITU-T X.690, which enforces integers be two's complement. A positive integer with a high bit set will require a leading 0x00 to avoid being interpreted as negative. libgcrypt currently (1.11.2) accepts signatures missing this byte. Test vector taken from [Wycheproof](https://github.com/C2SP/wycheproof/blob/fca0d3ba9f1286c3af57801ace39c633e29a88f1/testvectors_v1/ecdsa_secp256k1_sha256_test.json#L207). 

Fun fact: this is the exact exploit vector that appeared in Bitcoin's P256 curve implementation in 2010, enabling full transaction malleability and causing the collapse of the [Mt. Gox Cryptocurrency exchange](https://en.wikipedia.org/wiki/Mt._Gox).