Lowmakoto

**Name of the Vulnerable Software and Affected Versions** Ethereum Name Service (ENS) versions 1.6.2 and prior **Description** The `RSASHA256Algorithm` and `RSASHA1Algorithm` contracts do not properly validate PKCS#1 v1.5 padding when verifying RSA signatures. The contracts only verify the final 32 or 20 bytes of the decrypted signature against the expected hash. This allows for a Bleichenbacher's 2006 signature forgery attack against DNS zones utilizing RSA keys with a low public exponent (e=3). Two TLDs supported by ENS, .cc and .name, use e=3 for their Key Signing Keys, potentially allowing fraudulent claims of domains under these TLDs on ENS without actual DNS ownership. The vulnerable contracts include `RSASHA256Algorithm` at address `0x9D1B5a639597f558bC37Cf81813724076c5C1e96`, `RSASHA1Algorithm` at address `0x6ca8624Bc207F043D140125486De0f7E624e37A1`, `DNSSECImpl` at address `0x0fc3152971714E5ed7723FAFa650F86A4BaF30C5`, and `DNSRegistrar` at address `0xB32cB5677a7C971689228EC835800432B339bA2B`. **Recommendations** Versions prior to 1.6.2 should deploy the patched contracts. Point the `DNSSECImpl.setAlgorithm` function to the deployed, patched contract.