关联漏洞
标题:Microsoft Windows CryptoAPI 信任管理问题漏洞 (CVE-2020-0601)Description:Microsoft Windows CryptoAPI是美国微软(Microsoft)公司的一个在Windows 操作系统中添加的密码编译机能。作为资料加密与解密功能的重要基础,CryptoAPI 支持同步,异步的密钥加密处理,以及操作系统中的数字证书 的管理工作。 Microsoft Windows CryptoAPI (Crypt32.dll)中验证椭圆曲线加密(ECC)证书的方法存在信任管理问题漏洞。攻击者可通过使用欺骗性的代码签名证书利用该漏洞签名恶意的可执行文件。以下产品及版本受到影响:Micr
Description
CVE-2020-0601: Windows CryptoAPI Vulnerability. (CurveBall/ChainOfFools)
介绍
# CurveBall ([CVE-2020-0601](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601)) - PoC
CVE-2020-0601: Also known as CurveBall or ChainOffFools, is a vulnerability in the Microsoft CryptoApi (specificly in Crypt32.dll) where elliptic curve signatures (ECDSA) of certificates is not correctly verified.
There is a very nice blog post [here](https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/) which explains the issue very neatly.
*This should only be used for educational and researching purposes!*
## How to
Provide the console application with the path to an elliptic curve certificate.
```
CurveBall.exe 'PathToCA.cer'
```
The program will output a .p12 file contaning a certificate with the same public key and serial number as the original, including a key.
The key and cert can be extracted from the .p12 by using openssl with the following commands
```
openssl pkcs12 -in Rogue.p12 -nocerts -out CA.key
```
and
```
openssl pkcs12 -in Rogue.p12 -clcerts -nokeys -out CA.cer
```
NOTE: Default password is 'Test1234'.
文件快照
[4.0K] /data/pocs/8ca8bbb583cc7cce5747d6a6dc4b3b9568818e25
├── [4.0K] CurveBall
│ ├── [ 282] CurveBall.csproj
│ ├── [4.0K] Extensions
│ │ └── [ 847] X509CertificateExtensions.cs
│ └── [4.3K] Program.cs
├── [ 782] CurveBall.sln
├── [ 11K] LICENSE
└── [1.1K] README.md
2 directories, 6 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。