# ChainOfFools AKA CurveBall AKA CVE-2020-0601
Collection of CVE-2020-0601 (\#ChainOfFools | \#CurveBall) resources
## General
A summary from the [NSA advisory](https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF) states:
> NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:
> - HTTPS connections
> - Signed files and emails
> - Signed executable code launched as user-mode processes
## Blogs and Explanations
Walkthrough and PoC demo from Kudelski Security
- https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/
In-depth blog from [Kenn White](https://twitter.com/kennwhite)
- https://blog.lessonslearned.org/chain-of-fools/
Hacker News discussion
- https://news.ycombinator.com/item?id=22048619
[Tal Be'ery](https://twitter.com/TalBeerySec) commentary
- https://medium.com/zengo/win10-crypto-vulnerability-cheating-in-elliptic-curve-billiards-2-69b45f2dcab6
## Proof of Concepts
Kudelski Security Python PoC
- https://github.com/kudelskisecurity/chainoffools
[Ollypwn](https://twitter.com/ollypwn) Ruby PoC
- https://github.com/ollypwn/cve-2020-0601
Example fake GitHub cert for MitM or phishing
- https://twitter.com/saleemrash1d/status/1217495681230954506
Example signed malware reducing AV detections
- https://twitter.com/RedDrip7/status/1217771072180801537
## Detections
Third CurveBall blog from [Tal Be'ery](https://twitter.com/TalBeerySec) describing Wireshark network detections
- https://medium.com/zengo/hitting-a-curveball-like-a-pro-129c1dca427c
Microsoft has added an event log message, written via the CveEventWrite function, when suspected exploitation is attempted
- https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-cveeventwrite
[Matt Graeber](https://twitter.com/mattifestation/status/1217179698008068096) has produced a PowerShell one-liner for host EDR detection
```powershell
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName = 'Microsoft-Windows-Audit-CVE' } | select -Property * -ExcludeProperty MachineName, UserId
```
A Sigma SIEM rule from [Florian Roth](https://twitter.com/cyb3rops/status/1217545671424847874) for use in multiple SIEM tools, based on the Microsoft event log

A detection by [0xxon](https://twitter.com/0xxon) for the Zeek network monitoring tool that alerts when custom ECC generators are observed within certificates
- https://twitter.com/0xxon/status/1217288808443441152
- https://github.com/0xxon/cve-2020-0601
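As an added example (not code from any project linked above), a small pure-Python check that walks DER and flags EC keys whose AlgorithmIdentifier carries explicit ECParameters instead of a named-curve OID, the same condition the Zeek detection above alerts on. The sample SubjectPublicKeyInfo blobs are constructed inline with placeholder field and curve values, not real P-256 constants.

```python
# Classify how each EC key in a DER blob (cert or SubjectPublicKeyInfo) specifies
# its curve. A named-curve OID is normal; explicit ECParameters (which include a
# caller-chosen base point) is the shape CurveBall abuses and worth triaging.
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")    # 1.2.840.10045.2.1 id-ecPublicKey
P256_OID          = bytes.fromhex("2a8648ce3d030107")  # 1.2.840.10045.3.1.7 prime256v1
PRIME_FIELD_OID   = bytes.fromhex("2a8648ce3d0101")    # 1.2.840.10045.1.1 prime-field

def der_children(data):
    """Split one DER constructed value into its direct (tag, value) children."""
    out, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                       # long-form length (0x81 nn / 0x82 nn nn)
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        out.append((tag, data[i:i + length]))
        i += length
    return out

def ec_param_kinds(der):
    """Classify every EC AlgorithmIdentifier found anywhere inside `der`."""
    kinds, kids = [], der_children(der)
    if len(kids) >= 2 and kids[0] == (0x06, EC_PUBLIC_KEY_OID):
        kinds.append({0x06: "named-curve",      # curve fixed by a well-known OID
                      0x30: "explicit-params",  # full ECParameters SEQUENCE: flag it
                      0x05: "implicit"}.get(kids[1][0], "unknown"))
    for tag, value in kids:
        if tag & 0x20:                          # constructed node: descend
            kinds += ec_param_kinds(value)
    return kinds

def is_suspicious(der):
    """True when any EC key in the blob carries explicit curve parameters."""
    return "explicit-params" in ec_param_kinds(der)

def tlv(tag, value):
    """Encode one DER TLV (lengths up to 65535 are enough for these samples)."""
    n = len(value)
    if n < 0x80:    hdr = bytes([n])
    elif n < 0x100: hdr = bytes([0x81, n])
    else:           hdr = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + hdr + value

# Constructed sample inputs: placeholder field/curve values, not real P-256 constants.
PUBKEY = tlv(0x03, b"\x00\x04" + b"\x11" * 8)                                   # BIT STRING point stub
EXPLICIT_PARAMS = tlv(0x30, tlv(0x02, b"\x01")                                  # version
    + tlv(0x30, tlv(0x06, PRIME_FIELD_OID) + tlv(0x02, b"\x7f"))               # fieldID
    + tlv(0x30, tlv(0x04, b"\x01") + tlv(0x04, b"\x02"))                        # curve a, b
    + tlv(0x04, b"\x04\x05\x06") + tlv(0x02, b"\x0b") + tlv(0x02, b"\x01"))     # base G, order, cofactor
SAMPLE_NAMED    = tlv(0x30, tlv(0x30, tlv(0x06, EC_PUBLIC_KEY_OID) + tlv(0x06, P256_OID)) + PUBKEY)
SAMPLE_EXPLICIT = tlv(0x30, tlv(0x30, tlv(0x06, EC_PUBLIC_KEY_OID) + EXPLICIT_PARAMS) + PUBKEY)
```

Explicit parameters are legal ASN.1 and occasionally appear in legitimate certificates, so treat a hit as a triage lead and compare the embedded generator against the named curve's standard base point before escalating.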
## Advisories
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
- https://www.cisecurity.org/advisory/a-vulnerability-in-the-microsoft-cryptographic-library-crypt32dll-could-allow-for-remote-code-execution_2020-005/
- https://www.us-cert.gov/ncas/alerts/aa20-014a
- https://www.cisa.gov/blog/2020/01/14/windows-vulnerabilities-require-immediate-attention
- https://kb.cert.org/vuls/id/849224/
- https://cyber.dhs.gov/ed/20-02/
- https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF