CVE-2020-0601 PoC — Microsoft Windows CryptoAPI Trust Management Vulnerability

Source
Associated Vulnerability
Title: Microsoft Windows CryptoAPI Trust Management Vulnerability (CVE-2020-0601)
Description: A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
Description
CVE-2020-0601: Windows CryptoAPI Vulnerability. (CurveBall/ChainOfFools)
Readme
# CurveBall ([CVE-2020-0601](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601)) - PoC
CVE-2020-0601, also known as CurveBall or ChainOfFools, is a vulnerability in the Microsoft CryptoAPI (specifically in Crypt32.dll) where elliptic curve signatures (ECDSA) of certificates are not correctly verified.

There is a very nice blog post [here](https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/) which explains the issue very neatly.

*This should only be used for educational and research purposes!*

## How to

Provide the console application with the path to an elliptic curve certificate.
```
CurveBall.exe 'PathToCA.cer'
```
The program will output a .p12 file containing a certificate with the same public key and serial number as the original, including a key.

The key and cert can be extracted from the .p12 by using openssl with the following commands:
```
openssl pkcs12 -in Rogue.p12 -nocerts -out CA.key
```
and 
```
openssl pkcs12 -in Rogue.p12 -clcerts -nokeys -out CA.cer
```
NOTE: Default password is 'Test1234'.
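
For defenders, a way to flag certificates like the one this tool outputs (an added example, not part of the original README or the CurveBall project): such certificates reuse a trusted CA's public key but carry explicitly specified curve parameters instead of a named-curve OID, which RFC 5480 forbids in PKIX certificates. The function names are hypothetical and the sample structures are constructed placeholders, not real keys or curves.

```python
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1 (id-ecPublicKey)
KINDS = {0x06: "named", 0x30: "explicit", 0x05: "implicit"}

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end); single-byte tags only."""
    if pos + 2 > end:
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > end:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("element overruns its parent")
    return tag, pos, pos + length

def classify(buf, start, end):
    """If [start, end) holds an id-ecPublicKey AlgorithmIdentifier, name its parameter form."""
    if start >= end:
        return []
    tag, vs, ve = read_tlv(buf, start, end)
    if tag != 0x06 or buf[vs:ve] != EC_PUBLIC_KEY:
        return []
    if ve >= end:
        return ["absent"]
    return [KINDS.get(read_tlv(buf, ve, end)[0], "other")]

def ec_parameter_kinds(buf, start=0, end=None):
    """Walk every constructed element and collect the parameter form of each EC key."""
    end = len(buf) if end is None else end
    kinds, pos = [], start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos, end)
        if tag & 0x20:  # constructed: SEQUENCE, SET, [n] wrappers
            kinds += classify(buf, vs, ve) + ec_parameter_kinds(buf, vs, ve)
        pos = ve
    return kinds

def tlv(tag, body):  # builds the constructed samples; bodies under 128 bytes only
    return bytes([tag, len(body)]) + body

# Constructed samples: SubjectPublicKeyInfo shells with zeroed key bytes. The
# explicit-parameter body is a placeholder; only its SEQUENCE tag matters here.
EC_OID = tlv(0x06, EC_PUBLIC_KEY)
KEY = tlv(0x03, b"\x00\x04" + bytes(64))
NAMED = tlv(0x30, tlv(0x30, EC_OID + tlv(0x06, bytes.fromhex("2a8648ce3d030107"))) + KEY)
EXPLICIT = tlv(0x30, tlv(0x30, EC_OID + tlv(0x30, tlv(0x02, b"\x01"))) + KEY)
print(ec_parameter_kinds(NAMED), ec_parameter_kinds(EXPLICIT))
```

Run `ec_parameter_kinds` over the DER bytes of a certificate under review; any result other than `named` for a certificate in a chain warrants rejecting or investigating it.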
File Snapshot

```
[4.0K] /data/pocs/8ca8bbb583cc7cce5747d6a6dc4b3b9568818e25
├── [4.0K] CurveBall
│   ├── [ 282] CurveBall.csproj
│   ├── [4.0K] Extensions
│   │   └── [ 847] X509CertificateExtensions.cs
│   └── [4.3K] Program.cs
├── [ 782] CurveBall.sln
├── [ 11K] LICENSE
└── [1.1K] README.md

2 directories, 6 files
```