Windows: PoC for CryptoAPI Bug CVE-2020-0601 are out

[German]The CyptoAPI vulnerability CVE-2020-0601 in Windows has several proof of concept exploits and is likely to be actively attacked soon. Chrome introduces a check in the browser and there is a test page for this vulnerability.

What is CVE-2020-0601

As a reminder, there is a spoofing vulnerability CVE-2020-0601 in the Crypt32.dll library (CryptoAPI) that could be exploited by an attacker. An attacker could use a spoofed code-signing certificate to sign a malicious executable file without Windows knowing about it.

A successful exploit could also allow the attacker to perform man-in-the-middle attacks and decrypt confidential information about user connections to the affected software. I had a blog post Windows: Is a critical cryptography patch coming today? about that. Microsoft also published this blog post on 1-14-2020.

Microsoft states that Windows 10, Windows Server 2016 and 2019 are affected and has provided cumulative updates to close the vulnerability (see CVE-2020-0601 and my blog post Patchday Windows 10-Updates (December 10, 2019)).

Proof of Concept Exploits are public

The recently discovered vulnerability in Windows, CVE-2020-0601, is of course a natural target for cyber criminals. They could break encrypted HTTPS connections through man-in-the-middle attacks and read the information. In the meantime, security researchers have developed and partially published proof of concept (PoC) code examples that exploit this vulnerability.

• Security expert Saleem Rashid has created a proof of concept code to spoof TLS certificates. This makes it possible to set up a fake website that looks like a website secured by legitimate certificates. Rashid has not released the exploit code to prevent bad guys from using it in the wild.
• Swiss cyber security company Kudelski Security has released a working exploit for the vulnerability on GitHub.
• Danish security researcher Ollypwn also released an exploit for the CurveBall vulnerability.

The site securityaffairs.co reports in this article about this exploit of the security researchers. Also Bleeping Computer has also covered the issue in this article. It's recommended that administrators patch Windows systems immediately. 

A test page for the crypto vulnerability

Through a tweet from security researcher Kevin Beaumont I came across an interesting website. 

It doesn't work at all on Firefox, even if using vulnerable OS, as they validate certificate correctly. The Chrome team could add extra validation for this btw, for people who don't patch.

— Kevin Beaumont (@GossiTheDog) January 16, 2020

If you visit the website chainoffools.wouaib.ch, you should receive the certificate error shown in the tweet or below as a warning.

If the above warning does not appear, the system should be patched because the fake certificate of the test page is apparently not recognized. With Firefox, however, the test is useless because the browser performs a separate validation internally. Thus the certificate warning appears, although the CryptoAPI error may be unpatched.

I have tested it on Windows 10 in Edge. There the warning is displayed, but the system was also patched. However, the display with the warning also appeared when the system was unpatched. So I'm not sure how accurate the test really is. You may want to test it and report here.

Chrome gets check for CryptoAPI errors

In the responses to the above tweet, Kevin Beaumont points out that the Chrome browser may get a check for the Crypto API vulnerability.

Google Chrome Adds Protection for NSA's Windows CryptoAPI Flaw – by @LawrenceAbramshttps://t.co/kRx7h24E1E

— BleepingComputer (@BleepinComputer) January 16, 2020

Then I came across the above tweet from Bleeping Computer. Google has just released Chrome 79.0.3945.130, which now detects certificates attempting to exploit the CVE-2020-0601 CryptoAPI Windows vulnerability discovered by the NSA.