{"id":12644,"date":"2020-01-17T00:21:48","date_gmt":"2020-01-16T23:21:48","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=12644"},"modified":"2023-08-25T22:56:54","modified_gmt":"2023-08-25T20:56:54","slug":"windows-poc-for-cryptoapi-bug-cve-2020-0601-are-out","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/01\/17\/windows-poc-for-cryptoapi-bug-cve-2020-0601-are-out\/","title":{"rendered":"Windows: PoCs for CryptoAPI Bug CVE-2020-0601 are out"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/01\/17\/windows-neues-zur-nsa-schwachstelle-cve-2020-0601\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Several proof-of-concept exploits for the CryptoAPI vulnerability <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2020-0601\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0601<\/a> in Windows are now public, so attacks in the wild are to be expected soon. Google has added a check to Chrome, and there is a test page for the vulnerability.<\/p>\n<p><!--more--><\/p>\n<h2>What is CVE-2020-0601<\/h2>\n<p>As a reminder, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2020-0601\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0601<\/a> is a spoofing vulnerability in the Crypt32.dll library (CryptoAPI). The root cause: when validating a certificate chain, CryptoAPI matched a trusted ECC root by its public key alone and did not verify that the explicitly specified curve parameters carried in the certificate, in particular the generator point, were those of the trusted root. An attacker can therefore construct a private key with attacker-chosen curve parameters whose public key equals that of a trusted root, and issue certificates that appear to chain to that root. 
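<\/p>
<p>The mechanism behind CVE-2020-0601, modelled as an added example (this code is not from the original post and not from any of the PoCs linked there; trusted_store, verify_chain_vulnerable, verify_chain_patched and forge_cert are names chosen for this example, not CryptoAPI functions): Crypt32.dll matched a trusted ECC root by its public key but did not check that the explicitly specified curve parameters in the certificate, above all the generator point, were those of the trusted root. The model runs on NIST P-256 in pure Python 3.8+ with the standard library only. The attacker picks any private key d_fake and sets G_fake = inverse(d_fake) * Q_root, so that d_fake * G_fake is exactly the trusted root's public key; a verifier that trusts the certificate's own parameters then accepts a signature made with d_fake, while a verifier that insists on the root's own parameters rejects it. The trust store and the tbsCertificate bytes are constructed for the demonstration.<\/p>

```python
# Added example, not from the original post or from any PoC linked there:
# a minimal model of the CVE-2020-0601 root cause on NIST P-256 (Python 3.8+).
# The attacker picks any d_fake and sets G_fake = inverse(d_fake) * Q_root, so
# d_fake * G_fake is exactly the trusted root's public key. trusted_store,
# verify_chain_vulnerable, verify_chain_patched, forge_cert: this example's own names.
import hashlib
import secrets

# NIST P-256 domain parameters (SEC 2, section 2.4.2)
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
a = p - 3
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(P, Q):
    # Affine point addition on y^2 = x^3 + ax + b; None is the point at infinity.
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P):
    # Double-and-add scalar multiplication.
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), 'big')

def ecdsa_sign(d, msg, gen):
    # Textbook ECDSA over an arbitrary generator 'gen' (random nonce, demo only).
    z = hash_int(msg)
    while True:
        k = secrets.randbelow(n - 1) + 1
        r = ec_mul(k, gen)[0] % n
        s = pow(k, -1, n) * (z + r * d) % n
        if r and s:
            return (r, s)

def ecdsa_verify(Q, msg, sig, gen):
    r, s = sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    X = ec_add(ec_mul(hash_int(msg) * w % n, gen), ec_mul(r * w % n, Q))
    return X is not None and X[0] % n == r

# Constructed trust store: one trusted ECC root, issued over the standard generator G.
d_root = 0x1f3e7a9c5b2d4f6e8a0c2e4f6a8c0e2f4a6c8e0f2a4c6e8f0a2c4e6f8a0c2e4f
Q_root = ec_mul(d_root, G)
trusted_store = {Q_root: G}   # root public key -> generator it belongs to

def verify_chain_vulnerable(cert):
    # Pre-patch logic: find the root by public key, then verify with the curve
    # parameters the certificate itself supplies. cert = (tbs, sig, issuer_Q, issuer_gen).
    tbs, sig, issuer_Q, issuer_gen = cert
    if issuer_Q not in trusted_store:
        return False
    return ecdsa_verify(issuer_Q, tbs, sig, issuer_gen)

def verify_chain_patched(cert):
    # Fixed logic: the supplied parameters must be the trusted root's own.
    tbs, sig, issuer_Q, issuer_gen = cert
    if trusted_store.get(issuer_Q) != issuer_gen:
        return False
    return ecdsa_verify(issuer_Q, tbs, sig, issuer_gen)

def forge_cert(tbs):
    # CurveBall: choose d_fake freely, derive G_fake so that d_fake * G_fake == Q_root.
    d_fake = secrets.randbelow(n - 1) + 1
    G_fake = ec_mul(pow(d_fake, -1, n), Q_root)
    return (tbs, ecdsa_sign(d_fake, tbs, G_fake), Q_root, G_fake)

def honest_cert(tbs):
    return (tbs, ecdsa_sign(d_root, tbs, G), Q_root, G)

if __name__ == '__main__':
    leaf = b'CN=www.example.com (constructed tbsCertificate)'
    for name, cert in (('honest', honest_cert(leaf)), ('forged', forge_cert(leaf))):
        print(name, 'vulnerable:', verify_chain_vulnerable(cert),
              'patched:', verify_chain_patched(cert))
```

<p>The only difference between the two verifiers is the single comparison of the supplied generator against the trusted root's own parameters; that comparison is what the January 2020 update adds, and a real verifier also has to apply it to the remaining explicit parameters (prime, coefficients, order, cofactor), which the model leaves at their P-256 values for brevity.<\/p>
<p>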
Such a spoofed code-signing certificate could be used to sign a malicious executable without Windows noticing.<\/p>\n<p>A successful exploit could also allow an attacker to perform man-in-the-middle attacks against TLS connections and decrypt confidential information exchanged between users and the affected software. I covered this in the blog post <a href=\"https:\/\/borncity.com\/win\/2020\/01\/14\/windows-kommt-heute-ein-kritischer-kryptografie-patch\/\">Windows: Is a critical cryptography patch coming today?<\/a>. Microsoft also published <a href=\"https:\/\/web.archive.org\/web\/20230208234929\/https:\/\/msrc-blog.microsoft.com\/2020\/01\/14\/january-2020-security-updates:-cve-2020-0601\/\" target=\"_blank\" rel=\"noopener noreferrer\">this blog post<\/a> on January 14, 2020.<\/p>\n<p>Microsoft states that Windows 10, Windows Server 2016 and Windows Server 2019 are affected and has shipped the fix in the cumulative updates of January 14, 2020 (see <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2020-0601\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0601<\/a> and my blog post <a href=\"https:\/\/borncity.com\/win\/2019\/12\/11\/patchday-windows-10-updates-december-10-2019\/\">Patchday Windows 10-Updates (December 10, 2019)<\/a>). Older versions such as Windows 7 are not listed as affected, because they do not support ECC certificates with explicitly specified curve parameters.<\/p>\n<h2>Proof of Concept Exploits are public<\/h2>\n<p>The vulnerability <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2020-0601\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0601<\/a> is of course an attractive target for cyber criminals: a spoofed TLS certificate lets them intercept HTTPS connections in a man-in-the-middle position and read the traffic. Security researchers have meanwhile developed, and in part published, proof-of-concept (PoC) code that exploits the vulnerability.<\/p>\n<ul>\n<li>Security expert Saleem Rashid has created proof-of-concept code to spoof TLS certificates. 
This makes it possible to set up a fake website that appears to be secured by a legitimately issued certificate. Rashid has not released his exploit code, to prevent attackers from using it in the wild.<\/li>\n<li>The Swiss cyber security company Kudelski Security has released a working exploit <a href=\"https:\/\/github.com\/kudelskisecurity\/chainoffools\" target=\"_blank\" rel=\"noopener noreferrer\">on GitHub<\/a>.<\/li>\n<li>Danish security researcher Ollypwn has also released an exploit for the vulnerability, which has since been nicknamed CurveBall.<\/li>\n<\/ul>\n<p>Security Affairs reports on these exploits in <a href=\"https:\/\/securityaffairs.co\/wordpress\/96486\/uncategorized\/cve-2020-0601-nsacrypto-exploits.html\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a>, and Bleeping Computer has also covered the issue <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/pocs-for-windows-cryptoapi-bug-are-out-show-real-life-exploit-risks\/\" target=\"_blank\" rel=\"noopener noreferrer\">in this article<\/a>. Administrators should patch their Windows systems immediately.<\/p>\n<h2>A test page for the crypto vulnerability<\/h2>\n<p>Through a tweet from security researcher Kevin Beaumont I came across an interesting website.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">It doesn't work at all on Firefox, even if using vulnerable OS, as they validate certificate correctly. The Chrome team could add extra validation for this btw, for people who don't patch.<\/p>\n<p>\u2014 Kevin Beaumont (@GossiTheDog) <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1217792922562826240?ref_src=twsrc%5Etfw\">January 16, 2020<\/a><\/p><\/blockquote>\n<p>If you visit the website chainoffools.wouaib.ch on a patched system, you should get the certificate error shown in the tweet and in the screenshot below.<\/p>\n<p><img decoding=\"async\" title=\"chainoffools.wouaib.ch certificate crypto test\" alt=\"chainoffools.wouaib.ch certificate crypto test\" src=\"https:\/\/i.imgur.com\/KOJ55bS.jpg\"><\/p>\n<p>If the warning does not appear, the browser has accepted the forged certificate of the test page, which indicates that the system is unpatched and should be updated immediately. The test is only meaningful in browsers that rely on Windows CryptoAPI for certificate validation (Internet Explorer, Edge, and Chrome before the update described below). Firefox ships its own validation code (NSS) and does not use CryptoAPI, so it shows the warning regardless of the patch state, and the test says nothing about whether the CryptoAPI flaw is patched.<\/p>\n<blockquote>\n<p>I have tested it on Windows 10 in Edge. There the warning is displayed, but the system was also patched. However, the warning also appeared when the system was unpatched. So I'm not sure how accurate the test really is. You may want to test it and report here.<\/p>\n<\/blockquote>\n<h2>Chrome gets a check for CVE-2020-0601<\/h2>\n<p>In the responses to the above tweet, Kevin Beaumont points out that the Chrome browser may get a check for the CryptoAPI vulnerability.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Google Chrome Adds Protection for NSA's Windows CryptoAPI Flaw &#8211; by <a href=\"https:\/\/twitter.com\/LawrenceAbrams?ref_src=twsrc%5Etfw\">@LawrenceAbrams<\/a><a href=\"https:\/\/t.co\/kRx7h24E1E\">https:\/\/t.co\/kRx7h24E1E<\/a><\/p>\n<p>\u2014 BleepingComputer (@BleepinComputer) <a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1217927179239067651?ref_src=twsrc%5Etfw\">January 16, 2020<\/a><\/p><\/blockquote>\n<p>I then came across the above tweet from Bleeping Computer. Google has released Chrome 79.0.3945.130, which detects certificates that attempt to exploit the CVE-2020-0601 CryptoAPI vulnerability discovered by the NSA and rejects them, independently of whether Windows itself has been patched.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]The CryptoAPI vulnerability CVE-2020-0601 in Windows has several proof of concept exploits and is likely to be actively attacked soon. 
Chrome introduces a check in the browser and there is a test page for this vulnerability.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,194],"class_list":["post-12644","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12644","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=12644"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12644\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=12644"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=12644"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=12644"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}