Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you a detailed analysis of how to carry out the CVE-2020-0601 loophole. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

0x00 vulnerability description

On January 15, 2020, Microsoft released a list of patch updates for January, including a vulnerability (CVE-2020-0601) related to certificate detection of CryptoAPI Elliptic Curve Cryptography (ECC), which was discovered by NSA and reported to Microsoft. An attacker can take advantage of this vulnerability to use a forged code signing certificate to sign a malicious executable file and attack it with this malicious file.

0x01 patch analysis

According to Microsoft's official introduction, the vulnerability lies in the crypt32.dll file. After the update of the patch file is downloaded from the official website, the new crypt32.dll is compared with the unupdated version as follows:

As you can see from the figure, the CertDllVerifyMicrosoftRootCertificateChainPolicy function has been changed. Check where the function is referenced:

As you can see from the figure, the CertDllVerifyMicrosoftRootCertificateChainPolicy function is called in two places in the function CertVerifyCertificateChainPolicy. Look at the code of CertVerifyCertificateChainPolicy:

As you can see from the code in the figure above, the function CertVerifyCertificateChainPolicy passes four parameters pszPolicyOID, pChainContext, pPolicyPara, and pPolicyStatus directly to CertDllVerifyMicrosoftRootCertificateChainPolicy without processing. Then look at the code for CertDllVerifyMicrosoftRootCertificateChainPolicy.

Note that there are many memory comparison codes such as memcmp (v16, & pbComputedHash, 0x20u) in the CertDllVerifyMicrosoftRootCertificateChainPolicy function, where v16 is the fixed data somewhere in crypt32.dll, pbComputedHash is the hash value calculated by the CryptHashCertificate2 function, and 0x20u refers to the compared memory length, which happens to be the fingerprint hash length of the ECC digital signature certificate, which can be seen by viewing the details of the ECC root certificate.

The value passed in by the CryptHashCertificate2 function is parsed from the parameters of CertDllVerifyMicrosoftRootCertificateChainPolicy and contains only public key information. It can be judged that although the function CertVerifyCertificateChainPolicy passes the parameters pszPolicyOID, pChainContext, pPolicyPara and pPolicyStatus to the CertDllVerifyMicrosoftRootCertificateChainPolicy function, the CertDllVerifyMicrosoftRootCertificateChainPolicy function only uses the public key information in it, which has the logic defect of incomplete parameter verification. As for why only verifying public key information will be bypassed by forged digital signatures, before introducing the principle of CVE-2020-0601 vulnerability, let's briefly introduce the lower elliptic curve digital signature algorithm (ECDSA).

0x02 Elliptic Curve Digital signature algorithm (ECDSA)

In 2009, FIPS 186 added a digital signature method based on elliptic curve cryptography, which is called elliptic curve digital signature algorithm (ECDSA). Because of the efficiency advantage of elliptic curve cryptography, ECDSA is more and more widely used.

The process of ECDSA algorithm is as follows:

All parties participating in the digital signature use the same global domain parameters to define elliptic curves and base points on curves.

The signer first needs to generate a pair of public and private keys. The signer can choose a random number as the private key and use the random number and the base point to calculate another solution point on the elliptic curve as the public key.

Calculate the hash value of the message to be signed. The signer uses the private key, global domain parameter, and hash value to generate the signature, including two integers r and s.

The verifier uses the signer's public key, global domain parameter, and integer s as input, calculates v and compares it with r. If the two are equal, the signature is approved.

Principle of 0x03 vulnerability

Usually, after generating a pair of public and private keys, the signer will go to the Certificate Authority (certificate authority, referred to as CA) to authenticate the public key to prove the identity of the signer. The Certificate Authority uses its own private key to sign the signer's public key and some related information to generate a digital certificate (DigitalCertificate). According to the patch analysis part, Microsoft supports the custom input of elliptic curve parameters and only verifies the public key information when verifying the digital signature legally, which has serious defects.

An attacker can pass in a custom global domain parameter and signature information s. As long as the public key information is consistent with the public key of the system ECC root certificate Microsoft ECC Product Root Certificate Authority 2018, the attacker can bypass the verification logic and make the digital signature information appear to be issued by the ECC root certificate. And this is very easy to do.

Assume that the private key of the ECC root certificate is d (unknown to the attacker), the base point is G, and the public key is Q=dG. The attacker can choose the same elliptic curve as the ECC root certificate, as long as diterpen1 (unit), GlobalQ, then Q'=d'G'=Q, to complete the attack.

0x04 vulnerability verification

Extract ECC root certificate public key information

Generate a forged ECC root certificate

Generate a certificate for signing the code and sign it with a forged ECC root certificate

Packaged digital signature certificate

Sign the executable file CVE20200601.exe

On the unpatched machine, the digital signature of the executable file CVE20200601.exe has been verified

After patching, the digital signature information of the executable file CVE20200601.exe cannot be verified.

The above is the detailed analysis of how to carry out the CVE-2020-0601 loophole shared by the editor. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.