CurveBall (CVE-2020-0601) - PoC
CVE-2020-0601, also known as CurveBall or ChainOfFools, is a vulnerability in the Microsoft CryptoAPI (specifically in Crypt32.dll) where elliptic curve signatures (ECDSA) of certificates are not correctly verified.
There is a very nice blog post here which explains the issue very neatly.
This should only be used for educational and research purposes!
Provide the console application with the path to an elliptic curve certificate.
CurveBall.exe 'PathToCA.cer'
The program will output a .p12 file containing a certificate with the same public key and serial number as the original, along with a key.
The key and cert can be extracted from the .p12 by using openssl with the following commands:
openssl pkcs12 -in Rogue.p12 -nocerts -out CA.key
and
openssl pkcs12 -in Rogue.p12 -clcerts -nokeys -out CA.cer
NOTE: Default password is 'Test1234'.
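For triage on the defensive side, a common check for this CVE is whether a certificate's EC public key names its curve by OID or carries explicit curve parameters, since certificates issued by public CAs use named curves. The following is an added example, not part of this project's code: a small DER walker that classifies the curve parameters of every id-ecPublicKey entry it finds. The function names are hypothetical, input is assumed to be DER bytes, and the two samples are constructed stubs rather than real keys.

```python
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")  # id-ecPublicKey, 1.2.840.10045.2.1
P256_OID = bytes.fromhex("2a8648ce3d030107")  # prime256v1, used only in the sample

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def walk(buf, start, end):
    """Yield every element in [start, end), descending into constructed ones."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        if tag & 0x20:  # constructed bit set: SEQUENCE, SET, [0], [3], ...
            yield from walk(buf, vs, ve)
        pos = ve

def ec_param_kinds(der):
    """Classify the curve parameters of each id-ecPublicKey AlgorithmIdentifier."""
    kinds = []
    for tag, vs, ve in walk(der, 0, len(der)):
        if tag != 0x30 or vs == ve:
            continue
        t1, s1, e1 = read_tlv(der, vs)
        if t1 == 0x06 and der[s1:e1] == EC_PUBLIC_KEY_OID and e1 < ve:
            # OID tag = named curve; SEQUENCE tag = explicit ECParameters
            kinds.append({0x06: "named", 0x30: "explicit"}.get(der[e1], "other"))
    return kinds

def tlv(tag, body):
    """Encode one short DER element (constructed samples stay under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def sample_spki(params):
    """Constructed SubjectPublicKeyInfo with placeholder key bits, not a real key."""
    alg = tlv(0x30, tlv(0x06, EC_PUBLIC_KEY_OID) + params)
    return tlv(0x30, alg + tlv(0x03, b"\x00\x04" + b"\x11" * 8))

NAMED = sample_spki(tlv(0x06, P256_OID))
EXPLICIT = sample_spki(tlv(0x30, tlv(0x02, b"\x01")))  # stub: version field only

if __name__ == "__main__":
    print(ec_param_kinds(NAMED), ec_param_kinds(EXPLICIT))
```

Any "explicit" result on a certificate presented as chaining to a trusted root is worth investigating; a PEM file such as the extracted CA.cer has to be converted to DER before it is passed in.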