Exploiting the Windows CryptoAPI Vulnerability

栏目: IT技术 · 发布时间: 4年前

内容简介:On Tuesday, the NSA announced they had found aAt a high level, this vulnerability takes advantage of the fact that Crypt32.dll fails to properly check that the elliptic curve parameters specified in a provided root certificate match those known to Microsof

On Tuesday, the NSA announced they had found a critical vulnerability in the certificate validation functionality on Windows 10 and Windows Server 2016/2019. This bug allows attackers to break the validation of trust in a wide variety of contexts, such as HTTPS and code signing. If you want to stop reading here, get the important details, and see if you’re vulnerable, check out  https://whosecurve.com/. Once you’ve done that, come back to this tab and keep reading for an explainer of exactly what this bug is and how it works.

Exploiting the Windows CryptoAPI Vulnerability

Why even patch if it doesn’t have a logo? https://whosecurve.com

At a high level, this vulnerability takes advantage of the fact that Crypt32.dll fails to properly check that the elliptic curve parameters specified in a provided root certificate match those known to Microsoft. Interestingly, the vulnerability doesn’t exploit any mathematical properties unique to elliptic curves – the same exact bug could have manifested itself in a normal DSA signature verification library. Therefore, to avoid getting into the weeds of elliptic curve cryptography, let’s first go over how this bug would have worked if Crypto32.dll used normal DSA.

A toy version of the attack

Recall that the security of DSA relies on the fact that the discrete log problem is hard when dealing with the group of integers mod a prime. In other words, if we have the following equation:

b = g x mod p

It’s hard to find x if all you know is p , g , and b . To set up DSA, users need to specify a prime p and a generator g . Using these two parameters, they can then create a private key x and public key pk = g x mod p . These keys allow for signatures that can only be created by the private key, but can be verified with the public key. Signature forgery is as hard as the discrete log problem (very hard).

Digital signatures algorithms such as DSA aren’t very useful on their own, though, since they do not provide a mechanism by which users can trust a given public key is associated with a specific entity. This is where X.509 certificates come into play. An X.509 cert is basically a file that explicitly says “this public key belongs to this person,” signed by someone else (possibly the owner of the public key in question). These certificates can be chained together, starting at a “root” certificate, attesting to the identity of a root certificate authority (CA). The root CA signs intermediate certificates attesting the identity of intermediate CAs, the intermediate CAs sign other intermediate certificates, and so on down to the “leaf” certificate at the end.

Each certificate contains information about the signature algorithm and parameters used. An example Microsoft certificate might look something like the following (N.B.: this is heavily simplified):

  • Certificate authority: Microsoft
  • Name: Trail of Bits
  • Public key info
    • Algorithm: DSA
    • Generator:  g
    • Prime:  p
    • Public key:  pk

When Windows users receive a X.509 certificate chain, they check to make sure the CA at its root is one that Microsoft trusts. But what happens if Windows only checks to make sure the public key of the certificate in question matches a trusted entity, not the associated system parameters? In other words, what happens when an attacker can change the value of p or g associated with a given public key pk without Windows noticing? It turns out omitting this check completely breaks the security of DSA.

One potential way to exploit this vulnerability is to simply set g = p and have the private key be x = 1 . This allows the attacker to sign any message as if they were the legitimate owner of  pk , since they know now the private key (it’s 1). Things can get even more interesting, though. Instead of simply setting the new generator to the target’s public key, we choose a new private key  y and set the malicious generator to be g’ = y 1 * pk . This means the certificate still has what is effectively a secret key, but it is known only to the attacker, not the original issuer.

Importantly, this attack works without anyone being able to solve the discrete log problem, it really just boils down to the fact that not establishing the authenticity of parameters associated with a given public key lets the attacker choose any private key they want. This exploit scenario was originally outlined in 2004 by Vaudenay , referred to as a domain parameter shifting attack, but wasn’t seen in the wild until now.

The actual vulnerability

Exploiting the vulnerability in Crypt32.dll involves adapting the previous attack to the case where instead of DSA, the signer is using the elliptic curve variant ECDSA. In fact, you don’t really need to know much about elliptic curves at all to understand how this works – the only relevant details are that elliptic curves are more or less mathematically equivalent to the integers mod p, except instead of multiplying numbers, you geometrically manipulate points lying on a curve. In this post, curve points are bold upper case letters and adding a point P to itself n times is written n * P

Exploiting the Windows CryptoAPI Vulnerability

Fig 1. The diagram you’ve seen a million times showing elliptic curve addition

Elliptic curves, along with point addition, create another structure where the discrete log problem is hard. Also similar to the normal DSA case, ECDSA requires choosing a set of public parameters before generating a private/public key-pair, including a generator. Usually these parameters specified by naming a curve, such as Elliptic Curve secp256r1 (1.2.840.10045.3.1.7), but users can alternatively manually specify them. In that case, users must supply constants that define the elliptic curve (A,B) , the prime over which arithmetic is done p , the generator of the group  G , and information about that group’s size (order, cofactor). For the purposes of this attack we only really care about  G .

Now that we have some background on elliptic curves, it’s not hard to see that the attack works basically the same as with DSA – change the parameters specifying ECDSA to have a generator corresponding to a private key you know but with the same public key as the certificate authority you’re trying to spoof. By editing the parameters, we can control the effective secret key for the certificate, and use it to attest to whatever identities we’d like.

In real life, the parameter validation bypass is also slightly more involved. Microsoft does check that the parameters used in most certificates are valid, but when it is presented a root certificate it has cached, it will skip parameter validation if the certificate uses elliptic curve cryptography and the public key matches what’s cached. This means that for common root CAs, which most users will have seen at some point before, our attack is viable. In practice, this means we can generate valid TLS certificates for almost any website, bypass code signing restrictions, or forge signatures for files and emails. For explanatory purposes, let’s look at how we might man-in-the-middle https traffic to some website.

Building a fake certificate

First we need to pick a trusted root certificate. Microsoft maintains a list here . For our purposes, let’s pick the Microsoft EV ECC Root Certificate Authority 2017. This is a secp384r1 cert, so the public key is a point on the curve defined by the parameters given by the secp384r1 curve.

Exploiting the Windows CryptoAPI Vulnerability

Fig 2. A trusted certificate with public key

Next we need to generate a new private key for our malicious certificate, defined over a different curve, using explicit parameters. This object has a specific ASN.1 key encoding, which we generate with OpenSSL. Remember from the previous section, we want to hold the public key the same to bypass validation. Once we have the public and private key for our new certificate, we can use these to calculate a generator such that they correspond. More precisely, we need to calculate G’ = x -1 * P where x is our private scalar and P is the public key point from the MS certificate (this corresponds to the second attack scenario in the previous section).

Now that we have a new mutated key, we can use this to generate a CA certificate:

Exploiting the Windows CryptoAPI Vulnerability

Fig 3: A parsed view of our bad root

Once we’ve generated that certificate we can use it to sign a leaf certificate for whatever we want. This key/cert is just signed by the “bad” root — it doesn’t need custom parameters or any magic.

Exploiting the Windows CryptoAPI Vulnerability

Fig 4: A cert for whosecurve.com

Now the final step is to ensure that we send the “full chain” as part of a TLS connection. In normal TLS you send the leaf certificate along with any intermediates, but you don’t send the root itself. In this case we need to send that root to trigger the cache bug. Voila!

Exploiting the Windows CryptoAPI Vulnerability

Fig 5. Not a real TLS certificate

Fixing the vulnerability and lessons learned

Fortunately for Microsoft, fixing this bug simply required adding a couple of checks during signature verification to make sure ECDSA parameters are authentic. Unfortunately for everyone else, this vulnerability is absolutely devastating and requires all systems running Windows 10 to be patched immediately. Until it is, attackers can forge signatures for TLS, code, files, or email.

Cryptographically, this bug is a great example of how increasing the number of parameter choices increases system fragility. We’ve known for years that explicitly specified curves (as opposed to named curves) were a bad idea, and this is yet another piece of evidence to that point. It also is a great reminder that all cryptographic information needs to be verified when handling digital signatures.

While we have not provided a PoC for this we strongly encourage people to patch as public exploit code has become available today! We have, however, put up a website demonstrating the flaw for anyone interested in checking to see if they have an unpatched system: go find out Whose Curve Is It Anyway?

References:

*** This is a Security Bloggers Network syndicated blog from Trail of Bits Blog authored byBen Perez. Read the original post at: https://blog.trailofbits.com/2020/01/16/exploiting-the-windows-cryptoapi-vulnerability/


以上所述就是小编给大家介绍的《Exploiting the Windows CryptoAPI Vulnerability》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

颠覆暴利

颠覆暴利

曾德超、张志前 / 2015-4-1 / 58

本书从金融人士的视角研究互联网时代的金融创新,全面系统地介绍了我国互联网金融的产生背景及原因,梳理了互联网金融的基本理论,分析了互联网金融的各种业态和运营模式,介绍了互联网企业和金融企业的应对策略。本书还对互联网金融存在的风险和监管进行了研究,对互联网金融未来的发展前景进行了展望。本书是学习研究互联网金融不可多得的一本参考书。一起来看看 《颠覆暴利》 这本书的介绍吧!

JSON 在线解析
JSON 在线解析

在线 JSON 格式化工具

RGB转16进制工具
RGB转16进制工具

RGB HEX 互转工具

随机密码生成器
随机密码生成器

多种字符组合密码