Chain of Fools Curve Ball
Having been asked to look into CVE-2020-0601 for work, I thought I'd share what I learned.
What is it?
It is a flaw in the way Microsoft was validating Elliptic Curve Cryptography (ECC) certificates. This flaw affected all ECC certificates, including Microsoft's own ECC root, MicrosoftECCProductRootCertificateAuthority.cer.
Why this is a problem.
This flaw makes it easy for a bad actor to forge an ECC certificate that validates as trusted, allowing the bad actor to sign things such as executables and to create SSL/TLS certificates. This breaks the trust placed in certificates, meaning one can no longer trust the validation of a document, executable, or website. It also allows a bad actor to decrypt sensitive data.
Who is affected?
This flaw only affects newer versions of Microsoft Windows, including Windows 8.1, Windows 10, Windows Server 2016, and Windows Server 2019. Windows 7 and below are not affected.
How to fix this vulnerability
To fix this vulnerability, apply Windows Updates, or a patch for your system can also be found here. However, before we patch, let's see this vulnerability in action.
Verify
Like all good science, we want to verify the patch independently.
To test that the patch has been successfully installed, run
(Get-WinEvent -ListProvider Microsoft-Windows-Audit-CVE).Events
You should see the following
Id : 1
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="CVEID" inType="win:UnicodeString" outType="xs:string"/>
<data name="AdditionalDetails" inType="win:UnicodeString" outType="xs:string"/>
</template>
Description : Possible detection of CVE: %1
Additional Information: %2
This Event is generated when an attempt to exploit a known vulnerability (%1) is detected.
This Event is raised by a User mode process.
Id : 2
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="CVEID" inType="win:UnicodeString" outType="xs:string"/>
<data name="AdditionalDetails" inType="win:UnicodeString" outType="xs:string"/>
</template>
Description : Possible detection of CVE: %1
Additional Information: %2
This Event is generated when an attempt to exploit a known vulnerability (%1) is detected.
This Event is raised by a kernel mode driver.
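The listing above is what a patched machine returns. The following is an added example, not part of the original post, that turns that manual check into a function suitable for running across many hosts: it confirms the Microsoft-Windows-Audit-CVE provider is registered and that both event ids (1 for user mode, 2 for kernel mode) are present, and returns $true or $false. The function and parameter names are my own, not Microsoft's.

```powershell
# Added example (not from the original post). Verifies that the
# Microsoft-Windows-Audit-CVE provider, which the CVE-2020-0601 patch
# registers, exists and exposes the two events shown above.
# Function/parameter names are my own.
function Test-AuditCveProvider {
    [CmdletBinding()]
    param(
        [string]$ProviderName = 'Microsoft-Windows-Audit-CVE',
        [int[]]$ExpectedEventIds = @(1, 2)
    )

    try {
        $provider = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop
    } catch {
        Write-Warning "Provider '$ProviderName' is not registered; the CVE-2020-0601 update is probably missing."
        return $false
    }

    # Collect the event ids the provider actually registers.
    $ids = @($provider.Events | ForEach-Object { $_.Id })
    $missing = @($ExpectedEventIds | Where-Object { $ids -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning ("Provider present but event id(s) {0} not registered." -f ($missing -join ', '))
        return $false
    }

    # Report the last line of each description (user mode vs kernel mode) when -Verbose is given.
    foreach ($evt in $provider.Events) {
        $lastLine = ($evt.Description -split "`n")[-1].Trim()
        Write-Verbose ("Event {0}: {1}" -f $evt.Id, $lastLine)
    }
    return $true
}

if (Test-AuditCveProvider -Verbose) {
    'Audit-CVE provider registered: CVE-2020-0601 detection events are available.'
} else {
    'Audit-CVE provider missing or incomplete: apply Windows Updates and re-run.'
}
```

Because the function returns a boolean rather than printing text, it can be dropped into a remote Invoke-Command or a configuration-management check and the results aggregated without scraping output.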
Now that your system has been patched, if a forged ECC certificate is used you will see an event show up in Windows Logs/Application.
Open Event Viewer with eventvwr.exe. In the Windows Logs folder, double click on Application.
You should see an event appear in Event Viewer that looks like the following
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Audit-CVE" Guid="{85a62a0d-7e17-485f-9d4f-749a287193a6}" />
<EventID>1</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-01-20T20:36:32.447818800Z" />
<EventRecordID>8068</EventRecordID>
<Correlation />
<Execution ProcessID="2804" ThreadID="1824" />
<Channel>Application</Channel>
<Computer>DESKTOP-PQ0620D</Computer>
<Security UserID="S-1-5-21-888255177-1018887469-42971076-1000" />
</System>
<EventData>
<Data Name="CVEID">[CVE-2020-0601] cert validation</Data>
<Data Name="AdditionalDetails">CA: <USERTrust ECC Certification Authority> sha1: C01B8463C8619676BA102EEBF0C30CDCED9A942B para: 06052B81040022 otherPara …</Data>
</EventData>
</Event>
</Events>
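The AdditionalDetails field above packs three useful things into one string: the name of the CA whose key was spoofed, its SHA-1 thumbprint, and the DER-encoded curve OID that was presented (06052B81040022 decodes to 1.3.132.0.34, which is secp384r1). The following is an added example, not part of the original post, that queries the Application log for Audit-CVE events 1 and 2, splits that field into its parts, and names the curve; it also runs the same parser over a sample event constructed from the one shown above so it can be tried offline. The function names, the curve-name table and the sample event are my own; the tail of the AdditionalDetails field, which the post does not show, is left out of the sample.

```powershell
# Added example (not from the original post): parse Microsoft-Windows-Audit-CVE
# events into CA / thumbprint / curve fields. Function names are my own.

# Curve OIDs I am certain of; extend as needed.
$script:CurveNames = @{
    '1.2.840.10045.3.1.7' = 'prime256v1 (P-256)'
    '1.3.132.0.34'        = 'secp384r1 (P-384)'
    '1.3.132.0.35'        = 'secp521r1 (P-521)'
}

function ConvertFrom-DerOid {
    # Decode a DER OID given as hex: tag 0x06, length, then base-128 sub-identifiers.
    param([Parameter(Mandatory)][string]$Hex)
    $bytes = for ($i = 0; $i -lt $Hex.Length; $i += 2) { [Convert]::ToByte($Hex.Substring($i, 2), 16) }
    if ($bytes[0] -ne 0x06) { throw "Not a DER OID (tag 0x06 expected)" }
    $len  = [int]$bytes[1]
    $body = $bytes[2..(1 + $len)]
    $arcs = New-Object System.Collections.Generic.List[string]
    $value = [long]0
    foreach ($b in $body) {
        $value = ($value * 128) + ($b -band 0x7F)
        if (-not ($b -band 0x80)) {           # high bit clear: sub-identifier complete
            if ($arcs.Count -eq 0) {
                # First sub-identifier packs the first two arcs as 40*X + Y.
                $arcs.Add([string][math]::Floor($value / 40))
                $arcs.Add([string]($value % 40))
            } else {
                $arcs.Add([string]$value)
            }
            $value = [long]0
        }
    }
    return ($arcs -join '.')
}

function ConvertFrom-AuditCveDetails {
    # Split "CA: <name> sha1: <hex> para: <hex> ..." into an object.
    param([Parameter(Mandatory)][string]$Details)
    $m = [regex]::Match($Details, 'CA: <(?<ca>[^>]+)>\s+sha1: (?<sha1>[0-9A-Fa-f]{40})\s+para: (?<para>[0-9A-Fa-f]+)')
    if (-not $m.Success) { return $null }
    $oid = ConvertFrom-DerOid $m.Groups['para'].Value
    [pscustomobject]@{
        CA        = $m.Groups['ca'].Value
        Sha1      = $m.Groups['sha1'].Value.ToUpper()
        ParamsOid = $oid
        Curve     = if ($script:CurveNames.ContainsKey($oid)) { $script:CurveNames[$oid] } else { 'unknown' }
    }
}

function ConvertFrom-AuditCveEventXml {
    # Turn one event's XML (as Get-WinEvent's ToXml() returns it) into a flat record.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $parsed = ConvertFrom-AuditCveDetails $data['AdditionalDetails']
    [pscustomobject]@{
        Time    = $x.Event.System.TimeCreated.SystemTime
        Id      = [int]$x.Event.System.EventID
        Process = [int]$x.Event.System.Execution.ProcessID
        CVE     = $data['CVEID']
        CA      = $parsed.CA
        Sha1    = $parsed.Sha1
        Curve   = $parsed.Curve
    }
}

function Get-AuditCveEvent {
    # Live query: event ids 1 (user mode) and 2 (kernel mode) from the Application log.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Audit-CVE'; Id = 1, 2 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AuditCveEventXml $_.ToXml() }
}

# Constructed sample, rebuilt from the event shown above (angle brackets escaped so it is valid XML).
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Audit-CVE" Guid="{85a62a0d-7e17-485f-9d4f-749a287193a6}" />
    <EventID>1</EventID><Level>3</Level>
    <TimeCreated SystemTime="2020-01-20T20:36:32.447818800Z" />
    <Execution ProcessID="2804" ThreadID="1824" />
    <Channel>Application</Channel>
  </System>
  <EventData>
    <Data Name="CVEID">[CVE-2020-0601] cert validation</Data>
    <Data Name="AdditionalDetails">CA: &lt;USERTrust ECC Certification Authority&gt; sha1: C01B8463C8619676BA102EEBF0C30CDCED9A942B para: 06052B81040022</Data>
  </EventData>
</Event>
'@

ConvertFrom-AuditCveEventXml $sampleEvent | Format-List   # offline demo on the constructed sample
Get-AuditCveEvent | Format-Table -AutoSize                # live events, if any, on a patched host
```

On the sample this yields CA "USERTrust ECC Certification Authority", the thumbprint from the event, and Curve "secp384r1 (P-384)". The thumbprint and CA name are what you would pivot on when triaging: they identify which trusted root the forged chain claimed to descend from, and the process id in the event tells you which application performed the validation.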
I have created my own PoC to assist in testing. It uses the MicrosoftECCProductRootCertificateAuthority.cer to forge SSL certificates and key. There is also a Python server and client to assist in testing. It can be found at https://github.com/YojimboSecurity/chainoffools.