
@SwitHak
Last active February 9, 2024 14:42
BlueTeam CheatSheet * CVE-2020-0601 * crypt32.dll | Last updated: 2020-01-21 1817 UTC

CVE-2020-0601 AKA ChainOfFools OR CurveBall

General

  • Microsoft disclosed the vulnerability in its January 2020 Patch Tuesday release, referenced as CVE-2020-0601.
  • The vulnerability was discovered by the U.S. National Security Agency, which announced it today (2020-01-14) in a press conference, followed by a blog post and an official security advisory.
  • The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.

Vulnerability explanation

  • NSA description:

  • NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.

  • The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.

  • The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.

  • Examples where validation of trust may be impacted include:

    • HTTPS connections
    • Signed files and emails
    • Signed executable code launched as user-mode processes
  • The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors.

  • NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.

  • The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.

  • Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

  • If you want to dive deeper into the cryptographic side and better understand the root cause of this vulnerability, Tal Be'ery published a very didactic explanation today.

EXPLOIT

  • Publicly available: YES

    • PoC published on 2020-01-16 at 12:08 AM GMT+1 (PoC1)

    • PoC published on 2020-01-16 at 12:14 AM GMT+1 (PoC2)

      • Interesting nuggets: default serial number 0x5c8b99c55a94c5d27156decd8980cc26; uses the NIST P-384 (secp384r1) curve; 500-day default validity; configured to spoof the USERTrust ECC Certification Authority; the remaining hardcoded subject fields (C = CH, ST = Vaud, L = Lausanne, O = Kudelski Security, CN = 85.184.255.36) could easily be changed.
  • Privately available: YES (around 10 private PoCs)

  • In The Wild Exploitation: YES

REFERENCES

Affected Versions (Exhaustive list)

  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1709 for 32-bit Systems
  • Windows 10 Version 1709 for ARM64-based Systems
  • Windows 10 Version 1709 for x64-based Systems
  • Windows 10 Version 1803 for 32-bit Systems
  • Windows 10 Version 1803 for ARM64-based Systems
  • Windows 10 Version 1803 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1803 (Server Core Installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

How to detect it

Vendor detections

Microsoft

Definitions
Azure Sentinel
Inside Windows logs
  • Matt Graeber gave us a one-liner to quickly check the Application log for any event linked to CVE-2020-0601 (provider Microsoft-Windows-Audit-CVE, Event IDs 1-2). Note that these events are only written by hosts that already have the January 2020 update installed; an unpatched host logs nothing, so an empty result there is not a clean bill of health. To cover both event IDs, pass Id = 1,2 in the hashtable.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName = 'Microsoft-Windows-Audit-CVE' } | select -Property * -ExcludeProperty MachineName, UserId

Crowdstrike

CheckPoint

Tanium

Tehtris XDR

Google Chrome

TrendMicro

  • Deep Security and Vulnerability Protection
    • Rule 1010130 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
  • Apex One Vulnerability Protection (iVP)
    • Rule 1010130 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
  • TippingPoint Filter
    • 36956: HTTP: Microsoft Windows CryptoAPI Spoofing Vulnerability
  • Deep Security Log Inspection
    • Rule 1010129 - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)
  • Deep Discovery Inspector (DDI)
    • Rule 3202 – CVE-2020-0601 Spoofed Certificate Attempt – TLS – Beta
  • Trend Micro Microsoft Windows CryptoAPI Spoofing Vulnerability Assessment Tool (SHA256: 11e6b2e96e4e10c00b137aa1c362ac6ac7e65751948bd1f4ef2e34312da8dac0)
  • TrendMicro BlogPost
  • TrendMicro CurveBall BlogPost
  • TrendMicro Security Alert

SOCPrime

Symantec

ZSCALER

SentinelOne

SNORT

  • 1:52593 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
  • 1:52594 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
  • 1:52595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
  • 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)

McAfee

Fortinet

Kaspersky

  • Kaspersky security products block forged SSL certificates; I wasn't able to confirm this for PE files or scripts.
  • Kaspersky BlogPost

Paloalto Networks (PAN)

Qualys

Tenable

Zeek / BRO IDS

Emerging Threats Pro:

  • 2840457 - ETPRO EXPLOIT Possible Spoofed ECDSA Certificate Inbound (CVE-2020-0601) M1 (exploit.rules)
  • 2840458 - ETPRO EXPLOIT Possible Spoofed ECDSA Certificate Inbound (CVE-2020-0601) M2 (exploit.rules)

Rapid7 - InsightVM

SIGMA RULE

Sophos

  • Official guidance: update your system!

ESET

Website to check if your device is vulnerable

EMULATE CVE-2020-0601 exploitation attempt

DETECT

Detect the current version of "crypt32.dll"

Detect with PowerShell (FileVersionRaw reads the binary VS_FIXEDFILEINFO block; the FileVersion string can lag behind the real build, so do not key a check on it)

[System.Diagnostics.FileVersionInfo]::GetVersionInfo("C:\Windows\System32\crypt32.dll").FileVersionRaw.ToString()

Check the file signatures and dates

On Windows 10 Clients
  • the new DLL is signed with the following timestamp: "Friday 3 January 2020 06:14:45"
  • on Windows 10 version 1903/1909 (build 18362), the new DLL has version "10.0.18362.592"
  • on Windows 10 version 1903/1909, the new DLL has the following hashes:
    • CRC32: 2B82D538
    • CRC64: 14D5AADB0BD14B22
    • SHA256: E832E3A58B542E15A169B1545CE82451ACE19BD361FD81764383048528F9B540
    • SHA1: 7A9DD389B0E3C124D4BFE5C1FF15F9A93285514F
    • BLAKE2sp: EEE317CD4E1C395DD1DBCA3DCD066728FAE00250D6884EA63B9F6CAD83C14610
On Windows Server 2016 version 1607
  • the new DLL is signed with the following timestamp: "Friday 20 December 2019 06:10:17"
  • the new DLL has the following version "10.0.14393.3442"
  • the new DLL has the following hashes:
    • CRC32: A3F4A8B6
    • CRC64: 190E000CED3B17BB
    • SHA256: 6AE927255B0576AF136DF57210A1BA64C42A504D50867F58B7A128B4FD26A77C
    • SHA1: EF881BAE1A18EC6017DDC9AC5076ED00730C6572
    • BLAKE2sp: 2EAAAE609B2A1D1353CD780BEDF30089C7F0399BC9288E197A04DF2C23FDC767
PowerShell and SCCM are your friends for gaining visibility across your networks.

Detect with OSQUERY if your device is patched

  • You can detect patched devices with the following one-liner (KB4534273 is the January 2020 cumulative update for Windows 10 version 1809 and Windows Server 2019; substitute the KB number that matches your build):
SELECT * FROM patches WHERE HOTFIX_ID='KB4534273';

Detect with SPLUNK if your device is attacked by CVE-2020-0601

  • On patched devices, you can detect any exploitation attempt with the following search:
sourcetype=WinEventLog EventCode=1 LogName=Application Message="*[CVE-2020-0601]*"

Matt Graeber also published a script that parses the ASN.1-encoded ECC curve parameters from an Audit-CVE event.
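The wire-level check that Graeber's parser and the IDS signatures above rely on, as an added Python example (not the original gist's code, not Graeber's script and not any vendor's signature): a forged certificate has to encode its id-ecPublicKey AlgorithmIdentifier with explicit SpecifiedECDomain parameters (a SEQUENCE) instead of a namedCurve OID, because that is the only place to smuggle a substitute base point. Public CAs use the OID form, so the SEQUENCE form is the thing to hunt for, and an explicit curve whose prime and order are secp384r1's but whose base point differs from the standard G is the smoking gun. The two SubjectPublicKeyInfo blobs are constructed here with a minimal DER writer; the forged base point and the b coefficient are placeholders, not real curve points, since only the encoding is inspected.

```python
"""Spot explicit EC curve parameters (SpecifiedECDomain) in DER, the
wire-level indicator of a CVE-2020-0601 certificate.

Added example, not the original gist's code and not Matt Graeber's script.
Both SubjectPublicKeyInfo samples are constructed below; the forged base
point and coefficient b are placeholders, not real curve points.
"""
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
PRIME_FIELD = "1.2.840.10045.1.1"
NAMED_CURVES = {"1.2.840.10045.3.1.7": "prime256v1",
                "1.3.132.0.34": "secp384r1", "1.3.132.0.35": "secp521r1"}
# secp384r1 prime, order and standard base point x, so a substituted G' stands out
P384_P = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
P384_N = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
P384_GX = 0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7
KNOWN_PRIMES = {P384_P: ("secp384r1", P384_GX)}

# ---- minimal DER writer, used only to build the constructed samples ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return der(0x06, bytes(out))

def der_int(v):  # one extra byte keeps the sign bit clear
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def spki(alg_params, point):
    alg = der(0x30, der_oid(ID_EC_PUBLIC_KEY) + alg_params)
    return der(0x30, alg + der(0x03, b"\x00" + point))

# ---- minimal DER reader ----
def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def describe_explicit(body):
    """SpecifiedECDomain ::= SEQUENCE { version, fieldID, curve, base, order, cofactor OPTIONAL }"""
    items = list(children(body))
    field = list(children(items[1][1]))
    prime = int.from_bytes(field[1][1], "big")
    base = items[3][1]                                  # OCTET STRING 04 || X || Y
    gx = int.from_bytes(base[1:1 + (len(base) - 1) // 2], "big")
    name, std_gx = KNOWN_PRIMES.get(prime, ("unknown", None))
    return {"explicit": True, "curve": name, "base_point_is_standard": gx == std_gx}

def find_ec_params(buf):
    """Walk every constructed TLV; classify each id-ecPublicKey AlgorithmIdentifier."""
    findings = []
    def walk(body):
        items = list(children(body))
        if len(items) >= 2 and items[0][0] == 0x06 and decode_oid(items[0][1]) == ID_EC_PUBLIC_KEY:
            ptag, pval = items[1]
            if ptag == 0x06:                            # namedCurve: what real CAs use
                oid = decode_oid(pval)
                findings.append({"explicit": False, "curve": NAMED_CURVES.get(oid, oid),
                                 "base_point_is_standard": True})
            elif ptag == 0x30:                          # specifiedCurve: room for a forged G'
                findings.append(describe_explicit(pval))
        for tag, val in items:
            if tag & 0x20:                              # constructed type: recurse
                walk(val)
    walk(buf)
    return findings

def is_suspicious(buf):
    return any(f["explicit"] for f in find_ec_params(buf))

# ---- constructed samples (placeholder points, not real keys) ----
POINT = b"\x04" + bytes(96)
HONEST_SPKI = spki(der_oid("1.3.132.0.34"), POINT)
FAKE_G = b"\x04" + (0x1234).to_bytes(48, "big") + (0x5678).to_bytes(48, "big")
FORGED_SPKI = spki(der(0x30,
    der_int(1)
    + der(0x30, der_oid(PRIME_FIELD) + der_int(P384_P))
    + der(0x30, der(0x04, (P384_P - 3).to_bytes(48, "big")) + der(0x04, bytes(48)))
    + der(0x04, FAKE_G) + der_int(P384_N) + der_int(1)), POINT)

if __name__ == "__main__":
    for label, blob in (("named curve", HONEST_SPKI), ("explicit params", FORGED_SPKI)):
        print(label, find_ec_params(blob), "SUSPICIOUS" if is_suspicious(blob) else "ok")
```

To hunt at scale, feed find_ec_params the DER of every certificate you can get hold of (TLS captures, Authenticode signatures, S/MIME). Explicit parameters on their own are not proof of an attack, but no public CA issues them, so each hit deserves a look, and a hit whose base point differs from the standard G for its prime is exactly the CurveBall shape.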

Errors, typos, something to say ?

  • Feel free to report any mistake directly below in the comments or by DM on Twitter @SwitHak
@matlink

matlink commented Jan 17, 2020

Why the hell is it possible for a server to send a root certificate, which is normally available client-side?

@bdeb1337

Would be interested to look at the file handles of each process pulling the versions to see which exact canonical file paths are being loaded into memory when performing the version retrieval, as this might indicate another potential vector if the hotfixes aren't updating all copies of crypt32.dll.

Then again, I'm not a windows expert and I'm not doing any research on this particular vuln, so I might be talking out of my ass. However, the mismatch of versions is very troublesome, especially since it has been reproduced by another individual (for a total of at least 2).

I tried to trace it with procmon.exe (Sysinternals) and it looks to me like the commands pull the same file from the same path. So I believe FileVersion is not a reliable parameter to base a test on, but FileVersionRaw.ToString() is.

ProcMon trace with the .FileVersion command:


ProcMon trace with the .FileVersionRaw.ToString() command:


@Jm56Z

Jm56Z commented Jan 17, 2020

So, I finally got Windows to download and install the sole fix for this exploit (it really wanted to download some other updates I don't want; I prefer to check that they're stable before installing them).
The update size is 84 GB.
Thanks @kitkaat !

@flizzer

flizzer commented Jan 18, 2020

Many thanks @SwitHak and @kitkaat! This Gist helped me greatly with patching today.

@SwitHak
Author

SwitHak commented Jan 21, 2020

@SwitHak

Sure, here you go:


Kind regards.

Hi,
Sorry for the delay.
I finally went with your command, even though I wasn't able to reproduce your output.
Regards,
SwitHak.

@Zs7Varga

To determine the number of devices that received and installed the patch and how many still need to (only if you already deployed the patch from SCCM), you can use the following SQL or create a report in SSRS.
use cm_j01
/*
SELECT * FROM CM_J01.INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'VIEW' and TABLE_NAME like '%quick%'
select * from v_gs_quick_fix_engineering where HotFixID0 in ('KB4528760',
'KB4534271',
'KB4534273',
'KB4534276',
'KB4534293',
'KB4534306',
'KB4528760')
*/

--
Select [Update],Sum([Installed]) 'Installed' ,sum([Not Installed]) 'Not Installed' from (
Select [update] , count([computer]) 'Installed',0 'Not Installed' from
(
SELECT DISTINCT
SYS.Name0 'Computer',
SYS.Operating_System_Name_and0 'OS',
UIN.Title 'Update',
CASE
WHEN UIN.Title LIKE '%KB4528760%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534271%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534273%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534276%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534293%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534306%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
ELSE 'No'
END 'KB Installed'

FROM v_R_System SYS
left JOIN v_UpdateComplianceStatus UCS ON SYS.ResourceID = UCS.ResourceID
left JOIN v_UpdateInfo UIN ON UCS.CI_ID = UIN.CI_ID

WHERE
(UIN.Title LIKE '%KB4528760%') OR
(UIN.Title LIKE '%KB4534271%') OR
(UIN.Title LIKE '%KB4534273%') OR
(UIN.Title LIKE '%KB4534276%') OR
(UIN.Title LIKE '%KB4534293%') OR
(UIN.Title LIKE '%KB4534306%')

) A
where [KB Installed]='Yes'
group by [update]
-- ORDER BY SYS.Name0
UNION
Select [update] , 0 'Installed' ,count([computer]) 'Not Installed' from
(
SELECT DISTINCT
SYS.Name0 'Computer',
SYS.Operating_System_Name_and0 'OS',
UIN.Title 'Update',
CASE
WHEN UIN.Title LIKE '%KB4528760%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534271%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534273%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534276%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534293%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
WHEN UIN.Title LIKE '%KB4534306%' and (UCS.status=1 or UCS.status=3) THEN 'Yes'
ELSE 'No'
END 'KB Installed'

FROM v_R_System SYS
left JOIN v_UpdateComplianceStatus UCS ON SYS.ResourceID = UCS.ResourceID
left JOIN v_UpdateInfo UIN ON UCS.CI_ID = UIN.CI_ID

WHERE
(UIN.Title LIKE '%KB4528760%') OR
(UIN.Title LIKE '%KB4534271%') OR
(UIN.Title LIKE '%KB4534273%') OR
(UIN.Title LIKE '%KB4534276%') OR
(UIN.Title LIKE '%KB4534293%') OR
(UIN.Title LIKE '%KB4534306%')

) A
where [KB Installed]='No'
group by [update]
) C group by [Update]
