Understanding PoC of Windows CRYPT32.DLL vulnerability (CVE-2020-0601)

Kudelski Security have put up an interesting explanation of what the actual CVE-2020-0601 vulnerability is and also how it can potentially be exploited.

After reading this, I understand the basics of what was wrong in Windows implementation and how the PoC is supposed to work. The site also has a PoC setup where they generate a certificate which is signed using a rouge private key for a known CA (generated by manipulating the parameter G and known public key of the CA).

I downloaded the generated certificate and used OpenSSL to view its details

$   openssl x509 -inform der -in cert.crt -text Certificate:     Data:         Version: 3 (0x2)         Serial Number:             13:96:a7:9a:d9:71:d8:47:c3:fe:89:b2:b7:b6:57:40:28:9b:38:01     Signature Algorithm: ecdsa-with-SHA256         Issuer: C=CH, ST=Vaud, L=Lausanne, O=Kudelski Security PoC, OU=Research Team, CN=github.com         Validity             Not Before: Jan 16 00:03:54 2018 GMT             Not After : Oct 12 00:03:54 2020 GMT         Subject: C=CH, ST=Vaud, L=Lausanne, O=Kudelski Security, CN=github.com         Subject Public Key Info:             Public Key Algorithm: id-ecPublicKey                 Public-Key: (256 bit)                 pub:                      04:c6:54:aa:2c:11:14:b6:f5:c4:39:ea:80:95:7b:                     2c:b3:76:b0:90:f5:17:ec:7d:d6:48:6e:cd:63:58:                     cb:80:71:6b:bc:97:f5:26:4d:d0:7f:7b:cf:cb:05:                     0c:24:f3:29:55:5d:52:1d:74:2d:89:78:d9:9d:91:                     96:12:c5:cb:be                 ASN1 OID: prime256v1                 NIST CURVE: P-256         X509v3 extensions:             X509v3 Subject Alternative Name:                  DNS:*.kudelskisecurity.com, DNS:*.microsoft.com, DNS:*.google.com, DNS:*.wouaib.ch     Signature Algorithm: ecdsa-with-SHA256          30:65:02:31:00:f9:1b:4a:7b:d5:01:4d:f4:e3:42:5a:17:8c:          45:6f:39:ce:fd:ec:38:04:f0:78:93:84:5d:db:9c:db:41:07:          a3:97:cf:f3:6d:f6:8b:7b:38:5b:95:4e:a7:1f:9e:4a:0e:02:          30:08:29:0e:f2:d8:9c:e3:e4:15:67:b7:22:f6:de:80:56:18:          01:a0:d8:3e:28:ec:6c:bf:2a:28:a2:8f:fb:8a:b7:1e:c7:8f:          25:36:22:cd:86:1d:bf:6d:fa:fd:0f:a0:6f -----BEGIN CERTIFICATE----- MIICTzCCAdWgAwIBAgIUE5anmtlx2EfD/omyt7ZXQCibOAEwCgYIKoZIzj0EAwIw fDELMAkGA1UEBhMCQ0gxDTALBgNVBAgMBFZhdWQxETAPBgNVBAcMCExhdXNhbm5l MR4wHAYDVQQKDBVLdWRlbHNraSBTZWN1cml0eSBQb0MxFjAUBgNVBAsMDVJlc2Vh cmNoIFRlYW0xEzARBgNVBAMMCmdpdGh1Yi5jb20wHhcNMTgwMTE2MDAwMzU0WhcN MjAxMDEyMDAwMzU0WjBgMQswCQYDVQQGEwJDSDENMAsGA1UECAwEVmF1ZDERMA8G A1UEBwwITGF1c2FubmUxGjAYBgNVBAoMEUt1ZGVsc2tpIFNlY3VyaXR5MRMwEQYD VQQDDApnaXRodWIuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExlSqLBEU tvXEOeqAlXsss3awkPUX7H3WSG7NY1jLgHFrvJf1Jk3Qf3vPywUMJPMpVV1SHXQt iXjZnZGWEsXLvqNRME8wTQYDVR0RBEYwRIIWKi5rdWRlbHNraXNlY3VyaXR5LmNv bYIPKi5taWNyb3NvZnQuY29tggwqLmdvb2dsZS5jb22CCyoud291YWliLmNoMAoG CCqGSM49BAMCA2gAMGUCMQD5G0p71QFN9ONCWheMRW85zv3sOATweJOEXduc20EH o5fP8232i3s4W5VOpx+eSg4CMAgpDvLYnOPkFWe3IvbegFYYAaDYPijsbL8qKKKP +4q3HsePJTYizYYdv236/Q+gbw== -----END CERTIFICATE----- 

The certificate appears to be using a valid EC curve P-256. How can a person/process inspecting the certificate verify that it has indeed manipulated the EC parameters and is a fake?

Investigation of a Windows 10 Machine

I am currently developing an IRP that responds to system hacks.

I have attacked the Windows 10 myself (victim machine), using Metasploit on Kali Linux, where I managed to gain access via SSH port 22. From there I have modified file extensions, accessed personal folders etc on the victim machine.

As part of my IRP, is there any other useful places to look to prove an attack has taken place and files were accessed?? My IRP investigates (so far);

  • Windows Event Viewer (Application, System, Security log files)
  • OpenSSH log files

Any other recommendations would be very much appreciated.

[Hostpoco.com]-Affordable Windows Shared Hosting @ only $1.5 per month.

Hostpoco.com is a professional web hosting company which aims to provide the best quality web hosting experience for our customers.
Now Hostpoco come with new Windows Shared Hosting plan @ only $1.5 per month along with many features like
-Allows to build a dynamic website
-High server also maintains stable on windows server
-Unlimited Email Accounts
-Unlimited Web Space
-Unlimited Bandwidth
-Unlimited Sub Domains.

Windows is a solution designed by Microsoft and usually comes with a licensing cost. We also know the fact that most web applications being used today are Windows-based and hence this is the most recommended one.

Windows Shared Hosting Startup plan @ $1.5 per month:
~Single Domain Hosting
~1 MySQL Database
~1 MsSQL Databases(2005 / 2008)
~200MB MySQL/Ms Database Size
~Ms SQL Web Admin: My Little Admin
~ASP.NET 4.0, 3.5, 3.0, 2.0 & 1.1
~PHP 4.4.7 & PHP 5.2.13
~Unlimited Domain Aliases
~Unlimited FTP Accounts
~Unlimited Mailing List
~Email Autoresponders
~E-mail Forwarding
~Zend Optimizer
~Detailed Web Statistics
~Server Side Includes (SSI)
~ODBC Support
~Plesk Control Panel
~Frontpage Support
~Server Wide Virus Protection
~99.9% Uptime Guarantee
~Free Setup

For more details and plan:https://hostpoco.com/one-dollar-windows-shared-hosting.php

Thank you.

Does CVE-2020-0601 (CRYPT32.DLL critical exploit) affect Windows 7 and is there a patch to fix it?

I’m getting conflicting reports.

Search in Google: “windows 7” fix CVE-2020-0601

The top result (from PCWorld) claims that “contrary to earlier rumors, it does not affect Windows 7”.

Scrolling down finds a bunch of articles that claim it affects Windows 7 and newer.

Can anyone confirm if the exploit affects Windows 7, and if so is there going to be a patch available despite end of support?

(For reference: there have been a few cases of extremely bad vulnerabilities in Windows XP that got patched anyway over the years, which provides a good precedent for this to get patched in Windows 7 if applicable)

How to ensure Windows 10 is safe from critical security hole reported by NSA on 2020-01-14?

All over the news today (2020-01-14) is the story that the NSA and Microsoft have reported a critical security vulnerability in Windows 10.

But I haven’t been able to find clear instructions about how to ensure that Windows Update has worked properly.

When I click the Start button and then then type “winver” and click “Run command”, I see that I have Windows 10 Version 1803 (OS Build 17134.191)

Windows > Settings > “Update & Security” > “See what’s new in the latest update”, it bounces me to https://support.microsoft.com/en-us/help/4043948/windows-10-whats-new-in-recent-updates, which doesn’t seem to mention security at all.

The Windows Update feature itself seems flaky, confusing, and unreliable.

I’m the most tech-savvy in my large extended family, and I generally try to help others (especially older generations) keep their systems working well, but right now I’m struggling to find a set of steps I can walk them through to confirm that their systems are no longer vulnerable.

how to unencrypt a file in windows 10? [closed]

I had decided to encrypt a folder in my hard drive. This is what I did: 1- right clicked on my folder, selected properties 2- clicked on “advanced” button 3- checked “encrypt contents to secure data” box. then clicked on “Apply” button 4- selected “Apply to folder, subfolders and files” . then “OK”. The process began but in the middle of it, I canceled the process. but the name of the folder and a subfolder changed to green. I had tried to change it by going the same process and deselecting “encrypt contents to secure data” box but it doesn’t work. What should I do?

Does Kerberos authentication handle DNS names the same way between Windows 7 and Windows 10?

Recently, we migrated from Windows 7 to Windows 10 and during that migration, we progressively ran into some issues with our NAS device. To be more precise, we progressively noticed some tcp socket flooding on it while client computers were upgraded to Windows 10. We suspect that our NAS has some difficulties with NTLM, but this is out of this question scope.

Our NAS has a FQDN : filesvr1234.prod.company

We also have a DNS alias pointing to that FQDN : prodfiles.company

Kerberos authentication is enabled on filesvr1234.prod.company, but not on the alias prodfiles.company because we have some legacy apps that need NTLM.

We investigated on those issues by running WireShark while trying to read a file from a samba share on our NAS \prodfiles.company\shared\test.txt.

We observed the following behaviour. Both Windows 7 and Windows 10 try first to authenticate using Kerberos.

Windows 10 will try authenticate using the alias prodfiles.company (which is the expected behaviour because we access the share with \prodfiles.company\shared\test.txt). It will use NTLM. However, we noticed that Windows 7 uses the FQDN (filesvr1234.prod.company) instead of the DNS alias, even if we access the share using the alias (\prodfiles.company\shared\test.txt). It will use Kerberos.

To see this, we looked at “SNameString” in KRB5 packets (Wireshark). To summarize : We read a file in \prodfiles.company\shared\test.txt Windows 7 use filesvr1234.prod.company even if we access the share using prodfiles.company. Windows 10 use prodfiles.company

Does something changed between Windows 7 and Windows 10 that makes the authentication process to use the DNS alias instead of the FQDN ?