Kudelski Security have put up an interesting explanation of what the actual CVE-2020-0601 vulnerability is and also how it can potentially be exploited.
After reading this, I understand the basics of what was wrong in the Windows implementation and how the PoC is supposed to work. The site also has a PoC setup where they generate a certificate which is signed using a rogue private key for a known CA (generated by manipulating the parameter G and the known public key of the CA).
I downloaded the generated certificate and used OpenSSL to view its details:
$ openssl x509 -inform der -in cert.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            13:96:a7:9a:d9:71:d8:47:c3:fe:89:b2:b7:b6:57:40:28:9b:38:01
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=CH, ST=Vaud, L=Lausanne, O=Kudelski Security PoC, OU=Research Team, CN=github.com
        Validity
            Not Before: Jan 16 00:03:54 2018 GMT
            Not After : Oct 12 00:03:54 2020 GMT
        Subject: C=CH, ST=Vaud, L=Lausanne, O=Kudelski Security, CN=github.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:c6:54:aa:2c:11:14:b6:f5:c4:39:ea:80:95:7b:
                    2c:b3:76:b0:90:f5:17:ec:7d:d6:48:6e:cd:63:58:
                    cb:80:71:6b:bc:97:f5:26:4d:d0:7f:7b:cf:cb:05:
                    0c:24:f3:29:55:5d:52:1d:74:2d:89:78:d9:9d:91:
                    96:12:c5:cb:be
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.kudelskisecurity.com, DNS:*.microsoft.com, DNS:*.google.com, DNS:*.wouaib.ch
    Signature Algorithm: ecdsa-with-SHA256
         30:65:02:31:00:f9:1b:4a:7b:d5:01:4d:f4:e3:42:5a:17:8c:
         45:6f:39:ce:fd:ec:38:04:f0:78:93:84:5d:db:9c:db:41:07:
         a3:97:cf:f3:6d:f6:8b:7b:38:5b:95:4e:a7:1f:9e:4a:0e:02:
         30:08:29:0e:f2:d8:9c:e3:e4:15:67:b7:22:f6:de:80:56:18:
         01:a0:d8:3e:28:ec:6c:bf:2a:28:a2:8f:fb:8a:b7:1e:c7:8f:
         25:36:22:cd:86:1d:bf:6d:fa:fd:0f:a0:6f
The certificate appears to be using a valid EC curve, P-256. How can a person/process inspecting the certificate verify that its EC parameters have indeed been manipulated and that it is a fake?
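One check that follows from the question, written here as an added example (not code from the post or from Kudelski Security): a CA key's curve is identified either by a named-curve OID or by explicit ECParameters, and the CVE-2020-0601 forgery needs the latter with a non-standard generator. The snippet parses a SubjectPublicKeyInfo with a minimal pure-Python DER reader and flags any explicit parameters that are not byte-identical to standard P-256; the sample SPKIs built from the public key point printed above, and the forged base point, are constructed for the demo.

```python
# Added example: flag EC public keys whose curve is given as explicit ECParameters rather
# than a named-curve OID, the shape a CVE-2020-0601 style rogue CA key depends on.
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1 id-ecPublicKey
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")   # 1.2.840.10045.3.1.7 (NIST P-256)
OID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")    # 1.2.840.10045.1.1 prime-field
P256 = {  # standard P-256 domain parameters (FIPS 186-4 / SEC 2), hex
    "p": "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
    "a": "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
    "b": "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
    "G": "046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
         "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
    "n": "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
}
PAGE_POINT = bytes.fromhex(  # sample input: the leaf public key printed by openssl above
    "04c654aa2c1114b6f5c439ea80957b2cb376b090f517ec7dd6486ecd6358cb80716bbc97f5264dd07f7b"
    "cfcb050c24f329555d521d742d8978d99d919612c5cbbe")

def der(tag, body):  # minimal DER TLV encoder, lengths below 65536
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body

def der_uint(hexstr):  # DER INTEGER for a non-negative value, 0x00 sign pad when the top bit is set
    raw = bytes.fromhex(hexstr)
    return der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def tlvs(buf):  # decode consecutive DER TLVs into (tag, body) pairs, short- and long-form lengths
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def build_spki(params, point):  # SubjectPublicKeyInfo { { id-ecPublicKey, params }, BIT STRING point }
    alg = der(0x30, der(0x06, OID_EC_PUBLIC_KEY) + params)
    return der(0x30, alg + der(0x03, b"\x00" + point))

def explicit_params(generator_hex):  # explicit ECParameters: P-256 field and curve, chosen base point
    field = der(0x30, der(0x06, OID_PRIME_FIELD) + der_uint(P256["p"]))
    curve = der(0x30, der(0x04, bytes.fromhex(P256["a"])) + der(0x04, bytes.fromhex(P256["b"])))
    return der(0x30, der_uint("01") + field + curve + der(0x04, bytes.fromhex(generator_hex))
               + der_uint(P256["n"]) + der_uint("01"))

def classify_ec_spki(spki):
    """'named-curve' (G fixed by the OID), 'explicit-standard' (identical to P-256), or
    'explicit-nonstandard' (anything else explicit: treat the key as untrusted and investigate)."""
    alg, _pub = tlvs(tlvs(spki)[0][1])
    alg_oid, params = tlvs(alg[1])
    if alg_oid[1] != OID_EC_PUBLIC_KEY:
        return "not-ec"
    if params[0] == 0x06:  # OBJECT IDENTIFIER: named curve, generator fixed by the standard
        return "named-curve"
    if params[0] != 0x30:  # implicitlyCA NULL or malformed: not trustworthy either
        return "unknown-params"
    return "explicit-standard" if der(0x30, params[1]) == explicit_params(P256["G"]) else "explicit-nonstandard"
```

To run it on a real certificate, feed it the DER of the SubjectPublicKeyInfo (for example the base64-decoded output of `openssl x509 -pubkey -noout`) of the issuing CA key as well as the leaf, since the question's leaf key is named-curve and the manipulated parameters sit on the rogue CA key.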
I am currently developing an IRP that responds to system hacks.
I have attacked Windows 10 myself (victim machine), using Metasploit on Kali Linux, where I managed to gain access via SSH port 22. From there I have modified file extensions, accessed personal folders etc. on the victim machine.
As part of my IRP, are there any other useful places to look to prove an attack has taken place and files were accessed? My IRP investigates (so far):
- Windows Event Viewer (Application, System, Security log files)
- OpenSSH log files
Any other recommendations would be very much appreciated.
Hostpoco.com is a professional web hosting company which aims to provide the best quality web hosting experience for our customers.
Now Hostpoco comes with a new Windows Shared Hosting plan @ only $1.5 per month, along with many features like:
- Allows you to build a dynamic website
- High server also maintains stable on Windows server
- Unlimited Email Accounts
- Unlimited Web Space
- Unlimited Sub Domains
Windows is a solution designed by Microsoft and usually comes with a licensing cost. We also know the fact that most web applications being used today are Windows-based and hence this is the most recommended one.
Windows Shared Hosting Startup plan @ $1.5 per month:
~Single Domain Hosting
~1 MySQL Database
~1 MsSQL Databases(2005 / 2008)
~200MB MySQL/Ms Database Size
~Ms SQL Web Admin: My Little Admin
~ASP.NET 4.0, 3.5, 3.0, 2.0 & 1.1
~PHP 4.4.7 & PHP 5.2.13
~Unlimited Domain Aliases
~Unlimited FTP Accounts
~Unlimited Mailing List
~Detailed Web Statistics
~Server Side Includes (SSI)
~Plesk Control Panel
~Server Wide Virus Protection
~99.9% Uptime Guarantee
For more details and plans: https://hostpoco.com/one-dollar-windows-shared-hosting.php
I’m getting conflicting reports.
Search in Google: “windows 7” fix CVE-2020-0601
The top result (from PCWorld) claims that “contrary to earlier rumors, it does not affect Windows 7”.
Scrolling down finds a bunch of articles that claim it affects Windows 7 and newer.
Can anyone confirm if the exploit affects Windows 7, and if so is there going to be a patch available despite end of support?
(For reference: there have been a few cases of extremely bad vulnerabilities in Windows XP that got patched anyway over the years, which provides a good precedent for this to get patched in Windows 7 if applicable)
All over the news today (2020-01-14) is the story that the NSA and Microsoft have reported a critical security vulnerability in Windows 10.
But I haven’t been able to find clear instructions about how to ensure that Windows Update has worked properly.
When I click the Start button and then type “winver” and click “Run command”, I see that I have Windows 10 Version 1803 (OS Build 17134.191).
When I go to Windows > Settings > “Update & Security” > “See what’s new in the latest update”, it bounces me to https://support.microsoft.com/en-us/help/4043948/windows-10-whats-new-in-recent-updates, which doesn’t seem to mention security at all.
The Windows Update feature itself seems flaky, confusing, and unreliable.
I’m the most tech-savvy in my large extended family, and I generally try to help others (especially older generations) keep their systems working well, but right now I’m struggling to find a set of steps I can walk them through to confirm that their systems are no longer vulnerable.
I have just configured my Windows 10 desktop PC at home to automatically log into my Windows 10 user account that my Microsoft account is linked to on startup. My desktop is in my bedroom upstairs and I trust my parents who I live with to not snoop around. However, I was wondering if this could have any security concerns beyond “your account is essentially passwordless when starting your PC”. For example, could someone abuse this usability change to steal my Microsoft password after logging in? Could someone do so through a malicious website? Could someone do so through a backdoor in an app?
In other words: which security risks does enabling automatic authentication on startup on a Windows 10 machine using a Microsoft account bring beyond guaranteeing an attacker with physical access to a non-booted machine can access my machine?
I had decided to encrypt a folder on my hard drive. This is what I did:
1- Right-clicked on my folder, selected Properties.
2- Clicked on the “Advanced” button.
3- Checked the “Encrypt contents to secure data” box, then clicked on the “Apply” button.
4- Selected “Apply to folder, subfolders and files”, then “OK”.
The process began, but in the middle of it I canceled the process. But the name of the folder and a subfolder changed to green. I tried to change it back by going through the same process and deselecting the “Encrypt contents to secure data” box, but it doesn’t work. What should I do?
Recently, we migrated from Windows 7 to Windows 10 and during that migration, we progressively ran into some issues with our NAS device. To be more precise, we progressively noticed some tcp socket flooding on it while client computers were upgraded to Windows 10. We suspect that our NAS has some difficulties with NTLM, but this is out of this question scope.
Our NAS has an FQDN: filesvr1234.prod.company
We also have a DNS alias pointing to that FQDN: prodfiles.company
Kerberos authentication is enabled on filesvr1234.prod.company, but not on the alias prodfiles.company because we have some legacy apps that need NTLM.
We investigated these issues by running Wireshark while trying to read a file from a Samba share on our NAS, \\prodfiles.company\shared\test.txt.
We observed the following behaviour. Both Windows 7 and Windows 10 first try to authenticate using Kerberos.
Windows 10 will try to authenticate using the alias prodfiles.company (which is the expected behaviour, because we access the share with \\prodfiles.company\shared\test.txt). It will use NTLM. However, we noticed that Windows 7 uses the FQDN (filesvr1234.prod.company) instead of the DNS alias, even if we access the share using the alias (\\prodfiles.company\shared\test.txt). It will use Kerberos.
To see this, we looked at “SNameString” in KRB5 packets (Wireshark). To summarize: we read a file at \\prodfiles.company\shared\test.txt. Windows 7 uses filesvr1234.prod.company even if we access the share using prodfiles.company. Windows 10 uses prodfiles.company.
Did something change between Windows 7 and Windows 10 that makes the authentication process use the DNS alias instead of the FQDN?
I’m testing WannaCry in VirtualBox with Windows 7. However, I’m trying to find packets on SMB port 445 and I don’t find any in Wireshark. Anyone have an idea why that is?
I would like to wipe ALL free space on my SSD which Windows 10 is installed on, so that no previously deleted file can be recovered. How can I achieve this?