Skip to content

/ badecparams

Proof of Concept for CVE-2020-0601
Python HTML
  1. Python 98.4%
  2. HTML 1.6%
Branch: master
Find file
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Open in Desktop Download ZIP

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching Xcode

If nothing happens, download Xcode and try again.

Launching Visual Studio

If nothing happens, download the GitHub extension for Visual Studio and try again.

@saleemrashid
saleemrashid README: Add Google Chrome screenshot
Latest commit 23c0f0d Jan 17, 2020
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
www Initial commit Jan 17, 2020
.gitignore gitignore: Remove *.pem exclusion Jan 17, 2020
README.md README: Add Google Chrome screenshot Jan 17, 2020
badecparams.py README: Add Authenticode screenshot Jan 17, 2020
comodoecccertificationauthority-ev-comodoca-com-chain.pem gitignore: Remove *.pem exclusion Jan 17, 2020
httpd.py Initial commit Jan 17, 2020
screenshot.png badecparams: Remove caching requirement, fix EV certificates Jan 17, 2020
screenshot2.png README: Add Authenticode screenshot Jan 17, 2020
screenshot3.png README: Add Google Chrome screenshot Jan 17, 2020

README.md

BADECPARAMS

Proof of Concept for CVE-2020-0601.

Screenshot of Extended Validation certificate for www.nsa.gov in Microsoft Edge Screenshot of 7-Zip installer with Authenticode digital signature Screenshot of certificate for www.nsa.gov in Google Chrome

badecparams.py generates an intermediate certificate authority that exploits the vulnerability, then issues Authenticode and TLS certificates. The TLS certificates have Extended Validation in Microsoft Edge and Internet Explorer.

httpd.py serves the contents of the www subfolder over HTTPS, using the PEM encoded certificate chain provided on the command line.

./badecparams.py
./httpd.py localhost.key

Vulnerable Software

Windows Update is not vulnerable because it uses public key pinning and RSA keys.

The latest Windows Defender antivirus definitions detect executables signed with malicious Authenticode certificates, even on machines without Microsoft's patch.

Microsoft Edge, Internet Explorer, and Chromium (and derivatives) are vulnerable to the TLS variant. Firefox is not vulnerable because Mozilla's Network Security Services (NSS) does not support explicit EC parameters and uses its own implementation for certificate verification.

Chrome 79.0.3945.130 fixes the vulnerability and throws NET::ERR_CERT_INVALID, even on machines without Microsoft's patch.

You can’t perform that action at this time.