ChainOfFools AKA CurveBall AKA CVE-2020-0601

Collection of CVE-2020-0601 (#ChainOfFools | #CurveBall) resources

General

A summary from the NSA advisory states.

NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows®1 cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:

• HTTPS connections
• Signed files and emails
• Signed executable code launched as user-mode processes

Blogs and Explanations

Walkthough and PoC demo from Kudelski Security

• https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/

In depth blog from Ken Whyte

• https://blog.lessonslearned.org/chain-of-fools/

Hacker News discussion

• https://news.ycombinator.com/item?id=22048619

Tal Be'ery commentary

• https://medium.com/zengo/win10-crypto-vulnerability-cheating-in-elliptic-curve-billiards-2-69b45f2dcab6

Proof of Concepts

Kudelski Securitry python PoC

• https://github.com/kudelskisecurity/chainoffools

Ollypwn ruby PoC

• https://github.com/ollypwn/cve-2020-0601

Example fake github cert for MitM or phishing

• https://twitter.com/saleemrash1d/status/1217495681230954506

Example signed malware reducing AV detections

• https://twitter.com/RedDrip7/status/1217771072180801537

Detections

3rd CurveBall blog from Tal Be'ery describing Wireshark network detections

• https://medium.com/zengo/hitting-a-curveball-like-a-pro-129c1dca427c

Microsoft have released an event log message when suspected exploitation is attempted via the CveEventWrite function

• https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-cveeventwrite

Matt Graeber has produced a powershell oneliner for host EDR detection

Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; ProviderName = 'Microsoft-Windows-Audit-CVE' } | select -Property * -ExcludeProperty MachineName, UserId

A Sigma SIEM rule from Florian Roth for us in multiple SIEM tools and based off the Microsoft event log

A detection by 0xxon for Zeekurity network morning tool to alert when custom ECC generators are observed within certificates

• https://twitter.com/0xxon/status/1217288808443441152
• https://github.com/0xxon/cve-2020-0601

Advisories

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
• https://www.cisecurity.org/advisory/a-vulnerability-in-the-microsoft-cryptographic-library-crypt32dll-could-allow-for-remote-code-execution_2020-005/
• https://www.us-cert.gov/ncas/alerts/aa20-014a
• https://www.cisa.gov/blog/2020/01/14/windows-vulnerabilities-require-immediate-attention
• https://kb.cert.org/vuls/id/849224/
• https://cyber.dhs.gov/ed/20-02/
• https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF