An analysis of CryptoAPI’s Curveball vulnerability

Avira Protection Labs, 4 months ago 3 min read

2020 opened with a vulnerability that affected the Windows cryptographic mechanism. The United States National Security Agency (NSA) reported a critical vulnerability (CVE-2020-0601) in Window’s Elliptic Curve Cryptography (ECC) certificate validation mechanism. This vulnerability, known as Curveball, allows an attacker to bypass the normal certificate validation mechanism and create their own cryptographic certificates which appear legitimate.

In this blog, by Stefan Nicula of Avira’s Vulnerability Detection team, we will take look at the vulnerability.

Curveball

In the Vulnerability Detection team’s May 2020 update, we described CVE-2020-0601 as one of the most critical vulnerabilities of the year,  and here we will have a look at the activity around it, samples identified and the patches applied.

The CRYPT32.DLL library is a part of the Windows CryptoAPI system. It is one of the core cryptographic libraries that Windows uses to verify the validity of cryptographic certificates. The vulnerability CVE-2020-0601 known as ‘CurveBall‘ enables an attacker to bypass the normal certificate validation mechanism. This allows them to create their own cryptographic certificates that appear legitimate and can be trusted by Windows.

This vulnerability exposes Windows hosts to a broad range of exploitation vectors. A few examples where the cryptographic validation may be compromised include:

  • Files and email signature verification,
  • Potential update service traffic,
  • HTTPS connections and Man in the Middle attacks

With regard to the last bullet point, it is worth considering the way browsers validate certificates for HTTPS connections: The Mozilla Firefox browser uses libnss instead of crypt32 while Chromium-based browsers such as Edge and Chrome, deployed a patch to mitigate the Curveball vulnerability.

Note that the Windows Update uses RSA certificates rather than ECC. The RSA certificate chain is pinned in the Windows update binary leaving no room for exploitation in this scenario. However, other Windows services could potentially be at risk.

Key bytes and key parameters

Certificates using ECC keys have two parts, key bytes and key parameters, and these must match when certificates are compared. The vulnerability makes it possible to generate an ECC key that matches in key bytes but not in key parameters. When the CryptoAPI code fails to make a complete check and compare both,  ECC keys with the same key bytes but with different key parameters can be considered to be the same public key – and an exploit exists.

Patch analysis

Microsoft has added a CVE Event for EventLogger to be notified each time a corrupted ECC implementation is being used “[CVE-2020-0601] cert validation” identifier.

To explore the patch we compare two versions of the crypt32.dll files.

  • Version 10.0.17134.1130 updated on November 2019, the unpatched version
  • Version 10.0.17134.1246 updated on January 2020, the patched version

To observe the behavioral difference between versions, we run a BinDiff on both the files.

Figure 1 – Using BinDiff on both the patched and unpatched versions of the crypt32.dll

we see function CveEventWrite() called by ChainLogMSRC54294Error(), two new functions added in the patch.

Figure 2 – The CveEventWrite function call from ChainLogMSRC54294

The function ChainLogMSRC54294() is the new logging function that Microsoft uses to index potential exploits. The [CVE-2020-0601] cert validation string is passed as an argument to call the function that informs EventLogger of the potential exploit.

Figure 3 – Cross-reference to ChainLogMSRC54294() links to ChainGetSubjectStatus()

Tracing the function, we see that the call was made by ChainGetSubjectStatus(). Looking at Figure 1, it can be seen that most of the changes between the DLL versions have been made on this function, and ChainComparePublicKeyParametersAndBytes() is called by ChainGetSubjectStatus(). As seen in the figure below:

Figure 4 – Surrounding context view of the ChainLogMSRC54294()call

A cross-reference to ChainGetSubjectStatus() shows a new call to ChainComparePublicKeyParametersAndBytes() before the signature is verified.

To see these changes on a decompiler, we use the Ghidra’s Version Tracking functionality and compare the two DLL versions.

Figure 5 – Ghidra’s Version Tracking for ChainGetSubjectStatus()

Analyzing the difference between DLL versions, we see Microsoft’s patch implemented and the vulnerable function.  An event log is assigned to identify potential abuses.

Conclusion

Analysis shows that samples found in the wild were not exploiting the Curveball vulnerability. Many samples following the initial public disclosure of the vulnerability were using some form of PoC testing by researchers.

However, we have seen some interesting samples such as versions of mimikatz, a popular post-exploitation tool. These were signed with a malformed signature designed to exploit the faulty ECC check implementation. We also see rogue client installations targeting common software like 7zip and antivirus solutions. As expected, this vulnerability received lot of attention considering the potential impact that it had. Employing a strong detection will prevent potential use of the CryptoAPI vulnerability.

Avira is continuously looking for ways to assist its partners with detection and protection against vulnerabilities and exploits. We want to reiterate the recommendation and importance of applying official Microsoft patches as soon possible.

Avira detected the exploits as:

HEUR/CVE20200601.Gen

TR/RedCap

TR/Agent

IOCs

95597ed5ed579d4fe1e9a2177c29178038e4f837998bc058c94ede6ec55b7547

7078fa5f0d7399756330852ff5cff75ba49b9dc180cfc3a7bb3c20019bba5476

3693f91161164d3a22cd62915406d329ee2633da90cc70fcf2c08c8b58163185

fd2b5cdc825313712fe97cf33cd70b12238760e65621f33cb419d9dc6ac28000

10903312ad5cee5ee255b7022c2ad0295640acc586ceb855a801a12bbcd13173

8e6d9b470f27b27a2297c937d3be8c037064dd5dbe20314d70d99cdc6ca3ec74

c0d417e29c428eceefb249de8d87255ea29ec228a553f9ae453c3651d371bc95

42ec686f57811d8e3e27dacf75cde8d657792a321ed5d1808bd5ce361106eb8a

c0d417e29c428eceefb249de8d87255ea29ec228a553f9ae453c3651d371bc95

631cc7ce05029bb1305dc5264800690cc2cedf8d71faa81be1dce92f069d77fa

d9c3253c74e6c84fb3870e62e68187b145af98c01470b294b3692d6efe981af6

34a51f06455dc8a17d7604a78a93fcffb9cb92886b56b420c4e35d1c91117e5f

06c4a11b0250f563f75496b026a8da3d5ca4f07e7db45af3691711099cd28dc2

33e18daef48bf2be5723a17267f217267eb47e3ceee7127b8f595795cf99ad6d

cb44adb18b58bf10e04a4775290d124122bddf47492abcb38c32e970289a1397

f7ca17c08dc121e2f36fef59194b92133a9bb7422adadfb53c67078260d02d53

42ec686f57811d8e3e27dacf75cde8d657792a321ed5d1808bd5ce361106eb8a

19425bc63aef9bae74c139e75185625319b65f62a255cc5a5a0af899275270dd

979ef0960aea4dcdfcd576947e66c5f13db0f2b69b030ba79c534f9958236738

f498115493d700f41777b4441ba4f449e3e89fbcf2753bc502059c1a64013917

91facc917e788ce9e047e5bcafc63dd257c83e2236b1a15fa411ec206f82a029

8f26aca16c7d1b073557bbdec27360f4b0bbe3015aa2c396182f565ff5766502

c4e5245858ae6ea9abe23682ef8c14352224514213e13b80f15d37f118644208

f5e89e756fffa75d58a4bb8900bfc876d1536db62b8248c74b9d558201b2b1aa

439c3699cfefb33f5158e4489712c3a82bc9376def37b8ba2b8510cb79e5808b

085b5cf320a71d5a6fc7f3df594380abdafd8f3c3263235c3bf462f1c47890aa

544221456a4285a4a0ad3ad9927bfc7d69cd96f11c215a3d09801e9e456e3b6f

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.
An analysis of CryptoAPI’s Curveball vulnerability

Avira Protection Labs

Protection Lab is the heart of Avira’s threat detection and protection unit. The researchers at work in the Labs are some of the most qualified and skilled anti-malware researchers in the security industry. They conduct highly advance research to provide the best detection and protection to nearly a billion people world-wide.

You might like

Malware

Q1 2020 Malware Threat Report

Q1 2020 Malware Threat Report

Q1 2020 Malware Threat Report detailing the threats detected by Avira Protection Labs.

4 months ago 2 min read
Expert Perspectives

Vulnerability update – May 2020

Vulnerability update – May 2020

In this report we will take a look at some of the more interesting vulnerabilities of early 2020.

4 months ago 3 min read
Research

The evolution of Mirai into HolyMirai

The evolution of Mirai into HolyMirai

We present a study of the core similarities, differences, and evolution of the original Mirai and its new variant, HolyMirai.

8 months ago 6 min read