ECC Curveball - Cryptoapi.dll ECC certificate spoofing
Metadata
Release date | 14.01.2020 |
Author | ? Unknown ? |
Classification | Certificate spoofing / MITM |
Patched | yes |
Patch date | 14.01.2020 |
First patched system version | 10.0.18363.9135 (19h1_release_xbox_dev_2002.200219-1515) |
Source | https://nvd.nist.gov/vuln/detail/CVE-2020-0601 / https://github.com/saleemrashid/badecparams |
Download | XboxOneResearch GIT |
Info
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
(Source: https://nvd.nist.gov/vuln/detail/CVE-2020-0601)
Prerequisites
Xbox console running Windows 10.
- First vulnerable version: 10.0.10586.1006 (th2_xbox_rel_1510.151107-2322) fre
  - Released: 2015-11-12
- Last vulnerable version: 10.0.18363.8124 (19h1_release_xbox_dev_1911.191202-1836)
  - Released: 2019-12-09
Instructions
- Set up a DNS server or port forwarding that routes (SSL) Xbox traffic to the MITM host
- Adjust the certificate validity timespan in the certificate generation script
- Generate spoofed certificate
- Serve spoofed certificate via httpd.py
Alternatively, a mitm-proxy software can be used.
Authors: