In their first Patch Tuesday of January 2020, Microsoft patched CVE-2020-0601, aka CurveBall, a flaw in their root CA trust store that allowed anybody to forge certificates that would be recognized as trusted by Windows 10 and Windows Server 2016/2019. The flaw was first discovered by the NSA and patched without fully disclosing its details. Back then, we "reversed" it and released a POC within 48 hours of its non-disclosure. We'll see how.
More recently, a second flaw, CVE-2022-34689, was disclosed by the NSA in Windows CryptoAPI. It was patched in August 2022, but was only publicly announced in the October 2022 Patch Tuesday.
In this talk we will discover how to leverage such cryptographic flaws in order to create trusted, signed binaries or how they enable us to perform MITM attacks against unpatched Windows machines and servers! We will also address how one can defend against these and why non-disclosure is not a great idea, especially for cryptographic flaws.