[cryptography] Microsoft Sub-CA used in malware signing

Erwann Abalea eabalea at gmail.com
Mon Jun 11 05:31:27 EDT 2012


2012/6/11 Ben Laurie <ben at links.org>

> On Mon, Jun 11, 2012 at 1:56 AM, Nico Williams <nico at cryptonector.com>
> wrote:
> > On Sun, Jun 10, 2012 at 3:03 PM, Florian Weimer <fw at deneb.enyo.de>
> wrote:
> >> * Marsh Ray:
> >>
> >>> Marc Stevens and B.M.M. de Weger (of
> >>> http://www.win.tue.nl/hashclash/rogue-ca/) have been looking at the
> >>> collision in the evil CN=MS cert. I'm sure they'll have a full report
> >>> at some point. Until then, they have said this:
> >>
> >>>> [We] have confirmed that flame uses a yet unknown md5 chosen-prefix
> >>>> collision attack.
> >>
> >> Does this mean they've seen the original certificate in addition to
> >> the evil twin?
> >
> > The evil twin has the nasty bits[*] in the issuerUniqueID field, which
> > is weird, and the ID is not one likely to be generated by any CA.
> > Would the original have it??  I don't see why the TS CA would have
> > issued certs with issuerUniqueIDs under any circumstances, which is
> > why it's interesting the the evil twin had any evil bits.
>
> Surely the whole point is that the collision is used to switch
> <something> to issuerUniqueID in order to hide the stuff that would've
> stopped the cert from working. I haven't looked, but I'm prepared to
> bet it would not be hard to figure out what the original cert must
> have looked like.
>
> Has anyone got the evil cert as a binary? I could probably reconstruct
> it from the bazillion dumps out there, but I can't be bothered.
>
>
Based on dumps found "ici et là", the issuerUniqueID is filled with
extensions, and one of them is a Microsoft proprietary (1.3.6.1.4.1.311.18.xxx)
and set critical. This extension itself prevents the certificate to be used
on post-Vista machines. The others are CRLDP, EKU, maybe other things. This
is obviously the result of the chosen-prefix attack (just like it was
demonstrated with MD5 Rogue CA).

The resulting evil certificate has no extension at all.

Paper by Marc Stevens (
http://www.cwi.nl/system/files/PhD-Thesis-Marc-Stevens-Attacks-on-Hash-Functions-and-Applications.pdf)
presents a detection method for a chosen-prefix attack using only one of
the message pair.

-- 
Erwann.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20120611/b4d0d3a1/attachment.html>


More information about the cryptography mailing list