Friday, March 29, 2024

An exploit has been created that allows you to forge a certificate and take over a legitimate site


The victim will not notice the substitution, and the attacker will collect all the confidential data.

Akamai researchers have developed a proof-of-concept (PoC) exploit for a publicly disclosed X.509 certificate forgery vulnerability in Windows CryptoAPI that was revealed last year.

Microsoft silently fixed the bug, CVE-2022-34689, in August 2022 but only disclosed it publicly in October. This week, Akamai researchers published a PoC exploit that allows an attacker to forge the target certificate and impersonate any site. The affected browser will show a green padlock icon indicating a secure connection, even though the connection is completely controlled by the attacker.

CryptoAPI is a Windows application programming interface that developers use to add cryptography to their applications. One of its roles is validating digital certificates, and it is in this function that the vulnerability lies, the researchers said.

To verify a certificate, CryptoAPI first checks whether it already exists in the receiving application's certificate cache. If so, CryptoAPI treats the received certificate as already verified. Before the fix, CryptoAPI checked for the certificate's presence in the cache simply by comparing MD5 thumbprints. If the MD5 thumbprint of the received certificate matched that of a cached certificate, CryptoAPI considered the received certificate verified, even if the actual contents of the two certificates did not match. This opens the door to injecting an attacker's certificate.

Akamai's researchers first created two certificates, one with a legitimate signature and one malicious, and tweaked them so that both had the same MD5 thumbprint. They then served the legitimate certificate to a real application that relies on CryptoAPI (in this case an old version of Chrome, v48). After the application validated that certificate and stored it in its end-certificate cache, Akamai showed how an attacker could use a MITM attack to deliver the second, malicious certificate to the same application and have it accepted as authentic.

According to the researchers, once the colliding MD5 thumbprints have been computed, the attack is easy to carry out. How the attacker performs the next two phases (serving the two certificates) depends on the type of target application: with browsers, a simple connection reset after the first phase suffices, because the browser immediately tries to reconnect, and at that point the attack enters its second phase.
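An added example, not Akamai's code and not CryptoAPI's, that models the thumbprint-keyed end-certificate cache described above and the two-phase flow (legitimate certificate cached first, colliding certificate presented second): a pre-fix lookup that trusts any MD5 thumbprint match beside a hardened lookup that also compares the certificate bytes. The two blobs are a published MD5 collision pair (Wang et al., 2004) standing in for the two certificates; they are not X.509 data and not the pair Akamai built.

```python
import hashlib

# Added illustration of the cache check described above; this is not
# CryptoAPI's code and the "certificates" below are constructed stand-ins.
class EndCertCache:
    """Cache of already-verified certificate bytes, indexed by a thumbprint."""

    def __init__(self, digest="md5"):
        self.digest = digest  # hash used to build the lookup key
        self._store = {}      # thumbprint hex -> certificate bytes

    def thumbprint(self, cert):
        return hashlib.new(self.digest, cert).hexdigest()

    def add_verified(self, cert):
        self._store[self.thumbprint(cert)] = cert

    def is_trusted_vulnerable(self, cert):
        # Pre-fix behaviour as the page describes it: a thumbprint match
        # alone is taken to mean "this certificate was already verified".
        return self.thumbprint(cert) in self._store

    def is_trusted_hardened(self, cert):
        # Index on the hash, but only honour the hit when the cached entry
        # is byte-for-byte the certificate that was actually received.
        return self._store.get(self.thumbprint(cert)) == cert


# Public MD5 collision pair (Wang et al., 2004): two different 128-byte
# blobs with identical MD5. They play the roles of the legitimate and the
# forged certificate; they are not X.509 data and not Akamai's pair.
LEGIT = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
FORGED = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")


def run_scenario(digest="md5"):
    """Phase 1: the legitimate cert is validated and cached. Phase 2: the
    forged cert arrives. Returns (vulnerable_verdict, hardened_verdict)."""
    cache = EndCertCache(digest)
    cache.add_verified(LEGIT)
    return cache.is_trusted_vulnerable(FORGED), cache.is_trusted_hardened(FORGED)


if __name__ == "__main__":
    print("md5 cache   :", run_scenario("md5"))     # (True, False)
    print("sha256 cache:", run_scenario("sha256"))  # (False, False)
```

The SHA-256 run shows that a stronger thumbprint alone closes this particular collision, while the byte comparison in the hardened path is what makes the cache hit mean "the same certificate" regardless of the hash chosen.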



Source: www.securitylab.ru