{"id":10512,"date":"2017-11-16T10:10:09","date_gmt":"2017-11-16T18:10:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/11\/16\/news-4284\/"},"modified":"2017-11-16T10:10:09","modified_gmt":"2017-11-16T18:10:09","slug":"news-4284","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/11\/16\/news-4284\/","title":{"rendered":"When you shouldn’t trust a trusted root certificate"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Thu, 16 Nov 2017 17:30:00 +0000<\/strong><\/p>\n

Root certificates are the cornerstone of authentication and security in software and on the Internet. They’re issued by a certified authority (CA) and, essentially, verify that the software\/website owner is who they say they are. We have talked about certificates<\/a> in general before, but a recent event triggered our desire for further explanation about the ties between malware and certificates.<\/p>\n

In a recent article by RSA FirstWatch,<\/a> we learned that a popular USB audio driver had silently installed a root certificate. This self-signed root certificate was installed in the Trusted Root Certification Authorities store. Under normal circumstances, you would have to agree to \u201cAlways trust software from {this publisher}” before a certificate would be installed there.<\/p>\n

However, the audio driver skipped this step of prompting for approval (hence “silently” installing).\u00a0 The silent install was designed to accommodate XP users, but it had the same effect in every Windows operating system from XP up to Windows 10. The installer was exactly the same for every Windows version. Ironically enough, the certificate wasn\u2019t even needed to use the software. It was just introduced to complete the installation on Windows XP seamlessly.<\/p>\n

Why is this a bad thing?<\/h3>\n

Root certificates can be installed for purposes such as timestamping, server authentication, code-signing, and so on. But this particular driver installed a certificate valid for \u201cAll\u201d purposes. So any system with these drivers installed from any of the vendors will trust any certificate issued by the same CA\u2014for \u201cAll\u201d purposes. Under normal circumstances, only a certificate issued by Microsoft would have \u201cAll\u201d in the root certificates \u201cIntended Purposes\u201d field.<\/p>\n

Having a certificate in the Trusted Root Certification Store for “All” intended purposes on a Windows system gives anyone that has the private key associated with the certificate the ability to completely own the system on which it is installed. The impact is the same as for any Certificate Authority (CA) behind certificates installed on Windows systems.<\/p>\n

\"certmgr\"<\/p>\n

An exception is that in some instances large companies may choose to do the same with the intent to perform SSL decryption at the perimeter for outbound traffic. So, not only does silently adding a root certificate break the hierarchical trust model of Windows. It also gives any owner of the private key that goes with that certificate a lot of options to perform actions on a computer with that certificate installed.<\/p>\n

How can they be abused?<\/h3>\n

An attacker who gets ahold of the private key that belongs to a root certificate can generate certificates for his own purposes and sign them with the private key. Any certificate with the root certificate already in their Trusted Root Certification Store on a Windows system will trust any certificate signed with the same private key for \u201cAll\u201d purposes. This applies to software applications, websites, or even email. Anything from a Man-in-the-Middle (MitM)<\/a> attack to installing malware is possible. And as if this wasn\u2019t bad enough, security researchers at the University of Maryland<\/a> found that simply copying an authenticode signature from a legitimate file to a known malware sample can cause antivirus products to stop detecting it, even though it results in an invalid signature.<\/p>\n

Methods of abuse<\/h4>\n

There are several ways of abusing certificates by criminals. They can:<\/p>\n