Fake Google Root Certificates Seen in the Wild

I’ve received user reports about a suspicious Google root certificate that my RCC scanner picked up on their Windows systems. The details of the root cert are as follows:

SHA1 thumbprint:    33FCD70343BBE07972D73CDEFDEB3C9F4DCEFE28
Validity:           2015-07-21 23:05:08 -> 2020-07-20 23:05:08
Usage:              Enabled for all purposes

The .CER file is available <A href=https://www.trustprobe.com/TI/fake_google.cer>here.</A> (careful!)

<IMG SRC=http://i.imgur.com/u6JMW75.png>

Checking against the official trust stores, it quickly became obvious this was a forged root certificate.

After some more research I discovered a whole bunch of shady installers for popular software that have digital signatures chaining up to the above root. A few examples include:

MD5                                 FILENAME
0b01e26a59e7c37089277b71a0fd1f62    Pepper_Flash_Player_19.0.0.185.plugin.paf.exe
9e7ab1c2046f8af7f1c80ad8357accb1    officeportable_9.1.0.5217_multilingual_rev.4.paf.exe
c4e9005a5ca9bf03f0d74cfe389ba120    JDownloaderPortable_2.0.paf.exe
27236776af91c15d318422303ff610fe    EverythingPortable_...lingual_Rev.1_online.paf.exe
3733bbb42d9d2c9c72f99ab33eb0e385    easeus data recovery wizard te x86+x64 9.5.0.paf.exe
c2b8f1f44c6e9f444e4db75d5df48ae1    jreDownloader_8.0.660.18_32bit_64bit.plugin.paf.exe
21d7c80baf93c2bc7fe896a10fc3b697    ChromePortable.exe

So far the root seems to have been used mainly to issue Authenticode (code-signing) certificates. But the store entry is enabled for all purposes, so any machine that trusts it will also accept TLS server, e-mail or client certificates issued under it, meaning it could be misused to cause much more damage, such as transparently intercepting HTTPS traffic to any site.

What I could not find out with my limited resources is how it gets added to the trusted certificate stores of some PCs in the first place.
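If you want to check your own machines for this root without the RCC scanner, the following PowerShell (an added example, not the scanner's code or anything from the original post) walks every Windows certificate store for the thumbprint above, then looks for signed files whose Authenticode chain ends at it. The folder to scan is an assumed placeholder; replace it with wherever the installers landed.

```powershell
# Added example: hunt a rogue root by SHA1 thumbprint, then find files whose
# Authenticode signature chains up to it. Not from the original post.
$SuspectThumbprint = '33FCD70343BBE07972D73CDEFDEB3C9F4DCEFE28'
$ScanFolder        = "$env:USERPROFILE\Downloads"   # assumption: where the installers are

# 1. Which store(s) hold the root? Cert:\ covers CurrentUser and LocalMachine.
#    A copy that exists only under CurrentUser\Root was added without admin
#    rights, which already narrows down how it got there.
Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $SuspectThumbprint } |
    ForEach-Object {
        [pscustomobject]@{
            Store      = $_.PSParentPath -replace '^.*::'
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            SelfSigned = ($_.Subject -eq $_.Issuer)
            NotAfter   = $_.NotAfter
            # A root without an EKU extension is valid for every purpose unless
            # the store-level "purposes" property restricts it.
            EKU        = if ($_.EnhancedKeyUsageList.Count -eq 0) { '<none: all purposes>' }
                         else { $_.EnhancedKeyUsageList.FriendlyName -join ', ' }
        }
    } | Format-List

# 2. Which signed files chain to it? Get-AuthenticodeSignature reports "Valid"
#    on a machine that trusts the rogue root, so the verdict must come from the
#    chain's top certificate, not from the status field.
function Get-SignerRoot {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) { return }   # unsigned or unparseable

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'      # chain shape only, no CRL fetch
    $null = $chain.Build($sig.SignerCertificate)
    if ($chain.ChainElements.Count -eq 0) { return }
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        File        = Split-Path -Leaf $Path
        MD5         = (Get-FileHash -Path $Path -Algorithm MD5).Hash.ToLower()
        SigStatus   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        ChainRoot   = $top.Subject
        SuspectRoot = ($top.Thumbprint -eq $SuspectThumbprint)
    }
}

Get-ChildItem -Path $ScanFolder -Include *.exe, *.msi, *.dll -Recurse -File |
    ForEach-Object { Get-SignerRoot -Path $_.FullName } |
    Where-Object { $_.SuspectRoot } |
    Format-Table File, MD5, SigStatus, ChainRoot -AutoSize
```

The MD5 column lets you compare hits directly against the table above. If the root is not installed on the scanning machine, the chain simply stops at the issuing intermediate, so run step 2 on an affected system (or after importing the .CER into a throwaway store) to get a definitive match.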

Both the Google and Microsoft security teams have been notified.

Stay safe!

Edit 1: There are unconfirmed reports of a second certificate, mostly similar to the above but with a different thumbprint.

Windows 10 Lock Screen Leaks Clipboard Contents

Earlier this year, Norwegian MVP <A HREF=https://twitter.com/Oddvarmoe>Oddvar Moe</A> made a rather shocking discovery that went mostly under the radar. On Windows 10, there is a way to read clipboard contents right from the lock screen, without any form of authentication. This would especially be a problem in enterprise environments, where any coworker could easily go through a few PCs at lunch time and harvest potentially juicy information (such as passwords) without leaving any traces.

The frighteningly simple PoC goes as follows:

1. Win+L: Lock workstation
2. Win+ENTER: Start Narrator (Win+Ctrl+ENTER on later Windows 10 builds)
3. CapsLock+F1: Open Narrator Help
4. Ctrl+V: Profit!

By the way, this can also be achieved through the WiFi selector UI, right on the lock screen again.

The issue affects all editions of Windows 10. According to Moe, Microsoft does not consider this to be a security issue as it requires physical access.

Possible mitigations include disabling these features through the appropriate Group Policy settings, or using <A HREF=https://www.trustprobe.com/fs1/apps.html>ClipTTL</A>, which is a small utility I wrote to protect against this and other cases of accidental clipboard pasting (Do contact me before deploying ClipTTL in an enterprise environment).

Update 2017-02-16: Windows 8.1 confirmed to be affected too.
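One mitigation you can deploy without any extra tooling is to empty the clipboard the moment the session locks, so there is nothing left to paste from the lock screen. The script below is an added example (it is not ClipTTL and not code from the post); it assumes it is started inside the user's interactive session, for instance from a logon script, and that the session is STA, which is the default for powershell.exe since version 3.

```powershell
# Added example: clear the clipboard on workstation lock. Not ClipTTL.
Add-Type -AssemblyName System.Windows.Forms

# SystemEvents.SessionSwitch fires for lock/unlock/logon/logoff; we only act on lock.
$null = Register-ObjectEvent -InputObject ([Microsoft.Win32.SystemEvents]) `
    -EventName SessionSwitch -SourceIdentifier 'ClipboardOnLock' -Action {
        if ($EventArgs.Reason -eq [Microsoft.Win32.SessionSwitchReason]::SessionLock) {
            try {
                [System.Windows.Forms.Clipboard]::Clear()
            } catch {
                # Another process may briefly own the clipboard; retry once.
                Start-Sleep -Milliseconds 200
                [System.Windows.Forms.Clipboard]::Clear()
            }
        }
    }

Write-Host 'Clipboard will be cleared on lock. Ctrl+C to stop.'
try {
    # Block here; the -Action block runs whenever the event arrives.
    Wait-Event -SourceIdentifier 'never-fires'
} finally {
    Unregister-Event -SourceIdentifier 'ClipboardOnLock'
}
```

To verify, copy some text, lock the machine and walk through the four PoC steps above: Ctrl+V in Narrator Help should now paste nothing. Note this only covers the lock-screen leak; anything copied after unlocking is on the clipboard again until the next lock.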

14 new trusted root certificates added to Windows in unannounced update

My monitoring scripts raised an alert a few days ago: Microsoft has just quietly updated its Root CTL (Certificate Trust List), increasing its size to 356 roots.

The <a href=http://social.technet.microsoft.com/wiki/contents/articles/31680.microsoft-trusted-root-certificate-program-updates.aspx>official</a> <A href=http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx>channels</a>, which normally announce and document such updates well in advance, are oddly silent about this one, and the new CTL is already being pushed to all Windows systems (including servers).

A quick <A HREF=https://www.wilderssecurity.com/threads/rcc-check-your-systems-trusted-root-certificate-store.373819/>RCC</A> scan (shameless plug!) highlights the following entries as new:

SHA1 thumbprint                             CC    Name
1e0e56190ad18b2598b20444ff668a0417995f3f    LU    LuxTrust Global Root 2
5463283b6793ff55277cede39098e80422f912f7    CO    AC Raiz Certicamara S.A.
3143649becce27eced3a3f0b8f0de4e891ddeeca    TR    TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
e252fa953feddb2460bd6e28f39ccccf5eb33fde    PL    SZAFIR ROOT CA2
3f0feb17a7ef5804cfd90a77b7bb021ea69c6418    GR    BYTE Root Certification Authority 001
a69e0336c4e59023ff653c71f928eb73f21c00f0    CA    Carillon Information Security Inc.
d99b104298594763f0b9a927b79269cb47dd158b    TW    ePKI Root Certification Authority - G2
81ac5de150d1b8de5d3e0e266a136b737862d322    TW    ePKI Root Certification Authority - G2
c3197c3924e654af1bc4ab20957ae2c30e13026a    US    SSL.com Root Certification Authority ECC
b7ab3308d1ea4477ba1480125a6fbda936490cbb    US    SSL.com Root Certification Authority RSA
4cdd51a3d1f5203214b0c6c532230391c746426d    US    SSL.com EV Root Certification Authority ECC
1cb7ede176bcdfef0c866f46fbf980e901e5ce35    US    SSL.com EV Root Certification Authority RSA
d3dd483e2bbf4c05e8af10f5fa7626cfd3dc3092    PL    Certum Trusted Network CA 2
d496592b305707386cc5f3cdb259ae66d7661fca    ES    ACA ROOT

Trusting new CAs is always a big deal: every root in the store can vouch for any host name or software publisher, so advanced users and enterprise admins may use the above list to research these new roots and decide which ones they actually want to trust. And I’m currently working on a trust store hardening product, which will make it easy to drastically reduce your exposure to unnecessary CAs. Stay tuned!

Update 13-Oct-2016: Microsoft confirms the <a href=http://social.technet.microsoft.com/wiki/contents/articles/31680.microsoft-trusted-root-certificate-program-updates.aspx>release</a>.
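If you would rather catch the next quiet CTL update yourself, the script below (an added example, not the monitoring scripts mentioned above) pulls the current root list that Windows Update distributes, using certutil's -generateSSTFromWU switch, and diffs it against a saved baseline. The baseline path is an assumed default.

```powershell
# Added example: diff the Windows Update root list against a saved baseline.
param(
    [string]$Baseline = "$env:ProgramData\roots-baseline.csv"   # assumed location
)

function Get-WindowsUpdateRoots {
    $sst = Join-Path $env:TEMP 'authroot.sst'
    Remove-Item $sst -ErrorAction SilentlyContinue
    # certutil downloads the authroot list into a serialized store (.sst) file.
    & certutil.exe -generateSSTFromWU $sst | Out-Null
    if (-not (Test-Path $sst)) { throw 'certutil failed to download the root list' }

    $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $coll.Import($sst)
    foreach ($c in $coll) {
        # Pull C= and CN= out of the subject without depending on RDN order.
        $country = if ($c.Subject -match '(?:^|,\s*)C=([A-Z]{2})') { $Matches[1] } else { '??' }
        $cn      = if ($c.Subject -match 'CN=([^,]+)') { $Matches[1] } else { $c.Subject }
        [pscustomobject]@{
            Thumbprint = $c.Thumbprint.ToLower()
            Country    = $country
            Name       = $cn
            NotAfter   = $c.NotAfter
        }
    }
}

$current = @(Get-WindowsUpdateRoots)
if (-not (Test-Path $Baseline)) {
    $current | Export-Csv -NoTypeInformation -Path $Baseline
    Write-Host "Baseline written with $($current.Count) roots: $Baseline"
    return
}

$old   = @(Import-Csv $Baseline)
$added = @($current | Where-Object { $_.Thumbprint -notin $old.Thumbprint })
$gone  = @($old     | Where-Object { $_.Thumbprint -notin $current.Thumbprint })

"Root CTL now has $($current.Count) roots ($($added.Count) added, $($gone.Count) removed)"
if ($added) { 'Added:';   $added | Format-Table Thumbprint, Country, Name -AutoSize }
if ($gone)  { 'Removed:'; $gone  | Format-Table Thumbprint, Country, Name -AutoSize }

# Promote the new state to the baseline only after you have reviewed the additions:
# $current | Export-Csv -NoTypeInformation -Path $Baseline
```

Run it once to write the baseline, then schedule it; a non-empty "Added" table is the alert. The output columns match the thumbprint, country and name format of the list above, so new entries can be researched the same way.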

<A href=https://twitter.com/hexatomium>Follow</A> @hexatomium for more updates and the occasional crazy thought.

Windows 10 has an undocumented certificate pinning feature

After getting to play with Windows 10 for a few hours, something unexpected caught my attention.

<img src=https://i.imgur.com/7MJQmGV.png>

Hey, there’s some new stuff in there: a third, undocumented CTL!

Googling for ‘PinRulesEncodedCtl’ turned up nothing at all. The first few bytes of the binary data (30 82 .. .. 06 09 2a 86 48) looked familiar though: 30 82 is a DER SEQUENCE with a two-byte length, and 06 09 2a 86 48 opens a nine-byte OBJECT IDENTIFIER under 1.2.840, consistent with the PKCS#7 SignedData OID (1.2.840.113549.1.7.2) that wraps the other two well-documented CTLs. So this was almost certainly ASN.1-encoded data, which meant I could probably just feed the blob into my existing tools for quick and painless decoding.

Success! We get a nice list of 152 Microsoft-owned domains. Judging from pairs such as .bing.com and bing.com, an entry with a leading dot covers subdomains, while a bare name matches that exact host:

Subject Identifier: .files-df.1drv.com
Subject Identifier: .files.1drv.com
Subject Identifier: .aadrm.com
Subject Identifier: .afx.ms
Subject Identifier: .akadns.net
Subject Identifier: .aspnetcdn.com
Subject Identifier: .azure-int.net
Subject Identifier: .azure-mobile.net
Subject Identifier: .azure.com
Subject Identifier: .cloudapp.azure.com
Subject Identifier: azure.com
Subject Identifier: .azure.net
Subject Identifier: .cloudapp.azure.net
Subject Identifier: .azureedge.net
Subject Identifier: .azurewebsites.net
Subject Identifier: .bing-exp.com
Subject Identifier: .bing-int.com
Subject Identifier: .bing.com
Subject Identifier: bing.com
Subject Identifier: download.cortana.cn.bing.com
Subject Identifier: .bing.net
Subject Identifier: .ceipmsn.com
Subject Identifier: .cloudapp.net
Subject Identifier: .codeplex.com
Subject Identifier: .discoverbing.com
Subject Identifier: .getmicrosoftkey.com
Subject Identifier: .gfx-int.ms
Subject Identifier: gfx-int.ms
Subject Identifier: .gfx.ms
Subject Identifier: .healthvault-ppe.co.uk
Subject Identifier: .healthvault-ppe.com
Subject Identifier: healthvault-ppe.com
Subject Identifier: .healthvault.co.uk
Subject Identifier: .healthvault.com
Subject Identifier: .hotmail-int.com
Subject Identifier: hotmail.co.uk
Subject Identifier: .hotmail.com
Subject Identifier: hotmail.com
Subject Identifier: iespdytst
Subject Identifier: ieta-wa-24
Subject Identifier: .live-int.com
Subject Identifier: .live-int.net
Subject Identifier: .live-partner.com
Subject Identifier: .live-ppe.net
Subject Identifier: .live.com
Subject Identifier: .live.fi
Subject Identifier: live.fi
Subject Identifier: .live.net
Subject Identifier: .livefilestore-int.com
Subject Identifier: .livefilestore.com
Subject Identifier: .livemeeting.com
Subject Identifier: .lync.com
Subject Identifier: .mesh.com
Subject Identifier: .mgmt.live
Subject Identifier: .microsoft-int.com
Subject Identifier: .microsoft.com
Subject Identifier: .redmond.corp.microsoft.com
Subject Identifier: download.microsoft.com
Subject Identifier: iespdytst.redmond.corp.microsoft.com
Subject Identifier: microsoft.com
Subject Identifier: powerusers-staging.microsoft.com
Subject Identifier: powerusers.microsoft.com
Subject Identifier: telecommand.telemetry.microsoft.com
Subject Identifier: vortex-sandbox.data.microsoft.com
Subject Identifier: watson.telemetry.microsoft.com
Subject Identifier: .microsoft.com.au
Subject Identifier: .microsoft.com.tr
Subject Identifier: .microsoft.fr
Subject Identifier: .microsoftonline-int.com
Subject Identifier: .microsoftonline-p-int.com
Subject Identifier: .microsoftonline-p.com
Subject Identifier: .microsoftonline-p.net
Subject Identifier: .microsoftonline.com
Subject Identifier: .microsoftonline.net
Subject Identifier: .microsoftprime.com
Subject Identifier: .microsoftstore.com
Subject Identifier: za.microsoftstore.com
Subject Identifier: .microsoftstore.com.br
Subject Identifier: .microsoftstore.com.cn
Subject Identifier: .microsoftstore.com.hk
Subject Identifier: .microsofttranslator.com
Subject Identifier: .microsoftvirtualacademy.com
Subject Identifier: .modern.ie
Subject Identifier: modern.ie
Subject Identifier: .msads.net
Subject Identifier: .vo.msecnd.net
Subject Identifier: .msgamestudios.com
Subject Identifier: .msn-int.com
Subject Identifier: .msn.cn
Subject Identifier: .msn.co.jp
Subject Identifier: .msn.com
Subject Identifier: .msn.com.cn
Subject Identifier: .msocdn.com
Subject Identifier: .firstpartyapps.oaspapps.com
Subject Identifier: .office-int.com
Subject Identifier: office-int.com
Subject Identifier: .office-int.net
Subject Identifier: .office.com
Subject Identifier: office.com
Subject Identifier: .office.net
Subject Identifier: .office365.com
Subject Identifier: .officeppe.com
Subject Identifier: .officeppe.net
Subject Identifier: .onedrive.com
Subject Identifier: onedrive.com
Subject Identifier: .onenote.com
Subject Identifier: onenote.com
Subject Identifier: .onenote.net
Subject Identifier: outlook-int.com
Subject Identifier: .outlook.com
Subject Identifier: 003-1-d.outlook.com
Subject Identifier: 003-1-d.prod.outlook.com
Subject Identifier: outlook.com
Subject Identifier: pod71084-pri.outlook.com
Subject Identifier: pod71084.outlook.com
Subject Identifier: .pfx.ms
Subject Identifier: .s-microsoft.com
Subject Identifier: .s-msft.com
Subject Identifier: .s-msn.com
Subject Identifier: .sfx-df.ms
Subject Identifier: .sfx-int.ms
Subject Identifier: .sfx.ms
Subject Identifier: .sharepoint.com
Subject Identifier: .sharepointonline.com
Subject Identifier: .skype.com
Subject Identifier: community-stage.skype.com
Subject Identifier: .skype.net
Subject Identifier: .skypeassets.com
Subject Identifier: .sqlazurelabs.com
Subject Identifier: .surface.com
Subject Identifier: .syncxp.net
Subject Identifier: .trouter.io
Subject Identifier: .virtualearth.net
Subject Identifier: .visualstudio.com
Subject Identifier: visualstudio.com
Subject Identifier: .windows-int.net
Subject Identifier: .windows.com
Subject Identifier: insidersurveys.windows.com
Subject Identifier: www.insidersurveys.windows.com
Subject Identifier: .windows.net
Subject Identifier: .windowsazure.com
Subject Identifier: .windowsmedia.com
Subject Identifier: .windowsphone-int.com
Subject Identifier: .windowsphone-int.net
Subject Identifier: .windowsphone.com
Subject Identifier: .windowsphone.net
Subject Identifier: .windowssearch.com
Subject Identifier: .windowsstore.com
Subject Identifier: .wlxrs.com
Subject Identifier: .xbox.com
Subject Identifier: .xboxlive.com
Subject Identifier: .zune.net

Also, the lastsync timestamp (2016-09-24 14:22:44 UTC) is current, which shows that this list is refreshed by Windows in the background rather than shipped once with the OS.

So this very much looks like evidence of an active, system-wide certificate pinning mechanism that protects high-value Microsoft domains against MITM attacks by restricting which CAs may issue certificates for them. Which, per se, is a good thing! Some official documentation would be nice, though.
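To reproduce the decoding on your own Windows 10 box without custom ASN.1 tooling, the PowerShell below (an added example, not the tools used for the listing above) reads the blob from the registry, hands it to certutil -dump, and extracts the pinned names plus the last-sync time. Two assumptions: the values live under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate, as in the screenshot, and certutil prints one "Subject Identifier:" line per CTL entry in the same format as the listing above.

```powershell
# Added example: dump the undocumented pin-rules CTL with built-in tools.
# Registry path and value names are assumed from the screenshot.
$key   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$props = Get-ItemProperty -Path $key

function ConvertFrom-RegFileTime($v) {
    # Assumption: the *LastSyncTime values are 8-byte little-endian FILETIMEs.
    $ticks = if ($v -is [byte[]]) { [BitConverter]::ToInt64($v, 0) } else { [int64]$v }
    [DateTime]::FromFileTimeUtc($ticks)
}

$blob = [byte[]]$props.PinRulesEncodedCtl
"PinRules last sync (UTC): $(ConvertFrom-RegFileTime $props.PinRulesLastSyncTime)"
"Blob size: $($blob.Length) bytes, header: $(($blob[0..7] | ForEach-Object { $_.ToString('x2') }) -join ' ')"

# Write the DER blob to disk and let certutil parse the PKCS#7/CTL structure.
$stl = Join-Path $env:TEMP 'pinrules.stl'
[IO.File]::WriteAllBytes($stl, $blob)
$dump = & certutil.exe -dump $stl

# Each CTL entry surfaces as a "Subject Identifier:" line; here that is the
# pinned host name (leading dot = subdomains, bare = exact host).
$names = $dump | ForEach-Object {
    if ($_ -match '^\s*Subject Identifier:\s*(\S+)') { $Matches[1] }
}
"$($names.Count) pinned names"
$names | Sort-Object -Unique

# Keep the full dump around: the trusted-root section further down is where
# the CA list the names are pinned to comes from.
$dump | Set-Content -Path (Join-Path $env:TEMP 'pinrules-dump.txt')
```

Compare the printed header bytes with the 30 82 .. .. 06 09 2a 86 48 prefix noted above before trusting the dump; if they differ, the value is not the CTL you think it is.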

Edit 1 (2016-09-24): This seems to be - at least partially - related to Telemetry, as briefly mentioned at the only page I could find: https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization

Edit 2 (2016-09-27): After some more decoding: here’s the list of root CAs the above domains are pinned to:

Baltimore CyberTrust Root
DigiCert High Assurance EV Root CA
Entrust Root Certification Authority - G2
Entrust.net Certification Authority (2048)
GeoTrust Global CA
GlobalSign Root CA
GTE CyberTrust Global Root
Microsoft Root Certificate Authority
Microsoft Root Certificate Authority 2011
thawte Primary Root CA - G3
VeriSign Class 3 Public Primary Certification Authority
VeriSign Class 3 Public Primary Certification Authority - G5