On Tuesday, a critical vulnerability in Microsoft's CryptoAPI was patched. It can allow an attacker to generate a CA that the system considers trusted, allowing attacks on TLS, code signing and co.
In this video, we look at how exactly that vulnerability works, and how we can attack it using Oliver Lyak's proof-of-concept!
If you don't know public key cryptography or want to learn more about EC, check the ArsTechnica EC primer: arstechnica.com/information-t...
The awesome PoC: github.com/ollypwn/CVE-2020-0601
Thomas Ptacek's explanation: news.ycombinator.com/item?id=...
The NSA advisory: media.defense.gov/2020/Jan/14...
Kudelski Blogpost: research.kudelskisecurity.com...
ArsTechnica Article: arstechnica.com/information-t...
CVE-2020-0601 aka Curveball: A technical look inside the critical Microsoft CryptoAPI vulnerability