Didier Stevens

Monday 1 October 2012

Searching For That Adobe Cert

Filed under: Encryption,Forensics,My Software — Didier Stevens @ 19:24

You probably know by now that Adobe will revoke a compromised code signing certificate in a couple of days. As we seem to have had more code-signing-related security incidents recently, I started to develop a couple of new tools.

AnalyzePESig is a tool to check signatures in PE files, just like Sysinternals’ sigcheck, but with a couple of differences.

First, when a signature is not valid, AnalyzePESig tells you why and still displays information about the invalid signature and the related certificates. Second, AnalyzePESig displays more information. Third, it is open source.

Here is how you use AnalyzePESig to look for executables signed with that Adobe certificate that will soon be revoked:

analyzepesig -e -v -s -o windows.csv c:\windows

This will produce a CSV list of all executables found in the c:\windows directory.

Filter this list for lines that include the string fdf01dd3f37c66ac4c779d92623c77814a07fe4c (this is the fingerprint of the compromised certificate):

As you can see, I have Flash components signed with this compromised certificate. Now, this does not mean that these executables are compromised. To get a better idea, I can use my virustotal-search tool to search VirusTotal.
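As an added example (this is not code from the original post or from AnalyzePESig itself), here is a small Python filter that does the fingerprint search over the windows.csv produced by the command above. It assumes the record layout described in the comments below: 19 fields separated by ";" (because "," occurs inside fields), the chain fields joined with "|", in the order of the labelled output quoted in comment 8; the sample records are constructed from the Adobe Connect record quoted in comment 5.

```python
# Added example, not code from the original post or from AnalyzePESig: filter
# the CSV produced by the command above for files whose certificate chain holds
# the compromised Adobe certificate. Layout assumed from the comments: 19 fields
# separated by ';', chain fields joined by '|', in the order of comment 8's labels.
COMPROMISED_THUMBPRINT = "fdf01dd3f37c66ac4c779d92623c77814a07fe4c"
FIELDS = ["filename", "md5", "entropy", "valid_signature", "error_code",
          "from_catalog", "issuer_name", "subject_name", "timestamp_countersignature",
          "root_name", "root_thumbprint", "signature_hash_algorithm",
          "subject_name_chain", "signature_hash_algorithm_chain", "serial_number_chain",
          "thumbprint_chain", "keylength_chain", "file_description", "company_name"]
CHAIN_FIELDS = [f for f in FIELDS if f.endswith("_chain")]

# Constructed sample: comment 5's Adobe Connect record (DNs shortened, path dropped)
# plus a made-up unsigned file whose chain fields are empty.
SAMPLE_CSV = [
    "connectaddin.exe;1203d5deb4c6413e1b52127259b659e1;6.72158;1;"
    "0 The operation completed successfully.;0;VeriSign Class 3 Code Signing 2010 CA;"
    "Adobe Systems Incorporated;2012/02/17 16:12:25;CN=VeriSign Class 3 Public Primary "
    "Certification Authority - G5;4eb6d578499b1ccf5f581ead56be3d9b6744a5e5;SHA1;"
    "CN=Adobe Systems Incorporated|CN=VeriSign Class 3 Code Signing 2010 CA|CN=VeriSign G5;"
    "sha1RSA(RSA)|sha1RSA(RSA)|sha1RSA(RSA);"
    "15e5ac0a487063718e39da52301a0488|5200e5aa2556fc1a86ed96c9d44b33c7|18dad19e267de8bb4a2158cdcc6b3b4a;"
    "fdf01dd3f37c66ac4c779d92623c77814a07fe4c|495847a93187cfb8c71f840cb7b41497ad95c64f|4eb6d578499b1ccf5f581ead56be3d9b6744a5e5;"
    "1024|2048|2048;Adobe Connect Add-in 9.4 r96;Adobe Systems, Inc.",
    "unsigned.exe;d41d8cd98f00b204e9800998ecf8427e;5.1;0;(no signature);0" + ";" * 13,
]

def parse_record(line):
    """Split one AnalyzePESig CSV line into a dict; chain fields become lists."""
    parts = line.rstrip("\r\n").split(";")
    if len(parts) != len(FIELDS):
        return None  # header, truncated or otherwise malformed line: skip, do not guess
    rec = dict(zip(FIELDS, parts))
    for name in CHAIN_FIELDS:
        rec[name] = rec[name].split("|")
    return rec

def find_signed_by(lines, thumbprint=COMPROMISED_THUMBPRINT):
    """Return (filename, chain position, signature valid) for records whose thumbprint
    chain contains `thumbprint`; position 0 is the signing (leaf) certificate."""
    wanted = thumbprint.lower()
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        chain = [t.strip().lower() for t in rec["thumbprint_chain"]]
        if wanted in chain:
            hits.append((rec["filename"], chain.index(wanted), rec["valid_signature"] == "1"))
    return hits
```

Passing an open windows.csv to find_signed_by() lists every file whose chain carries the fingerprint; the position tells you whether the compromised certificate is the actual signer (0) or merely appears higher in the chain.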

And here is another example, JP2KLib.dll, a DLL of Adobe Reader X:

AnalyzePESig_V0_0_0_1.zip (https)
MD5: 4BE29E4A5DE470C6040241FD069010C4
SHA256: FB83C6491690402273D42A3335777E77EA29328F5FE8503FF6F5EF62833D1FBC

10 Comments »

  1. I ran your example command against %windir% — no hits. This is Windows 8, Consumer Preview, Build 8250 running in Parallels.

    However, when running the command I got from time to time “FindFirstFile failed” output lines on %stderr% (in total about 40x).

    The windows.csv has 37.008 lines (37 MBytes). Is it correct that the CSV lines have up to 36 fields (or even more?) each?

    Comment by Anonymous — Tuesday 2 October 2012 @ 0:33

  2. @Anonymous The FindFirstFile error occurs if the program cannot access a directory. You probably ran the program without elevation.
    There are 19 fields. The separator is ; because , is already present in some of the fields.

    I will post another blog post with more details about the tool; here I wanted to get it out for the Adobe certificate.

    Comment by Didier Stevens — Tuesday 2 October 2012 @ 8:35

  3. […] (which we surely have; this tool can be used to find out) are compromised. https://blog.didierstevens.com/2012/10/01/searching-for-that-adobe-cert/ It is not known since when the certificate may have been compromised, and a potential attacker has […]

    Pingback by ¿Qué ha pasado con el certificado de Adobe? | Capitan Crunch — Tuesday 2 October 2012 @ 14:18

  4. […] Adobe files signed with this certificate that we have on our system (which we surely have; this tool can be used to find out) are compromised. It is not known since when the certificate may have been compromised […]

    Pingback by ¿Qué ha pasado con el certificado de Adobe? | Virus Expert — Tuesday 2 October 2012 @ 15:42

  5. Didier, you can add the Adobe Connect web conferencing software to your list of things signed by the compromised certificate. Here’s the output of your tool, converting semicolons to line feeds:

    %USERPROFILE%\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectaddin.exe
    1203d5deb4c6413e1b52127259b659e1
    6.72158
    1
    0 The operation completed successfully.
    0
    VeriSign Class 3 Code Signing 2010 CA
    Adobe Systems Incorporated
    2012/02/17 16:12:25
    C=US, O=”VeriSign, Inc.”, OU=VeriSign Trust Network, OU=”(c) 2006 VeriSign, Inc. – For authorized use only”, CN=VeriSign Class 3 Public Primary Certification Authority – G5
    4eb6d578499b1ccf5f581ead56be3d9b6744a5e5
    SHA1
    C=US, S=California, L=San Jose, O=Adobe Systems Incorporated, OU=Information Systems, OU=Digital ID Class 3 – Microsoft Software Validation v2, CN=Adobe Systems Incorporated|C=US, O=”VeriSign, Inc.”, OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA|C=US, O=”VeriSign, Inc.”, OU=VeriSign Trust Network, OU=”(c) 2006 VeriSign, Inc. – For authorized use only”, CN=VeriSign Class 3 Public Primary Certification Authority – G5
    sha1RSA(RSA)|sha1RSA(RSA)|sha1RSA(RSA)
    15e5ac0a487063718e39da52301a0488|5200e5aa2556fc1a86ed96c9d44b33c7|18dad19e267de8bb4a2158cdcc6b3b4a
    fdf01dd3f37c66ac4c779d92623c77814a07fe4c|495847a93187cfb8c71f840cb7b41497ad95c64f|4eb6d578499b1ccf5f581ead56be3d9b6744a5e5
    1024|2048|2048
    Adobe Connect Add-in 9.4 r96
    Adobe Systems, Inc.

    Comment by Andrew From Vancouver — Tuesday 2 October 2012 @ 19:05

  6. @Andrew Thanks!

    Comment by Didier Stevens — Tuesday 2 October 2012 @ 19:12

  7. […] Adobe files signed with this certificate that we have on our system (which we surely have; this tool can be used to find out) are compromised. It is not known since when the certificate may have been compromised […]

    Pingback by ¿Qué ha pasado con el certificado de Adobe? | Sofree — Tuesday 2 October 2012 @ 19:49

  8. You seem to be able to find certificates in HTML files
    \AnalyzePESig\Release\AnalyzePESig.exe :\Windows\winsxs\x86_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.0.6000.16386_en-us_6b7048cac67fda57\settings.html
    Filename: settings.html
    MD5: 4cbbb6fbafd880016ee193d8a4959052
    Entropy: 3.24343
    Valid signature: 1
    Error code: 0 The operation completed successfully.
    From catalog file: 1
    Issuer name: Microsoft Windows Verification PCA
    Subject name: Microsoft Windows
    Timestamp countersignature: 2006/11/02 06:12:58
    Root name: DC=com, DC=microsoft, CN=Microsoft Root C
    Root thumbprint: cdd4eeae6000ac7f40c3802c171e30148030c072
    Signature hash algorithm: SHA1
    Subject name chain: C=US, S=Washington, L=Redmond, O=Microsof
    Subject name chain: C=US, S=Washington, L=Redmond, O=Microsof
    n PCA
    Subject name chain: DC=com, DC=microsoft, CN=Microsoft Root C
    Signature hash algorithm chain: sha1RSA(RSA)
    Signature hash algorithm chain: sha1RSA(RSA)
    Signature hash algorithm chain: sha1RSA(RSA)
    Serial number chain: 610b6c41000000000005
    Serial number chain: 610702dc00000000000b
    Serial number chain: 79ad16a14aa0a5ad4c7358f407132e65
    Thumbprint chain: e6c167825915cf2bbf4969d75dfe1bf08ce87290
    Thumbprint chain: 5df0d7571b0780783960c68b78571ffd7edaf021
    Thumbprint chain: cdd4eeae6000ac7f40c3802c171e30148030c072
    Keylength chain: 2048
    Keylength chain: 2048
    Keylength chain: 4096
    File description:
    Company name:

    Comment by PaulH — Friday 12 October 2012 @ 20:13

  9. @PaulH Remark that “From catalog file” is equal to 1. This means that AnalyzePESig was able to find a signature in a catalog file. In other words, the signature is not inside the HTML file, but the hash of the HTML file can be found in a catalog file.

    Comment by Didier Stevens — Friday 12 October 2012 @ 23:02

  10. […] I added several new fields to the output produced by my new tool AnalyzePESig: […]

    Pingback by Update: AnalyzePESig Version 0.0.0.2 « Didier Stevens — Tuesday 20 November 2012 @ 20:59

