Didier Stevens

Wednesday 11 December 2013

MS13-098: Fixing Authenticode

Filed under: Encryption,Hacking — Didier Stevens @ 23:17

In 2009 I added a command to my Disitool to inject data “into” an Authenticode signature without invalidating it.

This year I reported on some installer programs using this padding trick.

With MS13-098, Microsoft releases a patch to prevent this signature padding trick. This change in behavior will become active June 10th 2014.

But you can already activate it now by setting reg_sz key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck to “1”.

Here is the effect illustrated with my AnalyzePESig tool:

20131211-230933

But beware of a potential issue with this regkey. Setting it to “0” will not revert to the old behavior (tested in VM with Windows XP SP3).

I had to deleted the key (actually, I renamed it) and reboot to revert to the old behavior. I informed Microsoft.

2 Comments »

  1. I also tested MS13-098 and EnableCertPaddingCheck to “1″.
    Afterthat Terminal Service didn’t start anymore unter Windows XP PRO SP3 German,

    After remove of EnableCertPaddingCheck Terminal Service works fine.

    Comment by Reto Felix — Wednesday 12 February 2014 @ 15:00

  2. There’s a new announcement on https://technet.microsoft.com/en-gb/library/security/2915720
    “V1.4 (July 29, 2014): Revised advisory to announce that Microsoft no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. It remains available as an opt-in feature. See the Advisory FAQ section for more information.”

    Comment by Anonymous — Thursday 7 August 2014 @ 23:44


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 236 other followers

%d bloggers like this: