Didier Stevens

Wednesday 15 January 2020

Using CveEventWrite From VBA (CVE-2020-0601)

Filed under: Encryption — Didier Stevens @ 19:46

Microsoft’s patch for CVE-2020-0601 introduces a call to CveEventWrite in CryptoAPI when a faked certificate is detected.

This will write a Windows event entry in the Application event log.

For all of you out there in restricted corporate environments who need to test the processing of this event log entry, I wrote some VBA code to generate this event. The generated event will mimic a CVE-2020-0601 warning to some extent (didn’t bother getting para and otherPara right).

Copy the VBA code below in an Office application that supports VBA, like Word, and run the code. Then check your Application event log.


Option Explicit

'VBA7
Declare PtrSafe Sub CveEventWrite Lib "advapi32" (ByVal CveId As String, ByVal AdditionalDetails As String)

Sub TestCveEventWrite()
    Dim strCveId As String
    Dim strAdditionalDetails As String

    strCveId = "[CVE-2020-0601] cert validation"
    strAdditionalDetails = "CA: <@DidierStevens> sha1: 7A036FBBDBF7F29A3821A8087CE177E60927A6F3 para: something otherPara: something"
    CveEventWrite StrConv(strCveId, vbUnicode), StrConv(strAdditionalDetails, vbUnicode)
End Sub

 

Blog at WordPress.com.