Didier Stevens

Wednesday 15 January 2020

Using CveEventWrite From VBA (CVE-2020-0601)

Filed under: Encryption — Didier Stevens @ 19:46

Microsoft’s patch for CVE-2020-0601 introduces a call to CveEventWrite in CryptoAPI when a faked certificate is detected.

This will write a Windows event entry in the Application event log.

For all of you out there in restricted corporate environments who need to test the processing of this event log entry, I wrote some VBA code to generate this event. The generated event will mimic a CVE-2020-0601 warning to some extent (didn’t bother getting para and otherPara right).

Copy the VBA code below in an Office application that supports VBA, like Word, and run the code. Then check your Application event log.


Option Explicit

'VBA7
Declare PtrSafe Sub CveEventWrite Lib "advapi32" (ByVal CveId As String, ByVal AdditionalDetails As String)

Sub TestCveEventWrite()
    Dim strCveId As String
    Dim strAdditionalDetails As String

    strCveId = "[CVE-2020-0601] cert validation"
    strAdditionalDetails = "CA: <@DidierStevens> sha1: 7A036FBBDBF7F29A3821A8087CE177E60927A6F3 para: something otherPara: something"
    CveEventWrite StrConv(strCveId, vbUnicode), StrConv(strAdditionalDetails, vbUnicode)
End Sub

 

15 Comments »

  1. Thanks Didier, very useful! To those using them, it worked for me when putting the code in a VBA module in Word, not in the “ThisDocument” Word object that opens by default when you open the Developer menu.

    Comment by Joris — Thursday 16 January 2020 @ 9:20

  2. Are any other patches taking advantage of CveEventWrite to notify on vulnerable conditions?

    Comment by MonkeyK — Thursday 16 January 2020 @ 14:35

  3. This does not work for me in Office2019.

    I hit run and get this:

    —————————
    Microsoft Visual Basic for Applications
    —————————
    Compile error:

    Constants, fixed-length strings, arrays, user-defined types and Declare statements not allowed as Public members of object modules
    —————————
    OK Help
    —————————

    Comment by Anonymous — Friday 17 January 2020 @ 0:59

  4. Worked for me, but triggered our IDS when it saw the file cross the wire. Alert indicated the payload matches signature for a meterpreter payload.

    Comment by houston_jon — Friday 17 January 2020 @ 22:50

  5. That’s correct Joris. If you put this code in an object module (like a document object: ThisDocument, ThisWorkbook, Sheet1, …) you’ll get an error when running the code:
    “Constants, fixed-length strings, arrays, user-defined types and Declare statements not allowed as Public members of object modules”
    A workaround, like you rightly observed, is to use a “non-object” module.
    Another workaround is to make the declare statement private: Private Declare PtrSafe …

    Comment by Didier Stevens — Saturday 18 January 2020 @ 11:08

  6. This was discussed in the following Twitter threat: https://twitter.com/mkolsek/status/1217796761072361472
    Tavis mentioned fontdrvhost.exe, but that call is no longer present in the latest version.

    I quickly scanned my Windows folder, and found only crypt32.dll importing and calling CveEventWrite.

    Comment by Didier Stevens — Saturday 18 January 2020 @ 11:11

  7. Check my first reply.

    Comment by Didier Stevens — Saturday 18 January 2020 @ 11:11

  8. Which file are you referring to? The HTML file of this blog post?

    Comment by Didier Stevens — Saturday 18 January 2020 @ 11:12

  9. With regards to comment #4 – I saved the word file containing the VBA on my laptop and after getting it to run and reviewing the event viewer, I copied it to a file server. During the copy operation our IDS saw the traffic and alerted. We were able to re-create the alert by moving the file again. Didn’t know if anyone else received alerts from a security control/solution.

    Comment by Anonymous — Saturday 18 January 2020 @ 12:05

  10. Thank you for your reply. I will create a Word file and upload it to VirusTotal and see what happens. FYI: you can execute macros like this without saving them to a file. Start Word, copy the macros to a VBA module, and run the sub, all without saving the Word document. This can also bypass some macro restrictions.

    Comment by Didier Stevens — Saturday 18 January 2020 @ 12:08

  11. Replying to #10–my file didn’t trigger anything in VT; here’s snort rule causing detection: ‘alert tcp any any -> $HOME_NET any (msg:”Meterpreter Staged Payload Windows Reverse TCP download”; content:”|00|core_channel_open|00|”; content:”|00|core_channel_write|00|”; distance:0; content:”|00|core_channel_close|00|”; distance:0; content:”|00|core_negotiate_tlv_encryption|00|”; distance:0; content:”|00|core_transport_getcerthash|00|”; distance:0; classtype:shellcode-detect; sid:9902033; tag:session,5,packets; rev:11;)’

    Comment by Anonymous — Saturday 18 January 2020 @ 15:20

  12. This is very interesting. I reproduced what you did, but the strings (content) in that Snort rule do not appear in my file. Are you able to share your file? If you are and you uploaded the file to VT, I just need a hash to download it from VT. Thanks.

    Comment by Didier Stevens — Saturday 18 January 2020 @ 18:14

  13. […] Didier Stevens Using CveEventWrite From VBA (CVE-2020-0601) […]

    Pingback by Week 3 – 2020 – This Week In 4n6 — Sunday 19 January 2020 @ 8:45

  14. File doc1.docm has been uploaded to VT; 50e929880dd542b60bd78715dd6e32d8746fd71b14ddd716b706c23c6e57f2a2; i didn’t have the original, but re-created the blank .docm i used last week which tripped IDS

    Comment by houston_jon — Monday 20 January 2020 @ 23:16

  15. In case your prefer powershell over VBA and word:

    $MethodDefinition=@”
    [DllImport(“advapi32.dll”, CharSet = CharSet.Unicode)]
    public static extern long CveEventWrite(string CveId, string AdditionalDetails);
    “@

    $advapi32= Add-Type -MemberDefinition $MethodDefinition -Name ‘advapi32’ -Namespace ‘Win32’ -PassThru

    $strCveId = “[CVE-2020-0601] cert validation”
    $strAdditionalDetails = “CA: sha1: 7A036FBBDBF7F29A3821A8087CE177E60927A6F3 para: something otherPara: something”

    $advapi32::CveEventWrite($strCveId,$strAdditionalDetails)

    Comment by Micha O. (@oppimaniac) — Wednesday 22 January 2020 @ 9:31


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.