Microsoft Fixes Windows Certificate Spoofing Bug Abusing CAT Files

Microsoft’s October 2020 Patch Tuesday fixed 87 security bugs, one of which is an “Important” Windows spoofing vulnerability, CVE-2020-16922, that abuses Microsoft catalog (CAT) files.

The vulnerability enables attackers to build “polyglot malware,” a single file that is valid as more than one file type, in order to spoof digital signatures: the file passes signature validation as one type and executes as another.

What are signature spoofing vulnerabilities?

To let users and the operating system verify that an executable comes from its publisher and has not been altered, software publishers digitally sign their releases before shipping them, a process known as code signing.

Signature spoofing flaws let attackers pass off inauthentic, and possibly malicious, executables as if they had been signed by a legitimate publisher, so that security checks which trust a valid signature are bypassed.

An example would be CVE-2020-1464, a spoofing vulnerability that was actively exploited for two years before being patched by Microsoft during the August 2020 updates.


The flaw allows an attacker to append a malicious Java archive (JAR) to a legitimately signed Microsoft Windows Installer (.MSI) package, producing a single file that is simultaneously the signed MSI and the attacker’s JAR.

The entire resulting file, containing both the MSI and the attacker’s JAR, would appear to carry the MSI package’s valid signature, even though the appended JAR was never signed.

Figure: Structure of an MSI-JAR polyglot file (source: Microsoft)

The flaw comes from the two parsers reading the same file from opposite ends. Windows’ signature validation reads the MSI from the beginning of the file up to the end of the digital signature and discards whatever follows, so the appended JAR does not invalidate the signature.

The Java Virtual Machine (JVM), by contrast, locates a JAR’s contents from the end of the file, where the ZIP central directory lives, so it finds the appended JAR’s entries first and never needs to interpret the MSI bytes in front of them.

This enabled attackers to ship a working Java executable (JAR), which could run their malicious code with the seal of a legitimate corporation that had signed the MSI.
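The following Python is an added example, not code from the original article or from Microsoft. It builds a toy polyglot of the shape described above and shows both halves of the problem: a ZIP reader (Python’s zipfile here, behaving like the JVM) locates the archive from the end-of-central-directory record and reads the appended JAR regardless of what precedes it, while a short detector computes how many bytes were prepended, which is the tell-tale of this technique whether the prefix is an MSI or, as in CVE-2020-16922, a CAT file. The “signed installer” prefix is constructed bytes standing in for a signed MSI or CAT (it only borrows the OLE compound-file magic that real MSI files start with); no Authenticode signature or verification is involved, and the JAR entries are constructed as well.

```python
"""Toy signed-installer + JAR polyglot and a detector for prepended data.

Constructed example: the 'signed' prefix is opaque bytes, not a real
Authenticode-signed MSI/CAT, and the JAR contents are made up.
"""
import io
import struct
import zipfile

# Constructed stand-in for a signed MSI or CAT. A real Authenticode verifier
# reads only the signed region and ignores trailing bytes; to a ZIP parser the
# whole prefix is junk that must be skipped.
FAKE_SIGNED_PREFIX = b"\xd0\xcf\x11\xe0" + b"INSTALLER-BODY" * 32 + b"<SIGNATURE>"

# Constructed JAR contents: a manifest naming a (fake) main class and a stub
# class file carrying only the Java class magic.
FAKE_JAR_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: Dropper\n",
    "Dropper.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
}


def build_jar(entries: dict) -> bytes:
    """Create a JAR (a plain ZIP archive) in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_polyglot(signed_prefix: bytes, jar: bytes) -> bytes:
    """Prepend the 'signed' blob to the JAR. The ZIP central directory stays at
    the very end of the file, which is all a JAR loader needs."""
    return signed_prefix + jar


def read_jar_entries(blob: bytes) -> dict:
    """Read the archive the way the JVM does: zipfile finds the end-of-central-
    directory record by scanning from the end, so leading bytes are ignored."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def prepended_bytes(blob: bytes) -> int:
    """Return how many bytes precede the ZIP structure (0 for a clean archive).

    The EOCD record says how large the central directory is and at which
    offset the writer placed it. The directory actually sits immediately
    before the EOCD, so the gap between the two numbers is data that was put
    in front of the archive after it was written.
    """
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP/JAR")
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_this(2) n_total(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", blob, eocd + 12)
    actual_cd_start = eocd - cd_size
    return actual_cd_start - cd_offset


def looks_like_polyglot(blob: bytes) -> bool:
    """Detection heuristic: a file that parses as a ZIP but whose archive does
    not start at byte 0 has something (an installer, a catalog, ...) in front."""
    try:
        return prepended_bytes(blob) > 0
    except ValueError:
        return False  # not ZIP-parsable at all, so not a JAR polyglot


if __name__ == "__main__":
    jar = build_jar(FAKE_JAR_ENTRIES)
    poly = build_polyglot(FAKE_SIGNED_PREFIX, jar)
    print("starts with OLE magic:", poly[:4] == b"\xd0\xcf\x11\xe0")
    print("JAR entries still readable:", sorted(read_jar_entries(poly)))
    print("prepended bytes:", prepended_bytes(poly), "(clean JAR:", prepended_bytes(jar), ")")
    print("flagged as polyglot:", looks_like_polyglot(poly))
```

The check is a triage signal, not a verdict: self-extracting archives and some installers legitimately carry a stub in front of a ZIP, so a non-zero result means “inspect the prefix and the signature scope”, not “block”. What it does reliably catch is the GlueBall shape, a file whose first bytes belong to a signed object while its last bytes belong to an archive a runtime will happily execute.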

What is different about CVE-2020-16922?

In its public advisory for CVE-2020-16922, patched in the October 2020 Patch Tuesday release, Microsoft provides little information beyond the fact that another spoofing vulnerability was fixed.

“A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files,” Microsoft’s CVE-2020-16922 advisory states.

In a private Microsoft enterprise security advisory shared with BleepingComputer, Microsoft explains that the October update extends the August fix for CVE-2020-1464 to cover Microsoft catalog (.CAT) files, which, like MSI packages, carry a digital signature and so can serve as the signed prefix of a polyglot.

Figure: Digital signature belonging to a sample .CAT file (source: BleepingComputer)

“This vulnerability lets specially crafted malicious files appear as validly signed if prepended with content from signed installer files (MSI) and catalog files (CAT).”


“By exploiting this vulnerability, a specially crafted malicious file can appropriate trust that has been originally given to a signed file, allowing the malicious file to bypass various security checks, including code signing validation.” reads the non-public advisory for Microsoft enterprise customers.

In other words, an attacker could prepend a signed CAT file to a malicious file so that Windows treats the malicious file as if it too had been signed by the entity that signed the CAT file.

“Malware authors have exploited this vulnerability by crafting polyglot malware, combining multiple file types to produce a new merged type. More specifically, they have used validly signed MSI or CAT files from Microsoft and other software publishers, combining them with malicious Java archives (JAR) and files to take full advantage of the way JAR files are read,” the advisory further continued.

Detection and Mitigation

When using Microsoft Defender antivirus with up to date definitions, the detection of one or more of the following signatures indicates a signature spoofing exploit may have been used:

  1. Behavior:Win32/Maljar.B: detects behaviour associated with the Ratty Java RAT used in attacks that exploit this vulnerability
  2. Trojan:Java/Rajimsi (variants A to E): detects Java malware that incorporates content from signed MSI files to spoof legitimate signatures
  3. Trojan:Win32/Maljarcat.A: detects Java malware that incorporates content from signed CAT files to spoof legitimate signatures
  4. Trojan:Java/Rajimsi.gen!A
  5. Trojan:Java/Rajimsi.gen!B

Microsoft advises users to apply the October 2020 updates, which, being cumulative, contain the fixes for both CVE-2020-1464 and CVE-2020-16922.

Additionally, Microsoft points out that Defender’s cloud-delivered protection uses AI and machine learning to detect such threats before a definition exists for them:

“Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.”
