Thursday, February 19, 2015

Extracting the SuperFish certificate

I extracted the certificate from the SuperFish adware and cracked the password ("komodia") that encrypted it. I discuss how down below. The consequence is that I can intercept the encrypted communications of SuperFish's victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot. Note: this is probably trafficking in illegal access devices under the proposed revisions to the CFAA, so get it now before they change the law.

I used simple reversing to find the certificate. As reported by others, program is packed and self-encrypted (like typical adware/malware). The proper way to reverse engineer this is to run the software in a debugger (or IDApro), setting break point right after it decrypts itself. The goal is to set the right break point before it actually infects your machine -- reversers have been known to infect themselves this way.

The ghetto way is to just to run this on a machine, infecting yourself, and run "procdump" (by @markrussinovich) in order to dump the process's memory. That's what I did, by running the following command:
procdump -ma VisualDiscovery.exe super.dmp
The proper reversing is to actually tear apart the memory structures, such as using VisualStudio:

The ghetto reversing is to run strings. This is an ancient (mid-1980s) program that simply extracts human readable strings out of a binary file, discarding the rest. It's really a stupid simple program.
strings super.dmp > super.txt
At that point, I load the file super.txt into a text editor and searched for the string "PRIVATE KEY". Sure enough, it popped right up. It's actually located several times in the memory dump.

At this point, I copied/pasted the certificate into a file super.pem. I then attempted to look at it using OpenSSL. However, I was presented with a password prompt. This file has been encrypted with a password.

Okay, that's annoying, but that just means we need to crack the password. However, I can't find a password cracker on the Internet that handles SSL PEM files, so I wrote my own certificate password cracker. It's pretty bad, using the OpenSSL decrypt API in a single thread, so it's not pretty. But it's sufficient for my needs.

The encryption is actually pretty good, meaning I can only do a couple hundred guesses per second. This means that there is no chance of brute-forcing any password longer than 5 characters (brute-force means to try all possible combinations), it'd take billions of years. Instead, I want to do a dictionary attack. This is where I load a file of common words and test them one-by-one to see if they work.

I tried the small dictionary john.dict that comes with John-the-Ripper, and it didn't find anything. But of course, I don't need a real dictionary. The password is probably also in the clear in the memory dump. I could just use the file super.txt as my dictionary! I tried this, but it was taking a long time, with 150k unique lines of text. It'd take many hours to complete. To speed things up, I filtered the list for just lower-case words
grep "^[a-z]*$" super.txt | sort | uniq > super.dict
This leaves a dictionary of only 2203 words. I ran my cracking tool, and found the password in 10 seconds, "komodia".

Armed with this password, I continued where I left off with the openssl command-line tool and successfully decoded the certificate. I can now use this to Man-in-the-Middle people with Lenovo desktops (in theory, I haven't tried it yet).

Note that the password "komodia" is suggestive -- that's a company that makes an SSL "redirector" for doing exactly the sort of interception that SuperFish is doing. They market it as security software so you can spy on your kids, and stuff. A description of this component, their "SSL Digester", is here. They market it for "ad injection" here. That site teaches us a lot about what SuperFish can do.

(BTW, thanks to @chigley101 for linking a download of the software. Also note that @supersat and @paul_pearce found the password before I did, though as far as I know they haven't published it. Note that it's Chris Palmer (@fugueish) that first noticed the implications of these certificates).


E-S said...

I strongly suspect Komodia's Redirector shares the exact same certificate.

Yes, I have very little faith left in mankind, why ask ?

Unknown said...

That regexp looks like a good way to make your dictionnary very small. Very very small.

Robert Graham said...

Oops, Nicolas, I forget the splat :) Fixing now...

Anonymous said...

Nice job, dude!

Anonymous said...

Nice hack. Perhaps don't say 'ghetto' so much.

Unknown said...

"The password is probably also in the clear in the memory dump."

Why/how would the password be in the memory dump?

Unknown said...

@Matthew Aho - to some extent it depends on how lazy the authors were. even just base64 encoding of the password would have hidden it from strings!

The userify enterprise binary has an easter egg visible only from strings :)

Privacy and Security Defender said...

Nice work! Congrats! -:)'

Unknown said...
This comment has been removed by the author.
Sami said...

The password needs to be available to the software in order for it to sign certificates with the private key. It could be somewhat obfuscated, but there's really nothing the authors could do to prevent someone with moderate reverse engineering skills from learning it fairly quickly.

Sami said...

The password needs to be available to the software in order for it to sign certificates with the private key. It could be somewhat obfuscated, but there's really nothing the authors could do to prevent someone with moderate reverse engineering skills from learning it fairly quickly.

Shish said...

> [strings] is really a stupid simple program.

LeoNerd said...

Sooo.... the passphrase was all lower-case, the name of the company that made it.

It wasn't some random long string of characters. It wasn't the name of the CEO's first pet dog. It wasn't even "Komodia123".

Let that sink in a moment. The creators of this system were so amazingly incompetent, I'm honestly surprised it works at all.

MrTidy OTR said...

Liked your post - particularly that you shared your approach / thought processes. Thank you.

My blogs said...

How come the password was in the file though ?
It's a bad practice that lead you to find it, am I right ?

J Snell said...

Is this detectable on the server end by looking at the signature of the client certificate? It would be great for websites to block or warn people running this software.

Pranshu Bajpai said...

Good job! I do not understand why the password was stored in cleartext in memory. I mean if they went through the trouble of hiding a malware deep within the hardware, why did they store the password in plaintext in memory?

Unknown said...
This comment has been removed by the author.
Jonas Finnemann Jensen said...

I have to ask, but couldn't they generate the SSL certificate upon install. Such that each install of the program has a unique certificate.

Then the cert would be useless for man in the middle attacks.

Unknown said...

That's what Avast does when it does man-in-the-middle attacks on SSL. I don't like that happening either, but at least its not as awful as this crapware!

Eddie said...

Anyone up for decoding the cert used by GoGo Inflight WiFi Service?

Daniel said...

"The consequence is that I can intercept the encrypted communications of SuperFish's victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot."

How? By just passively reading and decrypting or by providing a MITM proxy that uses that certificate yourself?

The first case would mean that the connections between the infected laptops and "the internet" already use that key, i.e. the superfish https MITM proxy is somewhere in the internet. Why would they even need the private key in the software then?

If their MITM proxy runs on the infected machines then the connections to the actual websites should use the real certificates - and you'd have to run your own MITM proxy, so just passive snooping wouldn't be enough.
(Not that running such a proxy is very hard...)

Just wondering, I haven't read much about the technical details of superfish yet :-)

Unknown said...

I've posted a PowerShell script to detect and remove this certificate over on Reddit.

ninjalj said...

If they "hide" the password on the binary in plain text, they should at least use something like "m cannot be run in D" as password, as half-jokingly suggested at At least the reverser will have some good laughs.

Canepazzo said...

What about searching for prime factors traversing the memory dump? Probably there's binary unencrypted RSA private key somewhere into RAM

Unknown said...

If you are a web site owner, this can impact you as well. A few of our customers were having problems but we found a simple fix:

David Klein said...

not that it matters, but there is already a shitty pkcs8 wordlister out there: i used this with your wordlist and it wordlisted the password in <4 seconds on debian 1GB ram VM.

jwatte_food said...

Because everybody works under time pressure with teams that have knowledge gaps.

jwatte_food said...

Because everybody works under time pressure with teams that have knowledge gaps.

Daniel said...

@Peter Pezaris:
Sorry, but just working around the problem with a tag was (and is) irresponsible.

It basically makes it harder for someone to notice that his PC is infected.

Glip should have made the problem public back then.
Ideally they would have tried to detect if the superfish JS was injected and warn affected users that they seem to be "infected" with "superfish" and should get rid of it.

I don't know 100% if that's possible from the JS-side, though (I'm not a web developer), but has found a way to test it by trying to load an image from a https server that uses a certificate signed by the SuperFish certificate.

So now that a way to detect superfish is known, one *really* shouldn't try to work around it (so your costumers think they have a working machine), but either try to detect superfish and display a warning, or at least do nothing so that the user hopefully notices that something is wrong and that he may have a malware problem.

By the way, this tag will *not* make superfish go away or anything, the traffic still is intercepted by them, the only difference is that their javascript (to show their ads) is not executed anymore.

Matt said...

Is it not that Komodia is a MIM tool which executes in memory of a workstation, between the network interface and the browser? So the traffic between the workstations NIC and the web server is still encrypted with the domain SSL certificate. Then Komodia acts like a browser, using the public key to decrypt the content for instpection. To fool the browser, it re-encrypts the content again with it's own certificate so the browser won't show a warning to the user.

I believe that it will not be possible to snoop https traffic in an internet cafe just because you have the komodia certificate. You'd have to be breaking into the computer and hook in between komodia and the browser.

Mark said...

Doesn't this violate the DMCA terms of attempting to thwart someone's encryption scheme? I'm not talking about the Extracting the key, I'm talking about the MITM attack.

Seems like the company that sells such SW should be in violation and subject to prosecution.

Lenovo would at least be on the hook as an accessory in that case.

Ritesh Gupta said...

Lenovo just bought MOTOROLA company, They are in a plan to spy whole users including mobile phone users.Lenovo Chinese Company want to spy Every American.Sad but Truth :(

Unknown said...

@Matt: Even if that were true, it would still be a very bad thing. Lenovo / Superfish / Komodia would be installing software with the capability to read every bit of encrypted web traffic from a customer's computer (credentials, banking information, etc.) They have no business doing that, for ANY reason. Any vendor who feels they can or should do this, can fuck off.

However, this situation is worse. Not only were they malicious, they were incompetent. By installing the same root certificate and key pair (easily stolen) on every computer, now anyone who wants to put in about 60 seconds of effort can forge a trusted SSL certificate for any website on the planet. They can execute MITM attacks against these vulnerable computers and steal all of the same information, without needing to run any malicious code on the vulnerable PC itself. (Lenovo, Superfish and Komodia have taken care of installing the malicious code already; thanks!) These MITM attacks would be tricky to detect; there could be nothing alarming about the site at first glance, unless you went out of your way to examine the SSL certificate and saw that it was issued by Superfish, Inc instead of some trusted, established CA.

Unknown said...
This comment has been removed by the author.
Unknown said...

> I have to ask, but couldn't they generate the SSL certificate upon install.

They cant. Windows does not allow software to add certificates to the Windows certificate store without prompting the user. The operation occurs in isolated code, isolated in the same way that passwords prompts are isolated.

The only way they can get the extra certificate into the certificate store without prompting a user is to pre-install it on the factory image.

Anonymous said...

The problem is manyfold:
- The SuperFish Proxy *doesn't* do SSL validation for the endpoint certs (the ones from the site). Someone infected with SuperFish can be tricked into entering a site using a selfsigned cert and the user wouldn't even know about this.
- If you removed/disabled the SuperFish proxy, you still have the SuperFish CA in your trusted certstore. Someone can pose as Google, Bank of America, whatever.
Any of these things can easily happen if you are using public wifi hotspots, as it is common for some to set up "free hotspots" that actually do MITM attacks if they can.

Melcor said...

I missed something ? If the private key was used to sign the traffic in MitM software, why it has to be bruteforced ?

Juelur rahman said...

Video Guy said...

Good article. One that provides technical details instead of lot of Superfish articles out there with scary messages.

If I understand correctly, Lenovo is installing a https proxy to intercept traffic (vs common proxies you find in enterprises that use http CONNECT verb to proxy https traffic). The proxy is creating self signed certs for every https site the browser is visiting, but signed by the root CA inside the proxy. The browser’s root cert store is updated with proxy’s root CA chain. But the proxy still communicates to destination over https doing usual https validations (like checking for self-signed certs vs Verisign signed ones etc).

I don’t think someone out there in the wild can decrypt data even if they have root CA private key as the proxy to destination site is https session which is protected by destination site’s private/public key pair. I saw articles claiming that they could decrypt https traffic if they are at a Cafe by having the root CA. But how?
The https traffic that gets affected by this proxy is the one from browser to localhost:proxy port. It beats me how someone outside the box can sniff that traffic.

Am I missing something here?

But someone out there can create a site that looks like say site with self signed cert signed by above root CA and start a phishing attack. If a customer with the Superfish software press that link and go to that site, the browser won’t warn that it is a phishing site.

This is far fetched and the impact is lot less than what most of the Superfish articles are portraying. Neverthless it is a bad business decision by Lenovo to install something like this at factory. I bet they will have a challenge selling into enterprises with the -ve press that this caused.

Tom Arkwright said...

A super article.

Two references in the article, labeled, [i]here[/i] are not available now possibly due to a DDOS attack happening as I write.

No prob!. The Products tab at this archived Komodia page [i][/i] takes you to the first reference, for [b]SSL Digestor[b/] (note this is the "correct" spelling in that it matches the web site, although it is only correctly [English usage].

The description of the [b]Ad Injector[/b] is also reachable from this tab. The Ad Injector product is interesting to me as it gives the mechanism for Javascript injection that can co-exist with global proxy injection.

For example, There is a call to the .exe with install flags, and it can intercept a browser, then inspect it using the DLL or COM framework and decide to inject Javascript or a HTML component.

Glory said...

Unknown said...

Today we are introducing Independent Test And Tag, a new simplified interface and additional support for Test And Tag templates.
If you are already using Google Tag Manager you can try the new features by upgrading your account.

Test and Tag

lisa said...

Unknown said...

Unknown said...

David Wong said...

They could have used a RSA whitebox to sign those fake certificates. It would have been way harder to reverse it.

Unknown said...

Unknown said...

Unknown said...

flavie said...

Unknown said...

Unknown said...

Unknown said...

Unknown said...

Unknown said...


Unknown said...


Anonymous said...

walden kayla said...

Unknown said...

Unknown said...

Unknown said...

Unknown said...

walden kayla said...

Anonymous said...

Anonymous said...

grace said...
Jaccy lamber said...
felisha green said...
