BENIGNCERTAIN — Remote Extraction of RSA Private Keys
TL;DR: The so-called BENIGNCERTAIN exploit dropped by the Shadow Brokers extracts RSA private keys from a captured memory dump using a technique similar to the one I described in a paper in 2006.
BENIGNCERTAIN is a "[..] remote exploit for Cisco PIX devices that sends an Internet Key Exchange (IKE) packet to the victim machine, causing it to dump some of its memory. The memory dump can then be parsed to extract an RSA private key and other sensitive configuration information" (from Mustafa Al-Bassam's writeup).
To extract RSA private keys from a captured memory dump, the exploit uses a technique similar to the one I described in a paper entitled "All Your Private Keys are Belong to Us — Extracting RSA Private Keys and Certificates from Process Memory" (2006).
A brief summary of the technique: The standard storage formats for RSA private keys and SSL certificates, as described in PKCS #8 and X.509 respectively, are used to create a signature for locating them in memory. Using this signature, a simple pattern match can be performed to extract the candidate asymmetric keys in their plaintext form, which can then be verified using an external tool such as OpenSSL.
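The signature-and-verify approach summarized above can be turned on your own core dumps or memory images to check whether plaintext RSA keys are exposed. The following is an added example, not code from the paper or from the leaked tool: the function names, the toy key and the sample dump are constructed for illustration, and an arithmetic check (n == p*q) stands in for verification with OpenSSL.

```python
import re

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL params);
# in a PKCS #8 PrivateKeyInfo it directly follows INTEGER version 0.
ALGID = bytes.fromhex("300d06092a864886f70d0101010500")
# Signature: SEQUENCE header, version 0, ALGID, then the OCTET STRING tag.
SIG = re.compile(rb"\x30(?:[\x00-\x7f]|\x81.|\x82..)\x02\x01\x00"
                 + re.escape(ALGID) + rb"\x04", re.S)

def tlv(buf, pos):
    """Parse one DER header at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    k = first & 0x7F if first >= 0x80 else 0      # long-form length byte count
    if first >= 0x80 and not 1 <= k <= 4:
        raise ValueError("unsupported length form")
    n = int.from_bytes(buf[pos + 2:pos + 2 + k], "big") if k else first
    if pos + 2 + k + n > len(buf):
        raise ValueError("structure runs past end of dump")
    return tag, pos + 2 + k, pos + 2 + k + n

def integers(buf, pos, end):
    """Yield the DER INTEGER values stored back to back in buf[pos:end]."""
    while pos < end:
        tag, start, pos = tlv(buf, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        yield int.from_bytes(buf[start:pos], "big")

def find_rsa_keys(dump):
    """Return [(offset, modulus_bits)] for each candidate that passes n == p*q."""
    hits = []
    for m in SIG.finditer(dump):
        try:
            _, body, end = tlv(dump, m.start())                 # PrivateKeyInfo
            _, octets, oend = tlv(dump, body + 3 + len(ALGID))  # privateKey OCTET STRING
            tag, ks, ke = tlv(dump, octets)                     # inner RSAPrivateKey
            _ver, n, _e, _d, p, q, *_ = integers(dump, ks, ke)
        except (ValueError, IndexError):
            continue                                            # false positive or truncated
        if tag == 0x30 and ke <= oend <= end and p > 1 and q > 1 and p * q == n:
            hits.append((m.start(), n.bit_length()))
    return hits

# Constructed sample: toy key (p=61, q=53) in PKCS #8 layout, plus a truncated copy.
def der(tag, body): return bytes([tag, len(body)]) + body   # short lengths only
def der_int(v): return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
RSA = der(0x30, b"".join(map(der_int, (0, 3233, 17, 2753, 61, 53, 53, 49, 38))))
KEY = der(0x30, der_int(0) + ALGID + der(0x04, RSA))
SAMPLE_DUMP = b"\xaa" * 64 + KEY + b"\x00" * 32 + KEY[:30] + b"\xff" * 8
```

On the constructed dump the intact key at offset 64 is reported, while the truncated copy matches the signature but is rejected during parsing.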
The following tweet contains different screenshots of the disassembly of the BENIGNCERTAIN exploit, showing the relevant code snippets:
(!!!) BENIGNCERTAIN looks like it is based on a *2006* technique from @tobiklein to extract keys from proc memory https://t.co/bBByaj05jr
— Matt Suiche (@msuiche) 20. August 2016
For a more detailed description of the BENIGNCERTAIN exploit refer to:
Extractor of pub&priv DER keys (bc-parser)
sign1 0x3000010
sign2 "\x0D\0x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" pic.twitter.com/qd7mBCcFZT
— Matt Suiche (@msuiche) 18. August 2016
Here's a quick writeup. BENIGNCERTAIN: remote exploit to extract Cisco VPN private keys. Will update as info comes. https://t.co/cObvedgf1l
— Mustafa Al-Bassam (@musalbas) 18. August 2016
Key takeaways:
- The Shadow Brokers leak illustrates that the proposed technique to extract RSA private keys from memory dumps is easy to use, very effective in the wild and extensively field-tested by the Equation Group (widely believed to be operated by the NSA).
- Specialized hardware, like a hardware security module (HSM) or a smartcard, can safeguard your cryptographic keys from such an attack.