Thursday, September 01, 2016

BENIGNCERTAIN — Remote Extraction of RSA Private Keys

TL;DR: The so-called BENIGNCERTAIN exploit dropped by the Shadow Brokers extracts RSA private keys from a captured memory dump using a technique similar to the one I described in a paper in 2006.

BENIGNCERTAIN is a "[..] remote exploit for Cisco PIX devices that sends an Internet Key Exchange (IKE) packet to the victim machine, causing it to dump some of its memory. The memory dump can then be parsed to extract an RSA private key and other sensitive configuration information" (from Mustafa Al-Bassam's writeup).

To extract RSA private keys from a captured memory dump, the exploit uses a technique similar to the one I described in a paper entitled "All Your Private Keys are Belong to Us — Extracting RSA Private Keys and Certificates from Process Memory" (2006).

A brief summary of the technique: the standard storage formats for RSA private keys and SSL certificates, defined in PKCS #8 and X.509 respectively, are used to build a byte signature for locating them in memory. With this signature, a simple pattern match can extract the candidate asymmetric keys in their plaintext form, which can then be verified using an external tool such as OpenSSL.
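To make the two steps concrete, here is an added example (my illustration for this post, not code from the paper or from the leaked tool) that does the same thing against a constructed memory image: it uses the DER layout of a PKCS #1 RSAPrivateKey (a SEQUENCE of nine INTEGERs starting with version 0) as the search signature, and then, instead of eyeballing the hit, checks the recovered CRT parameters against each other so that random bytes that happen to look like DER are rejected. The key material (two Mersenne primes, e = 65537), the filler bytes and the dump layout are all constructed for the demo; standard library only, Python 3.8+.

```python
"""Scan a raw memory image for plaintext PKCS#1 RSAPrivateKey structures.

Added example: the DER layout of the key is the search signature, and every
hit is confirmed arithmetically. The "memory dump" below is constructed.
"""
import math

# --- minimal DER encoder (used only to build the demo key) ---------------

def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v: int) -> bytes:
    """Encode a non-negative INTEGER; a leading 0x00 keeps it positive."""
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body

def der_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body

def encode_rsa_private_key(p: int, q: int, e: int) -> bytes:
    """Build an RFC 8017 RSAPrivateKey (version 0) from p, q and e."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return der_seq(der_int(0), der_int(n), der_int(e), der_int(d),
                   der_int(p), der_int(q),
                   der_int(d % (p - 1)), der_int(d % (q - 1)),
                   der_int(pow(q, -1, p)))

# --- scanner side ---------------------------------------------------------

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element at pos, or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        return None
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_private_key(buf: bytes, pos: int):
    """Try to parse an RSAPrivateKey at pos; return its 9 integers or None."""
    outer = read_tlv(buf, pos)
    if outer is None or outer[0] != 0x30:
        return None
    body, fields, cur = outer[1], [], 0
    for _ in range(9):                      # version, n, e, d, p, q, dp, dq, qinv
        elem = read_tlv(body, cur)
        if elem is None or elem[0] != 0x02 or len(elem[1]) == 0:
            return None
        fields.append(int.from_bytes(elem[1], "big"))
        cur = elem[2]
    if cur != len(body) or fields[0] != 0:  # exactly nine fields, version 0
        return None
    return fields

def is_consistent_rsa_key(fields) -> bool:
    """Reject look-alike DER: the CRT parameters must agree with n, e, d."""
    _, n, e, d, p, q, dp, dq, qinv = fields
    if p < 2 or q < 2 or n != p * q:
        return False
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return ((e * d) % lam == 1 and dp == d % (p - 1)
            and dq == d % (q - 1) and (q * qinv) % p == 1)

def find_rsa_private_keys(dump: bytes):
    """Signature scan: every 0x30 byte is a candidate SEQUENCE start."""
    hits, pos = [], dump.find(b"\x30")
    while pos != -1:
        fields = parse_rsa_private_key(dump, pos)
        if fields and is_consistent_rsa_key(fields):
            hits.append((pos, fields))
        pos = dump.find(b"\x30", pos + 1)
    return hits

# --- constructed demo dump (not a real device image) ----------------------
P = 2**61 - 1          # Mersenne primes: small enough to embed here,
Q = 2**89 - 1          # large enough for multi-byte DER integers
E = 65537
KEY_DER = encode_rsa_private_key(P, Q, E)
FILLER = bytes((i * 131 + 7) % 256 for i in range(300))   # deterministic noise
DEMO_DUMP = FILLER + b"-----PIX CONFIG-----" + KEY_DER + FILLER[::-1]

if __name__ == "__main__":
    for off, f in find_rsa_private_keys(DEMO_DUMP):
        print(f"RSAPrivateKey at offset {off}: {f[1].bit_length()}-bit modulus, e={f[2]}")
```

The arithmetic check replaces the manual OpenSSL step from the paper; on a real hit you would write `dump[off:next]` to a file and run `openssl rsa -inform DER -check -noout -in hit.der` to get the same answer. The same scan, pointed at a dump of your own process, is a cheap way to confirm whether a private key is sitting in plaintext memory at all.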

The following tweet contains different screenshots of the disassembly of the BENIGNCERTAIN exploit, showing the relevant code snippets:

For a more detailed description of the BENIGNCERTAIN exploit refer to:

Key takeaways:
  • The Shadow Brokers leak illustrates that the proposed technique to extract RSA private keys from memory dumps is easy to use, very effective in the wild and extensively field-tested by the Equation Group (widely believed to be operated by the NSA).
  • Specialized hardware, like a hardware security module (HSM) or a smartcard, can safeguard your cryptographic keys from such an attack.