This time it's just hanging around in memory, no need to do anything about the anti-debug.
$ openssl x509 -noout -modulus -in 300288180.crt|md5sum
f423a009387fb7a306673b517ed4f163 -
$ openssl rsa -noout -modulus -in alibaba-localhost.key.pem|md5sum
f423a009387fb7a306673b517ed4f163 -

You can verify that I've signed lorem ipsum with the following:

$ wget https://crt.sh/?d=300288180 -O 300288180.crt
$ wget https://rack.ms/b/UsNQv74sfH40/msg.txt{,.sig-sha256.b64}
$ openssl dgst -sha256 -verify <(openssl x509 -in 300288180.crt -pubkey -noout) -signature <(base64 -d msg.txt.sig-sha256.b64) msg.txt

As the domain name suggests, this is part of the AlibabaProtect/"Alibaba PC Safe Service" that comes bundled with the Youku client.

Mark

On Tue, Dec 11, 2018 at 5:37 AM Xiaoyin Liu via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> Hello,
>
> I think I found an SSL certificate misuse issue, but I am not sure if this is
> indeed a misuse, so I want to ask about it on this list.
>
> Here is the issue: After I installed Youku Windows client
> (https://pd.youku.com/pc, installer:
> https://pcclient.download.youku.com/youkuclient/youkuclient_setup_7.6.7.11220.exe),
> it starts a local HTTPS server, listening on localhost:6691. Output of
> "openssl s_client -connect 127.0.0.1:6691" indicates that this local server
> uses a valid SSL certificate, issued to "Alibaba (China) Technology Co.,
> Ltd." CN=*.alipcsec.com, and issued by GlobalSign. It's a publicly trusted OV
> cert, and is valid until Jan 13, 2019. Later, I found that local.alipcsec.com
> resolves to 127.0.0.1, and https://local.alipcsec.com:6691/ is used for
> inter-process communication.
>
> It's clear that the private key for *.alipcsec.com is embedded in the
> executable, but all the executables that may embed the private key are packed
> by VMProtect, and the process has anti-debugging protection. I tried plenty
> of methods to extract the private key, but didn't succeed. I reported this to
> Alibaba SRC anyway.
> They replied that they ignore this issue unless I can
> successfully extract the key.
>
> So is this a certificate misuse issue, even if the private key is obfuscated?
> If so, do I have to extract the private key first before the CA can revoke
> the cert?
>
> Thank you!
>
> Best,
> Xiaoyin Liu
>
> Here is the certificate:
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
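Mark's two checks (does the key belong to the certificate, and does the posted signature verify under it) written up as a reusable script; this is an added example, not code from the thread. It goes slightly beyond the thread's RSA modulus comparison by hashing the SubjectPublicKeyInfo instead, which gives the same answer for RSA and also works for EC keys. The file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check a key-compromise report against
# a certificate. The thread compares RSA moduli; comparing the SPKI
# (SubjectPublicKeyInfo) fingerprint is equivalent for RSA and also works
# for EC keys.

# SHA-256 of the DER SubjectPublicKeyInfo carried in certificate $1.
cert_spki_fp() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER SubjectPublicKeyInfo derived from private key $1.
key_spki_fp() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 0 if private key $2 belongs to certificate $1, 1 if not, 2 on parse error.
key_matches_cert() {
  c=$(cert_spki_fp "$1" 2>/dev/null) && [ -n "$c" ] || return 2
  k=$(key_spki_fp "$2" 2>/dev/null) && [ -n "$k" ] || return 2
  [ "$c" = "$k" ]
}

# 0 if the base64 signature in file $3 is a valid SHA-256 signature over
# message file $2 under the public key in certificate $1, i.e. the
# "I hold this key" proof a reporter attaches for the CA; 1 otherwise.
proof_verifies() {
  t=$(mktemp -d) || return 2
  if openssl x509 -in "$1" -pubkey -noout > "$t/pub.pem" 2>/dev/null &&
     base64 -d "$3" > "$t/sig.bin" 2>/dev/null &&
     openssl dgst -sha256 -verify "$t/pub.pem" -signature "$t/sig.bin" \
       "$2" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -rf "$t"
  return $rc
}

# Usage (placeholder file names): only when both checks pass is the
# certificate's key demonstrably in the reporter's hands.
# key_matches_cert cert.pem leaked.key && proof_verifies cert.pem msg.txt msg.sig.b64
```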