They then call CryptDestroyKey on this RSA key. MSDN says "The underlying public/private key pair is not destroyed by this function."
Replying to @adriengnt
A small POC seems to confirm that some parts of the original private key are still in memory (grepped with windbg).
Replying to @adriengnt
I still need to confirm that after a night's sleep....
Replying to @adriengnt
I confirm, p and q are still present in the heap memory after CryptDestroyKey. Gist to reproduce using windbg: https://gist.github.com/aguinet/6db17246be3f55205f44ae80c340f2fa
Replying to @adriengnt
This means that, with some (lots of?) luck, the private RSA key needed to decrypt #wannacry could still be present in an attacked system!
Replying to @adriengnt
Bad news: CryptReleaseContext is called after the encrypted private key is saved. And this function erases the part we've seen in memory :/
Replying to @adriengnt
Actually this does not seem to be the case with Windows XP! Key is still there after CryptReleaseContext.
Replying to @adriengnt
Wait - let me see if I get this right: Windows XP is more secure at defending against the Wanna Cry ransomware than a newer OS?
Replying to @AT1ST @adriengnt
No, XP has a bug that allows you to retrieve the key even if you are not supposed to.
Replying to @matya_j @adriengnt
Still more unintentionally secure because of the bug, no?
Less secure. You just happen to be better off because WannaCry is deploying security against you.
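An added illustration of the recovery idea the thread describes (example code written for this page, not Adrien Guinet's tool or the gist above): CryptoAPI key blobs store big integers little-endian, so every window of half the modulus length in a memory dump is read as a little-endian integer and tested as a divisor of the public modulus n. The key, the "heap dump" and the offset of the surviving prime are all constructed for the demo.

```python
"""Recover an RSA private key from a memory dump in which one prime factor
survived (constructed demonstration; the dump and key are synthetic)."""
import random


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test used only to build the demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def recover_private_key(dump, n, e):
    """Scan dump for a little-endian prime factor of n; return (p, q, d) or None."""
    half = (n.bit_length() + 7) // 8 // 2   # byte length of p, assuming balanced primes
    for off in range(len(dump) - half + 1):
        cand = int.from_bytes(dump[off:off + half], "little")
        if cand > 1 and n % cand == 0:      # only 1, p, q and n divide n
            p, q = cand, n // cand
            d = pow(e, -1, (p - 1) * (q - 1))  # private exponent
            return p, q, d
    return None


def build_demo(seed=1):
    """Constructed 512-bit key and a 4 KiB 'heap dump' with p planted at offset 1000."""
    rng = random.Random(seed)
    p, q = gen_prime(256, rng), gen_prime(256, rng)
    n, e = p * q, 65537
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    dump = noise[:1000] + p.to_bytes(32, "little") + noise[1000:]
    return dump, n, e, p, q
```

A dump in which the factor was wiped (as the thread reports for CryptReleaseContext on newer Windows) yields no divisor, and the scan returns None.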