CVE-2013-3900
MEDIUM KEV RANSOMWARE
Windows - Remote Code Execution via Authenticode Signature Verification Bypass
Title source: llm
Exploitation Summary
CVE-2013-3900 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 10, 2022, with confirmed use in ransomware campaigns. EIP tracks 16 public exploits from researchers including norvethil, PREN0MEN, CyberCondor.
AI-analyzed exploit summary: This PowerShell script demonstrates CVE-2013-3900 by injecting padding into the certificate section of a signed PE file (e.g., MSBuild.exe) to bypass Authenticode signature validation. It modifies the file, checks the signature status, and verifies the impact using WinVerifyTrust API calls.
Description
Why is Microsoft republishing a CVE from 2013?

We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, except for clarifications about how to configure the EnableCertPaddingCheck registry value, the information herein remains unchanged from the original text published on December 10, 2013.

Microsoft does not plan to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. This behavior remains available as an opt-in feature via reg key setting, and is available on supported editions of Windows released since December 10, 2013. This includes all currently supported versions of Windows 10 and Windows 11. The supporting code for this reg key was incorporated at the time of release for Windows 10 and Windows 11, so no security update is required; however, the reg key must be set. See the Security Updates table for the list of affected software.

Vulnerability Description

A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Exploitation of this vulnerability requires that a user or application run or install a specially crafted, signed PE file. An attacker could modify an...

See more at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
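A defender-side check for the condition described above, added here as an example (not code from Microsoft or from any of the listed repositories): it walks a PE file's attribute certificate table and reports bytes that follow the end of the PKCS#7 signature inside each WIN_CERTIFICATE entry. The function names, the constructed sample entries and the threshold (more than 7 bytes, or any non-zero byte) are assumptions of this example, not the check Windows applies when EnableCertPaddingCheck is set.

```python
import struct

def der_total_len(buf):
    """Size of the outer DER SEQUENCE (header plus content) at the start of buf."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if buf[1] < 0x80:                      # short form
        return 2 + buf[1]
    n = buf[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def cert_table(pe):
    """Raw attribute certificate table of a PE image (empty if unsigned)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                    # skip signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]   # PE32 / PE32+
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # directory 4
    return pe[off:off + size]              # this directory holds a file offset

def trailing_data(table):
    """Return (entry_offset, extra_len, has_nonzero) per suspicious entry."""
    findings, pos = [], 0
    while pos + 8 <= len(table):
        dw_length, _rev, cert_type = struct.unpack_from("<IHH", table, pos)
        if dw_length < 8 or pos + dw_length > len(table):
            raise ValueError("corrupt WIN_CERTIFICATE length")
        body = table[pos + 8:pos + dw_length]
        if cert_type == 0x0002:            # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            end = der_total_len(body)
            if end > len(body):
                raise ValueError("signature truncated")
            extra = body[end:]
            # Assumed heuristic: up to 7 zero bytes is 8-byte alignment padding.
            if len(extra) > 7 or any(extra):
                findings.append((pos, len(extra), any(extra)))
        pos += (dw_length + 7) & ~7        # entries are 8-byte aligned
    return findings

# Constructed sample entries (dummy 4-byte DER body, not real signatures).
_DER = bytes([0x30, 0x02, 0x05, 0x00])
CLEAN = struct.pack("<IHH", 16, 0x0200, 0x0002) + _DER + b"\0" * 4
PADDED = struct.pack("<IHH", 32, 0x0200, 0x0002) + _DER + b"A" * 20

if __name__ == "__main__":
    print(trailing_data(CLEAN), trailing_data(PADDED))
```

For a file on disk, pass `trailing_data(cert_table(open(path, "rb").read()))`; a non-empty result is a reason to inspect the file further, not proof of tampering.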
Exploits (16)
This PowerShell script demonstrates CVE-2013-3900 by injecting padding into the certificate section of a signed PE file (e.g., MSBuild.exe) to bypass Authenticode signature validation. It modifies the file, checks the signature status, and verifies the impact using WinVerifyTrust API calls.
This PowerShell script demonstrates CVE-2013-3900 by injecting padding into the certificate section of a signed PE file, bypassing Authenticode validation on systems without the EnableCertPaddingCheck registry setting.
This PowerShell script mitigates CVE-2013-3900 by enabling the EnableCertPaddingCheck registry key to enforce stricter Authenticode signature validation. It ensures the registry keys are set in both 64-bit and Wow6432Node paths to prevent exploitation of the WinVerifyTrust vulnerability.
This repository contains a PowerShell script to mitigate CVE-2013-3900 by enforcing the WinVerifyTrust certificate padding check via registry settings. It is designed to address a Tenable/Nessus finding and includes verification logic.
This repository documents the remediation process for CVE-2013-3900, a WinVerifyTrust signature validation flaw, using PowerShell to apply a registry-based fix. It includes detection, remediation, and verification steps but does not contain exploit code.
This PowerShell script remediates CVE-2013-3900 by enabling or disabling the Authenticode signature verification fix via registry modifications. It targets both 32-bit and 64-bit systems and requires a reboot to apply changes.
This repository provides a mitigation script for CVE-2013-3900, a vulnerability in Microsoft's WinVerifyTrust function that allows Authenticode signature bypass. The script enables stricter signature validation via registry modifications.
This PowerShell script checks for the presence and correct configuration of registry entries required to mitigate CVE-2013-3900, a WinVerifyTrust Signature Validation Vulnerability. It does not exploit the vulnerability but verifies if the system is properly patched.
This repository contains a remediation report for CVE-2013-3900, detailing steps to mitigate the WinVerifyTrust vulnerability on Windows Server 2019. It includes registry modifications and verification steps but does not contain exploit code.
This repository provides a detailed remediation guide for CVE-2013-3900, a WinVerifyTrust signature validation vulnerability, including registry-level fixes and validation steps. It does not contain exploit code but documents the mitigation process.
This PowerShell script remediates CVE-2013-3900 by enabling the EnableCertPaddingCheck registry key to prevent certificate validation bypass. It updates both 32-bit and 64-bit registry paths and restarts the system to apply changes.
This PoC enables the Windows certificate padding check via registry modifications to mitigate CVE-2013-3900, a vulnerability in WinVerifyTrust that allows improper certificate validation. The script updates registry keys to enforce stricter certificate padding checks.
This PowerShell script is a remediation guide for CVE-2013-3900, which addresses a vulnerability in Windows certificate padding checks. It creates registry keys to enable certificate padding checks and configures logging for CAPI2 events.
This repository contains a functional exploit for CVE-2013-3900, which involves manipulating PE file signatures to bypass authentication checks. The code includes tools for decrypting and injecting shellcode into a target process, demonstrating a local privilege escalation (LPE) attack.
Scores
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N