Skip to main content
banner image
venafi logo

Researcher Releases POC for Transferring Files over X.509 Extensions Covert Channel

Researcher Releases POC for Transferring Files over X.509 Extensions Covert Channel

x.509 compromise
February 6, 2018 | David Bisson

A researcher has published a proof-of-concept (POC) framework demonstrating the use of X.509 extensions for covert channel data transfer.

On 5 February, Fidelis researcher Jason Reaves posted his framework on GitHub. The framework builds upon research released by Reaves in January 2018 on using X.509 extensions for transmitting and receiving arbitrary data.

X.509 certificates are a type of public key certificate that uses the X.509 standard. They contain a public key and the identity of a hostname, organization, or individual. Some of these certificates are self-signed. When a certificate authority (CA) signs them or another entity validates them, the owner of that certificate can leverage the public key to establish secure connections with another party or validate documents someone digitally signed using the corresponding private key.

As security expert Pierluigi Paganini notes, X.509 v3 certificates come with an extension field that allow the addition of fields containing information like alternative subject names and usage restrictions. That's not all the certificate extensions might contain, however. Reaves discovered (PDF) it's possible to abuse these fields, particularly the SubjectKeyIdentifier extension, for data infiltration and exfiltration on the server side and client side, respectively.

You can watch him present on this issue at BSides Springfield 2017 in this video.

The researcher confirms his findings in a blog post released on the same day as his proof-of-concept framework:

In brief, TLS X.509 certificates have many fields where strings can be stored…. The fields include version, serial number, Issuer Name, validity period and so on. The certificate abuse described in our research takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself.

The POC specifically demonstrates the transferal of Metasploit post-exploitation tool Mimikatz over an X.509 extension over the TLS negotiation traffic. Such a transferal is hard to spot. In fact, Reaves told The Register that "[y]ou [would] have to parse out all the data inside X.509, and there's a lot."

Related blogs

Like this blog? We think you will love this.
Featured Blog

Lloyd's Backs Off Insurance for State-Sponsored Cyberattacks

Cyber related businesses are ‘e

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more