A researcher has published a proof-of-concept (POC) framework demonstrating the use of X.509 extensions for covert channel data transfer.
On 5 February, Fidelis researcher Jason Reaves posted his framework on GitHub. The framework builds upon research released by Reaves in January 2018 on using X.509 extensions for transmitting and receiving arbitrary data.
X.509 certificates are a type of public key certificate that uses the X.509 standard. They contain a public key and the identity of a hostname, organization, or individual. Some of these certificates are self-signed. When a certificate authority (CA) signs them or another entity validates them, the owner of that certificate can leverage the public key to establish secure connections with another party or validate documents someone digitally signed using the corresponding private key.
As security expert Pierluigi Paganini notes, X.509 v3 certificates come with an extension field that allow the addition of fields containing information like alternative subject names and usage restrictions. That's not all the certificate extensions might contain, however. Reaves discovered (PDF) it's possible to abuse these fields, particularly the SubjectKeyIdentifier extension, for data infiltration and exfiltration on the server side and client side, respectively.
You can watch him present on this issue at BSides Springfield 2017 in this video.
The researcher confirms his findings in a blog post released on the same day as his proof-of-concept framework:
In brief, TLS X.509 certificates have many fields where strings can be stored…. The fields include version, serial number, Issuer Name, validity period and so on. The certificate abuse described in our research takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself.
The POC specifically demonstrates the transferal of Metasploit post-exploitation tool Mimikatz over an X.509 extension over the TLS negotiation traffic. Such a transferal is hard to spot. In fact, Reaves told The Register that "[y]ou [would] have to parse out all the data inside X.509, and there's a lot."