From 051829cf5bd00471ca313eda1ecf9dcafc6944a6 Mon Sep 17 00:00:00 2001
From: metthal
Date: Sun, 5 May 2024 15:59:40 +0200
Subject: [PATCH] fix: Verification of MS countersignatures now takes into account signer info digest and verifies it against digest of content info (timestamp info)

The signature of the signed attributes was verified, the digest of countersigned signature was verified but what was missing is the verification that the signed attributes are actually signing the embedded timestamp information. This would allow anyone to take a valid countersignature, replace content info of the signed data with their own timestamp info, recalculate hash against the countersigned signature and it would be verified as OK.
---
 lib/src/modules/pe/authenticode.rs | 13 +++++++++++++
 ...7cbe205471fc8ee34c3d9996f77baa3c3ab47a3b3068.out | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/lib/src/modules/pe/authenticode.rs b/lib/src/modules/pe/authenticode.rs
index d4474e35f..e2ff9f02d 100644
--- a/lib/src/modules/pe/authenticode.rs
+++ b/lib/src/modules/pe/authenticode.rs
@@ -345,13 +345,26 @@ impl AuthenticodeParser {
 countersignature.digest_alg = oid_to_str(tst.hash_algorithm.oid());
 countersignature.digest = tst.hashed_message;
+ let cs_si_digest = match cs_si
+ .get_signed_attr(&rfc5911::ID_MESSAGE_DIGEST)
+ .map(|value| value.data.as_bytes())
+ {
+ Some(md) => md,
+ None => return Err(ParseError::MissingAuthenticodeDigest),
+ };
+
 countersignature.verified = verify_message_digest(
 &tst.hash_algorithm,
 si.signature,
 tst.hashed_message,
+ ) && verify_message_digest(
+ &cs_si.digest_algorithm,
+ sd.content_info.content.as_bytes(),
+ cs_si_digest,
 ) && verify_signer_info(cs_si, certificates.as_slice());
+
 countersignatures.push(countersignature);
 }
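Review bot: The `None` arm of the new `cs_si_digest` match does `return Err(ParseError::MissingAuthenticodeDigest)`, so one countersignature without a messageDigest attribute ends the enclosing function early instead of being reported with `verified` false, and the error variant names the Authenticode digest rather than the countersigner's attribute. Keeping the lookup as an `Option` and folding it into the `&&` chain, as sketched below, fails closed for that entry and still reaches `countersignatures.push(countersignature)`. The enclosing function starts and ends outside the hunk, so how callers treat this error cannot be checked from here. The only test evidence in the commit is a golden file flipping to `verified: false`; a sample whose countersignature still verifies as `true` would confirm that the digest is taken over the right bytes of `sd.content_info.content`.

```rust
let cs_si_digest = cs_si
    .get_signed_attr(&rfc5911::ID_MESSAGE_DIGEST)
    .map(|value| value.data.as_bytes());

countersignature.verified = verify_message_digest(
    // … unchanged: &tst.hash_algorithm, si.signature, tst.hashed_message …
) && cs_si_digest.map_or(false, |md| {
    // A missing messageDigest attribute leaves this entry unverified.
    verify_message_digest(
        &cs_si.digest_algorithm,
        sd.content_info.content.as_bytes(),
        md,
    )
}) && verify_signer_info(cs_si, certificates.as_slice());
```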
diff --git a/lib/src/modules/pe/tests/testdata/130f9b2e65bfceae8d9e7cbe205471fc8ee34c3d9996f77baa3c3ab47a3b3068.out b/lib/src/modules/pe/tests/testdata/130f9b2e65bfceae8d9e7cbe205471fc8ee34c3d9996f77baa3c3ab47a3b3068.out
index 1378a711a..5c83a1f35 100644
--- a/lib/src/modules/pe/tests/testdata/130f9b2e65bfceae8d9e7cbe205471fc8ee34c3d9996f77baa3c3ab47a3b3068.out
+++ b/lib/src/modules/pe/tests/testdata/130f9b2e65bfceae8d9e7cbe205471fc8ee34c3d9996f77baa3c3ab47a3b3068.out
@@ -689,7 +689,7 @@ signatures:
 not_before: 1513987200 # 2017-12-23 00:00:00 UTC
 not_after: 1868918399 # 2029-03-22 23:59:59 UTC
 countersignatures:
- - verified: true
+ - verified: false
 sign_time: 1634237249 # 2021-10-14 18:47:29 UTC
 digest: "a6d56d546fb347a798239820467f4871bdd4c2f331548f4fdf5ab961a46c5c45"
 digest_alg: "sha256"