Tell HN: H&R Block tax software installs TLS backdoor

7 points by yifanlu 2 days ago
Just a PSA for folks here in the US because tax season is coming up and some of you may be using H&R Block Business 2025. I discovered that the software installs a root CA named "WK ATX ServerHost 2024" (expiry 2049) into your local machine trusted root certificate store. They also helpfully include the private key to this certificate in a DLL file. This certificate does not identify itself as "H&R Block" anywhere and does not get uninstalled when you uninstall the software.

I've been able to successfully use this root CA + mitmproxy to manipulate TLS traffic on a brand new virtual machine on the same network with a DNS spoofing attack. Demo: https://www.youtube.com/watch?v=5paxvYkz1QE

To test if your machine is vulnerable visit this page: https://hrbackdoor.yifanlu.com and if you do not get any warning or error message from your browser then you have the backdoor installed. If your browser does complain, you can choose to visit the page anyways for more details on the vulnerability.

Is it negligence or a "real" back door? It's impossible to tell and since the private key is out there, anyone can use it so the point is moot. There is no legitimate reason why they need to install a wildcard root CA under a different name. When I contacted them about it their statement includes "similar findings have been identified through internal security assessments" meaning they know about this issue but have not fixed it. I would not trust H&R Block software at this point.

If you didn't get bit by this, congratulations. See this post as a reminder to audit your trusted root CA store.
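One way to act on the closing advice and audit the Windows trusted root store, as an added example that is not part of the original post: the script lists roots in LocalMachine\Root that are not in Microsoft's AuthRoot set (i.e. were added locally), flags the "WK ATX ServerHost 2024" certificate the post names, and removes it only when the assumed `-Remove` switch is given. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the post. Audits LocalMachine\Root for locally added
# root CAs and flags the certificate named in the post. -Remove is an assumed switch.
param([switch]$Remove)

$suspectName = 'WK ATX ServerHost 2024'   # subject name reported in the post

# AuthRoot holds roots distributed by the Microsoft root program; anything in Root
# whose thumbprint is absent from AuthRoot was added by something on this machine.
$authRootThumbprints = Get-ChildItem Cert:\LocalMachine\AuthRoot |
    Select-Object -ExpandProperty Thumbprint

$locallyAdded = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $authRootThumbprints -notcontains $_.Thumbprint }

Write-Host "Root CAs in LocalMachine\Root that are not part of AuthRoot:"
$locallyAdded |
    Select-Object Subject, NotBefore, NotAfter, HasPrivateKey, Thumbprint |
    Format-Table -AutoSize

# Flag the specific certificate from the post (match on subject, case-insensitive).
$suspect = $locallyAdded | Where-Object { $_.Subject -like "*$suspectName*" }

if ($suspect) {
    Write-Warning "Found '$suspectName' in the trusted root store."
    $suspect | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

    if ($Remove) {
        foreach ($cert in $suspect) {
            # Removing a root from this store requires administrator rights.
            Remove-Item -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)" -Verbose
        }
    } else {
        Write-Host "Re-run with -Remove to delete it from the store."
    }
} else {
    Write-Host "'$suspectName' was not found in LocalMachine\Root."
}
```

Review the full list as well, not only the flagged entry: a root you cannot attribute to an installed product you trust deserves the same scrutiny, and the CurrentUser\Root store (Cert:\CurrentUser\Root) should be checked the same way.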