Monday, February 17, 2014

MD5 and other useful stuff in powershell

Lots of posts coming up shortly. Anyway, recently I was reading about how OTA updates for CyanogenMod run over plaintext HTTP and don't sign their binaries. Lame. They MD5sum it and send that over the same plaintext channel, so it's trivially mitm'able, like evilgrade.

Shortly after reading this, I downloaded an update for CCleaner, which came plaintext from filehippo, and decided that I should check its hash. The hash offered is MD5, which, while it has collisions, my current understanding is that it takes about a day with a bunch of PS3s in a cluster to make a known-good hash collide with a malicious binary. Anyway, with nothing else offered as a reasonable hash for this file, I set out to compare the known hash with the binary's hash.


Previously I've used the Microsoft File Checksum Integrity Verifier utility, but I'd rather have it more smoothly integrated into PowerShell since I'm learning that currently.


I want to find a good powershell way of doing this and here was my thought process:


PS> Get-Command -Name *md5*
--no results

PS> Get-Help *md5*
--nothing

PS> Get-Help *hash*
--nothing useful

Ok, on to the googles.
First hit for "powershell md5": http://stackoverflow.com/questions/10521061/how-to-get-a-md5-checksum-in-powershell

Bingo. A few different methods, and I tried two of them:

Method 1:
# Full path to the file to hash; .NET does not use PowerShell's current directory, so relative paths fail here
$someFilePath = "C:\foo.txt"
# .NET MD5 implementation
$md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
# Read the whole file, hash it, and render the digest as a dash-separated hex string
$hash = [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes($someFilePath)))
This initially gave me an error because I used a relative path for my file (I was currently in my Downloads directory, and did ".\foo.exe" instead of the full path starting with "C:\"). After fixing this, it returned a match to the hash provided by filehippo (which of course is also provided via plaintext, so...shit). 
Method 2: 
Install the PowerShell Community Extensions (http://pscx.codeplex.com/), which also feature useful commands such as base64 encoding and decoding, gzip/bzip/tar/zip archive support, set/get-clipboard, tail, and get-httpresource, a nice package.
I was all set to dig into my profile and set that up, but it comes prepackaged in an MSI that is pretty much a single-click install. 
Both worked.
Looked into it and I couldn't get an HTTPS connection to download the file without cert errors. Found this forum post which mentions that filehippo publishes the MD5sum, that the files are Verisign signed (good deal) and that piriform (the authors of CCleaner) and filehippo are the preferred download methods: http://forum.piriform.com/?showtopic=23834


Checking the signature:
GUI method: 
Find executable in Windows Explorer (not Internet Explorer) > right click > Properties > Select the Digital Signatures Tab > Select the only option there (Should say Piriform Ltd, which is something of a check) > Details 

At this point you see the message "This digital signature is OK", which is a level of assurance. If you wanted to, you could check out its certificate against...I'm not quite sure, but I would look for a list of published code signing certificates to see if MSFT has them. Additionally, it's countersigned by Symantec for a specific timestamp, which is nice, and Symantec is pretty legit; again, presumably this can be looked up, but I'm assuming that it's in the Windows Certificate Store, and one can look that up to prove it as well.

Or using powershell:

PS> Get-AuthenticodeSignature .\ccsetup410.exe
SignerCertificate                        Status  Path
-----------------                        ------  ----
46EE5C92C7BCD7B2D2E937DCD1FB9FDA30D1E753 Valid   ccsetup410.exe
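Putting the two checks together, here is an added example (my own function, not code from the original post or from Piriform/filehippo) that hashes a download the same .NET way as Method 1, resolves a relative path first so the error hit above does not occur, compares against the published hash, and reports the Authenticode status from Get-AuthenticodeSignature. It goes a little beyond the post by also accepting SHA1/SHA256 for sites that publish those; the function and parameter names are assumptions.

```powershell
# Added example, not from the original post. Function and parameter names are my own.
function Test-DownloadIntegrity {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $ExpectedHash,
        [ValidateSet('MD5','SHA1','SHA256')] [string] $Algorithm = 'MD5'
    )
    # Resolve-Path turns ".\foo.exe" into a full provider path; the .NET file APIs
    # do not know PowerShell's current directory, which is what caused the error above.
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Stream the file through the hash so a large installer is not read into memory at once.
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($fullPath)
    try {
        $digest = $hasher.ComputeHash($stream)
    } finally {
        $stream.Dispose()
        $hasher.Dispose()
    }
    # Normalise both sides: strip dashes/spaces, lower-case, then compare.
    $actual   = ([System.BitConverter]::ToString($digest)).Replace('-', '').ToLowerInvariant()
    $expected = $ExpectedHash.Replace('-', '').Replace(' ', '').ToLowerInvariant()

    # Authenticode check: Status is 'Valid' only when the chain builds to a trusted root
    # and the file has not been altered after signing; 'NotSigned' or 'HashMismatch' otherwise.
    $sig = Get-AuthenticodeSignature -FilePath $fullPath
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $timestamper = $null
    if ($sig.TimeStamperCertificate) { $timestamper = $sig.TimeStamperCertificate.Subject }

    [pscustomobject]@{
        Path            = $fullPath
        Algorithm       = $Algorithm
        HashMatches     = ($actual -eq $expected)
        ComputedHash    = $actual
        SignatureStatus = $sig.Status
        Signer          = $signer
        TimeStamper     = $timestamper
    }
}

# Usage with the file from the post; replace the placeholder with the hash published on the download page:
# Test-DownloadIntegrity -Path .\ccsetup410.exe -ExpectedHash '<md5 from download page>'
```

Treat the download as trustworthy only when HashMatches is True and SignatureStatus is Valid; a matching MD5 from the same plaintext page adds little on its own, which is the point made above.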