Tell HN: H&R Block tax software installs a TLS backdoor

7 | author: yifanlu | about 7 hours ago | original post
Just a PSA for folks here in the US because tax season is coming up and some of you may be using H&R Block Business 2025. I discovered that the software installs a root CA named "WK ATX ServerHost 2024" (expiry 2049) into your local machine trusted root certificate store. They also helpfully include the private key to this certificate in a DLL file. This certificate does not identify itself as "H&R Block" anywhere and does not get uninstalled when you uninstall the software.

I've been able to successfully use this root CA + mitmproxy to manipulate TLS traffic on a brand new virtual machine on the same network with a DNS spoofing attack. Demo: https://www.youtube.com/watch?v=5paxvYkz1QE

To test if your machine is vulnerable visit this page: https://hrbackdoor.yifanlu.com and if you do not get any warning or error message from your browser then you have the backdoor installed. If your browser does complain, you can choose to visit the page anyways for more details on the vulnerability.

Is it negligence or a "real" back door? It's impossible to tell and since the private key is out there, anyone can use it so the point is moot. There is no legitimate reason why they need to install a wildcard root CA under a different name. When I contacted them about it their statement includes "similar findings have been identified through internal security assessments" meaning they know about this issue but have not fixed it. I would not trust H&R Block software at this point.

If you didn't get bit by this, congratulations. See this post as a reminder to audit your trusted root CA store.
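The root-store audit the post closes with, as an added example that is not part of the original post: a PowerShell script that enumerates the Windows LocalMachine and CurrentUser trusted root stores, flags any root whose subject matches the CA name given above, reports roots with an unusually distant expiry, and optionally removes the named one. The store paths are the standard Cert: provider paths; the 20-year expiry threshold is an assumed heuristic, not something the post states.

```powershell
# Added audit script (not from the post). Run from an elevated PowerShell to
# inspect or remove LocalMachine roots; CurrentUser roots need no elevation.
[CmdletBinding()]
param(
    # Subject substrings to flag; the default is the CA name reported in the post.
    [string[]]$SuspectSubjects = @('WK ATX ServerHost'),
    # Roots expiring further out than this many years from today are reported as unusual
    # (assumed heuristic; some legitimate roots are also long-lived, so review before acting).
    [int]$MaxYearsValid = 20,
    # Remove roots whose subject matches instead of only reporting them.
    [switch]$Remove
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$cutoff = (Get-Date).AddYears($MaxYearsValid)

foreach ($store in $stores) {
    Write-Host "== $store =="
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $reasons = @()
        $subjectHit = $false
        foreach ($needle in $SuspectSubjects) {
            if ($cert.Subject -like "*$needle*") {
                $reasons += "subject matches '$needle'"
                $subjectHit = $true
            }
        }
        if ($cert.NotAfter -gt $cutoff) {
            $reasons += "expires $($cert.NotAfter.ToShortDateString()), more than $MaxYearsValid years out"
        }
        if ($reasons.Count -eq 0) { return }   # nothing to report for this root

        [PSCustomObject]@{
            Store      = $store
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Reasons    = ($reasons -join '; ')
        } | Format-List | Out-String | Write-Host

        # Only subject matches are removed; long-lived roots are reported, never deleted.
        if ($Remove -and $subjectHit) {
            Remove-Item -Path (Join-Path $store $cert.Thumbprint) -Confirm
            Write-Host "Removed $($cert.Thumbprint) from $store"
        }
    }
}
```

Re-run the audit after uninstalling or updating the software, since the post notes the certificate survives uninstallation.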