Thursday, February 19, 2015
Extracting the SuperFish certificate
procdump -ma VisualDiscovery.exe super.dmp
The proper way to reverse this is to actually tear apart the memory structures, for example in Visual Studio. The quick alternative is to just pull the printable strings out of the dump:
strings super.dmp > super.txt
At that point, I loaded the file super.txt into a text editor and searched for the string "PRIVATE KEY". Sure enough, it popped right up. It actually appears several times in the memory dump.
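The strings-plus-search step above can be automated. The script below is an added example and is not code from the original post: it scans a raw memory dump (assumed to be a procdump output like super.dmp, though any raw dump works) for PEM-framed private keys, drops false positives whose body is not valid base64 or does not decode to a DER SEQUENCE, and reports how many times each distinct key occurs. The sample dump bytes and the key material in it are constructed dummies for the demonstration, not anything extracted from SuperFish.

```python
"""Scan a raw process memory dump for PEM-encoded private keys.

Added example, not from the original post.  SAMPLE_DUMP and the DUMMY_* key
bytes are constructed test data, not real key material.
"""
import base64
import re
import sys
from collections import Counter

# PEM framing for PKCS#1 (RSA), EC, DSA, unencrypted and encrypted PKCS#8 keys.
# The label is captured so the END line must match the BEGIN line; the body
# class excludes '-', so one block cannot run across another block's markers.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY)-----"
    rb"\s*([A-Za-z0-9+/=\r\n]+?)\s*"
    rb"-----END \1-----"
)


def extract_private_keys(dump):
    """Return [{label, der, occurrences}, ...] for each distinct private key
    found in `dump`, in order of first appearance.

    Blocks whose body is not valid base64, or does not decode to a DER
    SEQUENCE (tag 0x30, the outer structure of every private-key format),
    are dropped as false positives.  Keys loaded into a process tend to be
    copied around, so the same key is usually seen more than once.
    """
    counts = Counter()
    first_label = {}
    for m in PEM_KEY_RE.finditer(dump):
        label = m.group(1).decode("ascii")
        b64 = b"".join(m.group(2).split())      # strip line breaks
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:                      # binascii.Error subclasses it
            continue
        if not der or der[0] != 0x30:
            continue
        counts[der] += 1
        first_label.setdefault(der, label)
    return [{"label": label, "der": der, "occurrences": counts[der]}
            for der, label in first_label.items()]


def to_pem(label, der):
    """Re-wrap DER bytes as a PEM block with 64-character lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n")


# Constructed dummy "keys": a DER SEQUENCE wrapping a few INTEGERs/OCTET STRING,
# enough to exercise the checks above.  Not usable as real keys.
DUMMY_DER = bytes.fromhex("300f" "020100" "0203000101" "020103" "02020100")
DUMMY_EC_DER = bytes.fromhex("3006" "020101" "040100")

# Constructed stand-in for a memory dump: binary junk, the same RSA key
# twice, two false positives, and one EC key.
SAMPLE_DUMP = (
    b"\x00" * 32 + b"MZ\x90\x00VisualDiscovery"
    + to_pem("RSA PRIVATE KEY", DUMMY_DER).encode()
    + b"\xff" * 16
    # decodes fine, but to "hello" rather than a DER SEQUENCE
    + b"-----BEGIN PRIVATE KEY-----\naGVsbG8=\n-----END PRIVATE KEY-----\n"
    # not valid base64 (bad padding)
    + b"-----BEGIN RSA PRIVATE KEY-----\nabc\n-----END RSA PRIVATE KEY-----\n"
    + to_pem("RSA PRIVATE KEY", DUMMY_DER).encode()   # same key, second copy
    + to_pem("EC PRIVATE KEY", DUMMY_EC_DER).encode()
    + b"\x00" * 32
)


if __name__ == "__main__":
    # usage: python extract_keys.py super.dmp   (falls back to SAMPLE_DUMP)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE_DUMP
    for k in extract_private_keys(data):
        print(f"# {k['label']}: {len(k['der'])} DER bytes, "
              f"seen {k['occurrences']}x in dump")
        print(to_pem(k["label"], k["der"]), end="")
```

Run against a real dump with `python extract_keys.py super.dmp`; each distinct key is printed once as re-wrapped PEM with its occurrence count, which is the same information the manual text-editor search gives, minus the duplicates.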
"The consequence is that I can intercept the encrypted communications of SuperFish's victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot."
How? By just passively reading and decrypting, or by providing a MITM proxy that uses that certificate?
The first case would mean that the connections between the infected laptops and "the internet" already use that key, i.e. the superfish https MITM proxy is somewhere in the internet. Why would they even need the private key in the software then?
If their MITM proxy runs on the infected machines then the connections to the actual websites should use the real certificates - and you'd have to run your own MITM proxy, so just passive snooping wouldn't be enough.
(Not that running such a proxy is very hard.)
Just wondering, I haven't read much about the technical details of superfish yet :-)
The problem is manifold: