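Related vulnerability
Title:
OpenSSL security vulnerability
(CVE-2022-0778)
Description: OpenSSL is an open-source general-purpose cryptographic library from the OpenSSL team that implements the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLSv1) protocols. The product supports a variety of cryptographic algorithms, including symmetric ciphers, hash algorithms, and secure hash algorithms. OpenSSL versions 1.0.2, 1.1.1, and 3.0 contain a security vulnerability caused by an error in the BN_mod_sqrt() function, which computes modular square roots, that can lead to an infinite loop for non-prime moduli. An attacker can exploit the vulnerability by supplying specially crafted function parameter values, causing a denial of service while the application parses a certificate.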
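The description above attributes the hang to a modular square root loop that does not terminate when the modulus is not prime. As an added illustration (not OpenSSL's code and not part of this repository), here is a textbook Tonelli-Shanks square root in Python with every loop bounded and the result verified; `mod_sqrt` and `MAX_Z_TRIES` are names and values chosen for this example.

```python
MAX_Z_TRIES = 256  # assumed cap; for a prime p about half of all candidates qualify


def mod_sqrt(a, p):
    """Return x with x*x % p == a % p, or None.

    Textbook Tonelli-Shanks, intended for odd prime p. For any other p it
    still terminates, and a non-None result is always a verified root
    (None may be returned for a composite p even when a root exists).
    """
    if p < 3 or p % 2 == 0:
        return None
    a %= p
    if a == 0:
        return 0
    q, e = p - 1, 0                      # write p - 1 = q * 2**e with q odd
    while q % 2 == 0:
        q, e = q // 2, e + 1
    # Bounded search for z with z**((p-1)/2) == -1 (a non-residue if p is prime).
    z = next((c for c in range(2, min(p, 2 + MAX_Z_TRIES))
              if pow(c, (p - 1) // 2, p) == p - 1), None)
    if z is None:
        return None
    c, x, b = pow(z, q, p), pow(a, (q + 1) // 2, p), pow(a, q, p)
    while b != 1:                        # e shrinks every pass: at most e passes
        t, i = b * b % p, 1
        while i < e and t != 1:          # the bound i < e is what prevents a hang
            t, i = t * t % p, i + 1
        if i >= e:
            return None                  # a is not a square, or p is not prime
        t = pow(c, 1 << (e - i - 1), p)
        x, c = x * t % p, t * t % p
        b, e = b * c % p, i
    return x if x * x % p == a else None


if __name__ == "__main__":
    # Constructed inputs: two prime moduli, then a composite one.
    for a, p in [(10, 13), (2, 41), (2, 13), (3, 15)]:
        print(f"mod_sqrt({a}, {p}) = {mod_sqrt(a, p)}")
```

With the composite modulus 15 and a = 3, repeated squaring of `b` cycles without ever reaching 1, so a search without the `i < e` bound would never exit; here it returns `None`.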
Introduction
A simple remote triggering POC for CVE-2022-0778
### Why
While trying to validate whether server implementations on our side were/are vulnerable to CVE-2022-0778, it
proved extremely cumbersome to do so remotely. Instructions to create maliciously crafted certificates to trigger
the parsing bug in `BN_mod_sqrt()` [have been around](https://github.com/drago-96/CVE-2022-0778) for a while now,
but the main issue is that most client implementations would try to parse the client certificate in order to use
it in the TLS handshake. This in turn meant that:
- if the implementation was vulnerable, the bug would be triggered and the client would consume 100% CPU and stall.
- if the implementation was not vulnerable, the certificate could not be parsed and the client would, rightfully so, exit.
### What
What was actually needed was the ability to inject a message into the TLS handshake, so that we can replace the contents
of the Certificate message that the client sends to the server in response to the CertificateRequest message.
### How
This depends on [tlslite-ng](https://github.com/tlsfuzzer/tlslite-ng) and overrides the `TLSConnection._clientKeyExchange`
method so that during a TLS handshake with a possibly vulnerable server:
1. We send a ClientHello message as we would normally do
2. We consume the ServerHello message and check if it contains a CertificateRequest
3. If it does, we construct an arbitrary Certificate message, loading the DER-encoded crafted certificate from disk
4. We send the crafted message to the server and expect that it will parse it, possibly triggering CVE-2022-0778

The `crafted.crt` file was created following the instructions at https://github.com/drago-96/CVE-2022-0778#using-asn1-templates;
feel free to recreate it if you wish.
### Usage
```
usage: main.py [-h] [--server SERVER] [--port PORT]

Parameters

optional arguments:
  -h, --help       show this help message and exit
  --server SERVER  Name of the server to connect for the TLS handshake,
                   defaults to "localhost"
  --port PORT      Port where server listens for TLS connections, defaults to
                   "443"
```
File snapshot
[4.0K] /data/pocs/b53ca772d7f3d2f40a93a646bb2aef6b1bdf9207
├── [ 422] crafted.crt
├── [3.3K] main.py
├── [2.1K] README.md
└── [ 44] requirements.txt
0 directories, 4 files