CVE-2021-4044 PoC — Invalid handling of X509_verify_cert() internal errors in libssl

Associated Vulnerability
Title: Invalid handling of X509_verify_cert() internal errors in libssl (CVE-2021-4044)
Description: Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).
Readme
# SSL Checker Script

This repository contains a Python script that checks the OpenSSL version on your system and tests SSL/TLS connections to a user-provided website. The script is designed to identify whether the system is affected by CVE-2021-4044 and to test the handling of SSL errors during the connection process.

## Features

- **OpenSSL Version Check:** The script checks the version of OpenSSL installed on your system and alerts you if it is vulnerable to CVE-2021-4044.
- **SSL Connection Test:** It attempts to establish an SSL connection to a website provided by the user, handling and reporting any SSL errors that occur.
- **User Input:** The script prompts the user to input the target website URL for the SSL connection test.
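A version check of the kind described above could look like the following. This is an added example, not the repository's `ssl_check.py`; the function names and the sample banners in the comments are constructed, and the affected/fixed versions are the ones stated in the vulnerability description on this page.

```python
import re
import ssl

# From the advisory text on this page: affected 3.0.0, fixed in 3.0.1.
AFFECTED = (3, 0, 0)

# Matches banners such as "OpenSSL 3.0.0 7 sep 2021" or "OpenSSL 1.1.1l  24 Aug 2021".
_BANNER = re.compile(
    r"^(?P<product>\S+)\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<suffix>[A-Za-z0-9.+~-]*)"
)


def classify_banner(banner: str) -> str:
    """Classify an OpenSSL version banner against CVE-2021-4044.

    Returns "affected", "not-affected", "not-openssl" or "unknown".
    Assumption: the banner reflects the upstream version. Vendor builds can
    carry backported fixes without changing it, so treat "affected" as
    "confirm against the vendor advisory", not as proof.
    """
    m = _BANNER.match(banner.strip())
    if m is None:
        return "unknown"
    if m["product"] != "OpenSSL":
        # LibreSSL, BoringSSL etc. are different code bases.
        return "not-openssl"
    version = (int(m["major"]), int(m["minor"]), int(m["patch"]))
    if version != AFFECTED:
        return "not-affected"
    if m["suffix"]:
        # 3.0.0 pre-releases or vendor-tagged builds: the page does not say.
        return "unknown"
    return "affected"


def check_runtime() -> str:
    """Classify the libssl this Python interpreter is linked against.

    ssl.OPENSSL_VERSION describes Python's own libssl, which may differ
    from the `openssl` binary or from libraries used by other applications.
    """
    return classify_banner(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", check_runtime())
```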

## Prerequisites

- **Python 3.x:** Ensure that you have Python 3 installed on your system.
- **Required Modules:** The script uses the following Python modules, which are part of the standard library:
  - `ssl`
  - `socket`

## Usage

1. **Clone the Repository:**
    ```bash
    git clone https://github.com/phirojshah/CVE-2021-4044.git
    cd CVE-2021-4044
    ```

2. **Run the Script:**
    ```bash
    python3 ssl_check.py
    ```

3. **Enter Website URL:**
   When prompted, enter the URL of the website you want to check, for example:



4. **Review the Output:**
   The script will output the OpenSSL version, whether it’s affected by CVE-2021-4044, and the result of the SSL handshake with the provided website.

## Example Output


## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## Contributing

Contributions are welcome! Please feel free to submit a Pull Request or open an Issue if you find a bug or have a feature request.

## Author

- **Your Name** - [Your GitHub Profile](https://github.com/phirojshah)

## Disclaimer

This script is intended for educational and ethical testing purposes only. Do not use this tool on systems or websites without proper authorization.

File Snapshot

[4.0K] /data/pocs/432acfcbd2bd265da3cc6aba6c1b904620fcf3e2
├── [1.9K] README.md
└── [1.5K] ssl_check.py

0 directories, 2 files