Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2022-3602 PoC — X.509 Email Address 4-byte Buffer Overflow

Source
https://github.com/alicangnll/SpookySSL-Scanner
Associated Vulnerability
Title:X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)
Description:A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).
Description
SpookySSL CVE-2022-3602 SSLv3 Scanner for Windows, Linux, macOS
Readme
# SpookySSL-Scanner
SpookySSL CVE-2022-3602 SSLv3 Scanner for Windows, Linux, macOS
<br><br>
<h2>(Turkish) Zafiyet Nasıl Oluşuyor?</h2>
<p>Öncelikle sorun byte boyutunu belirlerken ortaya çıkıyor. Bayt boyutunu belirlerken farkındaysanız NULL yani boş/sıfır değer tanımlanmamış yani bayt uzunluğu sıfır olarak belirlenebiliyor. Alttaki komutta xn-- ile başlayan kısım direkt olarak farklı alfabelerde (örneğin Çinceden punycode olarak dönüştürülen) yazılmış alfabedeki domain adlarının latin alfabesine dönüştürülmesi anlamına geliyor. If döngüsü içerisinde memcpy komutu delta + 1 değerlik bir stack alanını memory üzerinde ayırıyor ve outptr değerini bu alana yazıyor. NULL değer girildiğinde ise 1 baytlık yer açıldığı için iki adet boşluk kodu bir buffer overflow yaratıyor.
<br>
Ayrıntılı bilgi için : <a href="https://github.com/openssl/openssl/commit/c42165b5706e42f67ef8ef4c351a9a4c5d21639a">https://github.com/openssl/openssl/commit/c42165b5706e42f67ef8ef4c351a9a4c5d21639a</a><p>
<br>
<img src="vulncode.jpeg" />
<br><br>
<h2>What is the CVE-2022-3602?</h2>
<p>First of all, we must be know Remote code execution (RCE)
<br>
Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.
<br><br>
CVE-2022-3602 vulnerability in OpenSSL occurs due to incorrect processing of Punycode while checking X.509 certificates.<br>
Punycode is a representation of Unicode strings using the limited ASCII character subset. It is usually used to encode domain names containing non-ASCII characters, for example Japanese letters. A punycode-encoded string<br><br>
begins with “xn--” and is followed by English characters and digits.<br><br>
The vulnerable function ossl_punycode_decode may cause buffer overflow during Punycode string decoding. It is called when OpenSSL processes a certificate chain. In order to exploit vulnerability it is required to:<br><br>
1) Craft a CA (certificate authority) certificate or Intermediary certificate that contains the “nameConstraints” field with a malicious Punycode string. The Punycode string must contain at least 512 bytes excluding “xn--”.<br><br>
2) Craft a leaf certificate that contains a SubjectAlternateName (SAN) otherName field that specifies a SmtpUTF8Mailbox string<br><br>
 
Denial of Service (DoS) Vulnerability
Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash.
<br><br>
CVE-2022-3602 vulnerability has Denial of Service vulnerability too as other buffer overflow vulns. Buffer overflow occurs in the ossl_a2ulabel vulnerable function. When this function meets a Punycode part followed by a dot character (“.”) it also appends “.” to the output buffer even if it overflows its size.
This way, an attacker can overflow the output buffer by any number of “.” characters, which leads to the stack corruption. This vulnerability can’t be used for remote code execution, just denial of service.
<br><br>
Source : https://blog.checkpoint.com/2022/11/01/openssl-vulnerability-cve-2022-3602-remote-code-execution-and-cve-2022-3786-denial-of-service-check-point-research-update/
</p>
<h2>Installation</h2>
<ul>
<li>winget install python --source msstore (for Windows)</li>
<li>pip install pypiwin32</li>
<li>pip install glob</li>
<li>pip install platform</li>
<li>pip install osquery (for Linux)</li>
</ul>
<br>
<h2>Pics</h2>
<img src="spooky.png" />
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →