
CVE-2022-3602 PoC — X.509 Email Address 4-byte Buffer Overflow

Source
Associated Vulnerability
Title: X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)
Description: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6).
Description
Detects attempts at exploitation of CVE-2022-3602, a 4-byte stack buffer overflow in X.509 name-constraint checking (crash or potential remote code execution) affecting OpenSSL 3.0.0 through 3.0.6, and flags servers whose HTTP Server header advertises one of those versions.
Readme
# Detection for CVE-2022-3602 - OpenSSL RCE/DoS, v3.0.0 - v3.0.6

- Detects when the HTTP Server header indicates that the version of OpenSSL is vulnerable to CVE-2022-3602 (i.e. v3.0.0 to v3.0.6 inclusive). Treat this as a hint rather than proof: distributions that backport the fix keep the upstream version string, and a server that suppresses its Server header is not thereby cleared.
- Detects exploitation attempts in TLS v1.2, where the Certificate message (and so the X509v3 Name Constraints extension carrying the punycode `xn--` email entry) is sent in the clear. In TLS v1.3 the certificate is encrypted after the key exchange, so this check cannot see it on a passive sensor.

References:
- https://www.openssl.org/news/secadv/20221101.txt
- https://github.com/fox-it/spookyssl-pcaps  


This package generates the following notices:
* `CVE20223602::CVE_2022_3602_Exploit_Attempt`  
* `CVE20223602::CVE_2022_3602_Vulnerable_Server`   
Each notice also carries the artefact that triggered it (the HTTP Server header value, or the Name Constraints extension value) in the `sub` field, which can assist with IR triage.

```
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   notice
#open   2022-11-04-11-13-50
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg     sub     src     dst     p       n              peer_descr      actions email_dest      suppress_for    remote_location.country_code    remote_location.region  remote_location.city    remote_location.latitude        remote_location.longitude
#types  time    string  addr    port    addr    port    string  string  string  enum    enum    string  string  addr    addr    port    count   string  set[enum]       set[string]     interval       string  string  string  double  double
1667182702.131152       CKgObk3hwP00kyaoVd      127.0.0.1       53240   127.0.0.1       80      -       -       -       tcp     CVE20223602::CVE_2022_3602_Vulnerable_Server    Potential OpenSSL CVE_2022_3602 Vulnerable server version (v3.0.0-3.0.6)       SERVER value in HTTP header = 'Apache/2.4.54 (Fedora Linux) OpenSSL/3.0.5'      127.0.0.1       127.0.0.1       80      -              -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -       -       -
1667383240.417527       CYgEWD2cUZDWalTz9h      192.168.56.2    50478   192.168.56.3    3000    -       -       -       tcp     CVE20223602::CVE_2022_3602_Exploit_Attempt      Potential OpenSSL CVE_2022_3602 exploit attempt (punycode)     ext$value = 'Permitted:\x0a  email:xn--3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2ba\x0a'        192.168.56.2    192.168.56.3    3000    -       -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -       -              -
1667390605.051174       CTKv5h4LdOlflhiM66      192.168.56.2    46590   192.168.56.3    3000    -       -       -       tcp     CVE20223602::CVE_2022_3602_Exploit_Attempt      Potential OpenSSL CVE_2022_3602 exploit attempt (punycode)     ext$value = 'Permitted:\x0a  email:xn--3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2ba@example.com\x0a'    192.168.56.2    192.168.56.3    3000    -       -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -              -       -
1667393702.130181       CycBH72ljVsUydqGn5      192.168.56.2    46594   192.168.56.3    3000    -       -       -       tcp     CVE20223602::CVE_2022_3602_Exploit_Attempt      Potential OpenSSL CVE_2022_3602 exploit attempt (punycode)     ext$value = 'Permitted:\x0a  email:xn--srt@fx-it-u1g.com\x0a'   192.168.56.2    192.168.56.3    3000    -       -       Notice::ACTION_LOG             (empty) 3600.000000     -       -       -       -       -
#close  2022-11-04-11-13-50
```
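The two checks described above, applied to the artefacts from the notice.log, as an added example in Python (this is not the package's own Zeek scripts; it assumes, as the log shows, that Zeek renders the Name Constraints extension as `Permitted:`/`Excluded:` blocks with `email:<addr>` lines, and the sample events below are constructed):

```python
import re

# Added example, not the package's Zeek code. Reimplements the README's two
# checks on constructed inputs so the logic can be run offline.

VULN_MIN = (3, 0, 0)   # affected range per the OpenSSL advisory
VULN_MAX = (3, 0, 6)   # fixed in 3.0.7

OPENSSL_VERSION_RE = re.compile(r"\bOpenSSL/(\d+)\.(\d+)\.(\d+)")
# Zeek prints Name Constraints as "Permitted:\n  email:<addr>\n" (assumption
# based on the ext$value strings in the notice.log above).
EMAIL_CONSTRAINT_RE = re.compile(r"^\s*email:\s*(\S+)\s*$", re.MULTILINE)


def vulnerable_server(server_header: str):
    """HTTP Server header check: return the OpenSSL version string if it lies
    in 3.0.0..3.0.6, else None. The version string is only a hint (backported
    fixes keep the upstream number)."""
    m = OPENSSL_VERSION_RE.search(server_header)
    if m is None:
        return None
    ver = tuple(int(g) for g in m.groups())
    return ".".join(map(str, ver)) if VULN_MIN <= ver <= VULN_MAX else None


def has_punycode_label(addr: str) -> bool:
    """True if any label of the address (local part or a domain label) carries
    the ACE prefix 'xn--', which is what sends OpenSSL into its punycode decoder."""
    return any(label.lower().startswith("xn--") for label in re.split(r"[@.]", addr))


def punycode_email_constraints(name_constraints_value: str) -> list:
    """Name Constraints check: return the email entries containing a punycode label."""
    return [addr for addr in EMAIL_CONSTRAINT_RE.findall(name_constraints_value)
            if has_punycode_label(addr)]


# Constructed sample events (kind, value): the first and fourth reuse artefacts
# from the notice.log above; the others are benign controls or a fixed version.
SAMPLE_EVENTS = [
    ("http_server", "Apache/2.4.54 (Fedora Linux) OpenSSL/3.0.5"),
    ("http_server", "Apache/2.4.54 (Fedora Linux) OpenSSL/3.0.7"),
    ("http_server", "nginx/1.22.1"),
    ("name_constraints", "Permitted:\n  email:xn--srt@fx-it-u1g.com\n"),
    ("name_constraints", "Permitted:\n  email:xn--3B-ww4c5e180e575a65lsy2ba@example.com\n"),
    ("name_constraints", "Permitted:\n  email:.example.com\nExcluded:\n  DNS:evil.example\n"),
]


def triage(events=SAMPLE_EVENTS) -> list:
    """Emit (note, sub) pairs in the shape of the package's notices."""
    notices = []
    for kind, value in events:
        if kind == "http_server":
            if vulnerable_server(value):
                notices.append(("CVE_2022_3602_Vulnerable_Server",
                                "SERVER value in HTTP header = %r" % value))
        elif kind == "name_constraints":
            for addr in punycode_email_constraints(value):
                notices.append(("CVE_2022_3602_Exploit_Attempt",
                                "punycode email constraint = %r" % addr))
    return notices


if __name__ == "__main__":
    for note, sub in triage():
        print(note, "|", sub)
```

Running it yields one `Vulnerable_Server` notice (the 3.0.5 header) and two `Exploit_Attempt` notices; the 3.0.7 header, the nginx header and the plain `.example.com` constraint produce nothing. The punycode check is the higher-fidelity signal: a legitimate CA constraint almost never carries an `xn--` local part, whereas the version match needs confirmation against the host's actual package.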


This package can be installed with `zkg` using the following commands:
```
$ zkg refresh
$ zkg install cve-2022-3602
```

Corelight customers can install it by updating the CVE bundle.
File Snapshot

```
[4.0K] /data/pocs/b294ef661818393556b0dd2927a07b8750dfb018
├── [1.5K] LICENSE
├── [4.4K] README.md
├── [4.0K] scripts
│   ├── [ 644] detect_exploit.zeek
│   ├── [ 668] detect_vulnerable_server.zeek
│   └── [  56] __load__.zeek
├── [4.0K] testing
│   ├── [4.0K] Baseline
│   │   └── [4.0K] tests.test
│   │       ├── [1.7K] notice_cut_exploit.log
│   │       └── [ 337] notice_cut_vulnerable.log
│   ├── [ 559] btest.cfg
│   ├── [4.0K] Files
│   │   └── [ 192] random.seed
│   ├── [4.0K] Scripts
│   │   ├── [ 383] diff-remove-timestamps
│   │   └── [1.1K] get-zeek-env
│   ├── [4.0K] tests
│   │   └── [ 663] test.zeek
│   └── [4.0K] Traces
│       ├── [1.2K] sample_OpenSSLv3.0.5.pcap
│       └── [ 20K] spookyssl-merged.pcap
└── [ 199] zkg.meta

8 directories, 15 files
```