
CVE-2022-0778 PoC — Infinite loop in BN_mod_sqrt() reachable when parsing certificates

Source
Associated Vulnerability
Title: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778)

Description: The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include:

- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate, which makes it slightly harder to trigger the infinite loop. However, any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0, 3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
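To make the bug class concrete: BN_mod_sqrt() implements the Tonelli-Shanks algorithm, whose inner search relies on p being prime (the value it tracks is then a 2^e-th root of unity, so repeated squaring is guaranteed to reach 1). For a composite p that guarantee is gone, and a loop written as "square until it becomes 1" has no reason to stop. The Python below is an added illustration written for this page, not OpenSSL's code and not its patch: the same algorithm with every search given an explicit exit, so a modulus that is not prime produces a failure instead of a hang. The inputs are constructed (41 and 7 are prime; 85 = 5·17 and 21 = 3·7 are not).

```python
"""
Bounded Tonelli-Shanks modular square root.
Added illustration for this page; not OpenSSL code and not its fix.
"""


def mod_sqrt(a: int, p: int, max_candidates: int = 64):
    """Return r with (r * r) % p == a, or None when no root is found or p
    does not behave like an odd prime. No loop in here is unbounded."""
    if p < 2 or (p != 2 and p % 2 == 0):
        return None                      # even or tiny moduli are rejected outright
    a %= p
    if a == 0 or p == 2:
        return a
    if p % 4 == 3:                       # closed form; verified before returning
        r = pow(a, (p + 1) // 4, p)
        return r if (r * r) % p == a else None

    # Write p - 1 = q * 2^e with q odd.
    q, e = p - 1, 0
    while q % 2 == 0:
        q //= 2
        e += 1

    # Find a quadratic non-residue y via Euler's criterion. A composite p may
    # never yield one (the criterion only holds for primes), so the search is
    # capped instead of running until it succeeds.
    y = next((c for c in range(2, 2 + max_candidates)
              if pow(c, (p - 1) // 2, p) == p - 1), None)
    if y is None:
        return None

    x = pow(a, (q + 1) // 2, p)          # candidate root
    b = pow(a, q, p)                     # for prime p: b == 1 exactly when x is a root
    g = pow(y, q, p)

    while b != 1:
        # Find the smallest i with b^(2^i) == 1. For prime p such an i < e
        # always exists; for composite p it may not. e shrinks every round,
        # and once e == 1 the first check already sees i == 2, so the guard
        # has to be ">=": a guard written as "== e" would simply be skipped
        # and the squaring loop would run without limit.
        i, t = 1, (b * b) % p
        while t != 1:
            i += 1
            if i >= e:
                return None              # p is not prime, or a is not a square
            t = (t * t) % p
        gs = pow(g, 1 << (e - i - 1), p)
        g = (gs * gs) % p
        x = (x * gs) % p
        b = (b * g) % p
        e = i                            # strictly decreasing, so the outer loop ends

    return x if (x * x) % p == a else None


if __name__ == "__main__":
    # Constructed inputs: prime moduli succeed or fail cleanly, composite
    # moduli are rejected quickly instead of hanging the process.
    for a, p in ((9, 41), (3, 41), (2, 7), (2, 85), (4, 21)):
        print(f"mod_sqrt({a}, {p}) = {mod_sqrt(a, p)}")
```

The point is not the arithmetic but the shape of the defence: a routine whose termination argument depends on an attacker-controlled value (here the modulus taken from explicit curve parameters) needs a bound it enforces itself rather than one it assumes.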
Readme
A simple remote triggering POC for CVE-2022-0778 

### Why
While trying to validate whether server implementations on our side were/are vulnerable to CVE-2022-0778, it
proved extremely cumbersome to do so remotely. Instructions to create maliciously crafted certificates to trigger
the parsing bug in `BN_mod_sqrt()` [have been around](https://github.com/drago-96/CVE-2022-0778) for a while now,
but the main issue is that most client implementations would try to parse the client certificate in order to use
it in the TLS handshake. This in turn meant that
- if the implementation was vulnerable, the bug would be triggered and the client would consume 100% CPU and stall;
- if the implementation was not vulnerable, the certificate could not be parsed and the client would, rightfully so, exit.

### What
What was actually needed was to be able to inject a message into the TLS handshake so that we could replace the contents
of the Certificate message that the client sends to the server in response to the CertificateRequest message.

### How
This depends on [tlslite-ng](https://github.com/tlsfuzzer/tlslite-ng) and overrides the `TLSConnection._clientKeyExchange`
method so that, during a TLS handshake with a possibly vulnerable server:

1. We send a ClientHello message as we normally would
2. We consume the ServerHello message and check whether it contains a CertificateRequest
3. If it does, we construct an arbitrary Certificate message, loading the DER-encoded crafted certificate from disk
4. We send the crafted message to the server and expect it to parse it, possibly triggering CVE-2022-0778

The `crafted.crt` is created following the instructions in https://github.com/drago-96/CVE-2022-0778#using-asn1-templates;
feel free to recreate it if you wish.
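The crafted certificate relies on explicit EC domain parameters, which RFC 5480 already forbids in PKIX certificates (namedCurve is the only form that must be supported; specifiedCurve must not be used). A service that cannot patch immediately can therefore refuse any id-ecPublicKey AlgorithmIdentifier whose parameters are a SEQUENCE before the bytes reach OpenSSL. The Python below is an added example for this page, not code from this repository, from drago-96's, or from OpenSSL; the sample AlgorithmIdentifiers are constructed (the explicit one is a stub holding only the ECParameters version field), and pulling the SubjectPublicKeyInfo algorithm field out of a certificate, or the parameters out of a private key, is left to whatever X.509/PKCS#8 library the caller already uses.

```python
"""
Pre-filter for EC AlgorithmIdentifiers: classify the ECParameters form and
refuse specifiedCurve (explicit domain parameters) before a parser sees it.
Added example for this page; not code from the PoC repository or OpenSSL.
"""

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1

TAG_SEQUENCE, TAG_OID, TAG_NULL = 0x30, 0x06, 0x05

# RFC 5480 ECParameters is a CHOICE; the outer tag tells the form apart.
_PARAM_FORMS = {
    TAG_OID: "namedCurve",
    TAG_NULL: "implicitCurve",
    TAG_SEQUENCE: "specifiedCurve",
}


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end).
    Only definite-length encodings are accepted, as DER requires."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def ec_parameter_form(alg_id: bytes):
    """Classify a DER AlgorithmIdentifier. Returns None for non-EC algorithms,
    otherwise 'namedCurve', 'implicitCurve' or 'specifiedCurve'."""
    tag, body, end = read_tlv(alg_id, 0)
    if tag != TAG_SEQUENCE or end != len(alg_id):
        raise ValueError("not a single AlgorithmIdentifier SEQUENCE")
    oid_tag, oid, pos = read_tlv(body, 0)
    if oid_tag != TAG_OID:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    if oid != ID_EC_PUBLIC_KEY:
        return None                         # RSA, EdDSA, ...: not our concern here
    if pos >= len(body):
        raise ValueError("id-ecPublicKey without parameters")
    params_tag, _, _ = read_tlv(body, pos)
    if params_tag not in _PARAM_FORMS:
        raise ValueError(f"unexpected ECParameters tag 0x{params_tag:02x}")
    return _PARAM_FORMS[params_tag]


def uses_explicit_ec_params(alg_id: bytes) -> bool:
    """True when the key would make the parser read explicit curve parameters."""
    return ec_parameter_form(alg_id) == "specifiedCurve"


# Constructed sample AlgorithmIdentifiers (not taken from any real certificate).
NAMED_CURVE_ALG_ID = bytes.fromhex(
    "3013" "0607" "2a8648ce3d0201"          # id-ecPublicKey
    "0608" "2a8648ce3d030107")              # namedCurve prime256v1
EXPLICIT_PARAMS_ALG_ID = bytes.fromhex(
    "300e" "0607" "2a8648ce3d0201"          # id-ecPublicKey
    "3003" "020101")                        # specifiedCurve stub: SEQUENCE { version 1 }
RSA_ALG_ID = bytes.fromhex(
    "300d" "0609" "2a864886f70d010101"      # rsaEncryption
    "0500")                                 # NULL parameters

if __name__ == "__main__":
    for name, sample in (("named", NAMED_CURVE_ALG_ID),
                         ("explicit", EXPLICIT_PARAMS_ALG_ID),
                         ("rsa", RSA_ALG_ID)):
        print(name, ec_parameter_form(sample), "reject" if uses_explicit_ec_params(sample) else "accept")
```

Refusing at this layer is a stopgap, not the fix: the patched releases listed in the advisory (1.1.1n, 3.0.2, 1.0.2zd) remove the loop itself, and the filter only covers inputs that pass through the code path where you installed it.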

### Usage
```
usage: main.py [-h] [--server SERVER] [--port PORT]

Parameters

optional arguments:
  -h, --help       show this help message and exit
  --server SERVER  Name of the server to connect for the TLS handshake,
                   defaults to "localhost"
  --port PORT      Port where server listens for TLS connections, defaults to
                   "443"
```
File Snapshot

```
[4.0K] /data/pocs/b53ca772d7f3d2f40a93a646bb2aef6b1bdf9207
├── [ 422] crafted.crt
├── [3.3K] main.py
├── [2.1K] README.md
└── [  44] requirements.txt

0 directories, 4 files
```