SpookySSL-Scanner

SpookySSL CVE-2022-3602 SSLv3 Scanner for Windows, Linux, macOS

(Turkish) Zafiyet Nasıl Oluşuyor?

Öncelikle sorun byte boyutunu belirlerken ortaya çıkıyor. Bayt boyutunu belirlerken farkındaysanız NULL yani boş/sıfır değer tanımlanmamış yani bayt uzunluğu sıfır olarak belirlenebiliyor. Alttaki komutta xn-- ile başlayan kısım direkt olarak farklı alfabelerde (örneğin Çinceden punycode olarak dönüştürülen) yazılmış alfabedeki domain adlarının latin alfabesine dönüştürülmesi anlamına geliyor. If döngüsü içerisinde memcpy komutu delta + 1 değerlik bir stack alanını memory üzerinde ayırıyor ve outptr değerini bu alana yazıyor. NULL değer girildiğinde ise 1 baytlık yer açıldığı için iki adet boşluk kodu bir buffer overflow yaratıyor.
Ayrıntılı bilgi için : https://github.com/openssl/openssl/commit/c42165b5706e42f67ef8ef4c351a9a4c5d21639a

What is the CVE-2022-3602?

First of all, we must be know Remote code execution (RCE)
Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.

CVE-2022-3602 vulnerability in OpenSSL occurs due to incorrect processing of Punycode while checking X.509 certificates.
Punycode is a representation of Unicode strings using the limited ASCII character subset. It is usually used to encode domain names containing non-ASCII characters, for example Japanese letters. A punycode-encoded string

begins with “xn--” and is followed by English characters and digits.

The vulnerable function ossl_punycode_decode may cause buffer overflow during Punycode string decoding. It is called when OpenSSL processes a certificate chain. In order to exploit vulnerability it is required to:

1) Craft a CA (certificate authority) certificate or Intermediary certificate that contains the “nameConstraints” field with a malicious Punycode string. The Punycode string must contain at least 512 bytes excluding “xn--”.

2) Craft a leaf certificate that contains a SubjectAlternateName (SAN) otherName field that specifies a SmtpUTF8Mailbox string

Denial of Service (DoS) Vulnerability Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash.

CVE-2022-3602 vulnerability has Denial of Service vulnerability too as other buffer overflow vulns. Buffer overflow occurs in the ossl_a2ulabel vulnerable function. When this function meets a Punycode part followed by a dot character (“.”) it also appends “.” to the output buffer even if it overflows its size. This way, an attacker can overflow the output buffer by any number of “.” characters, which leads to the stack corruption. This vulnerability can’t be used for remote code execution, just denial of service.

Source : https://blog.checkpoint.com/2022/11/01/openssl-vulnerability-cve-2022-3602-remote-code-execution-and-cve-2022-3786-denial-of-service-check-point-research-update/

Installation

• winget install python --source msstore (for Windows)
• pip install pypiwin32
• pip install glob
• pip install platform
• pip install osquery (for Linux)

Pics