From b05e378ea7f3170f49008bffc3371cf3f2816d25 Mon Sep 17 00:00:00 2001 From: Elle Date: Fri, 10 Mar 2023 08:57:29 +0000 Subject: [PATCH 01/14] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2022-3786?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/openssl/2022/CVE-2022-3786/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/openssl/2022/CVE-2022-3786/.keep diff --git a/cve/openssl/2022/CVE-2022-3786/.keep b/cve/openssl/2022/CVE-2022-3786/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From d9f8a878b0a25b13a9c0b8baa0ef2e09b877a95d Mon Sep 17 00:00:00 2001 From: Elle Date: Fri, 10 Mar 2023 08:58:46 +0000 Subject: [PATCH 02/14] CVE-2022-3786 Signed-off-by: Elle --- cve/openssl/2022/CVE-2022-3786/README.md | 75 ++++++++++++++++ .../CVE-2022-3786/confirm-vulnerability.c | 85 +++++++++++++++++++ cve/openssl/2022/CVE-2022-3786/harness.c | 76 +++++++++++++++++ 3 files changed, 236 insertions(+) create mode 100644 cve/openssl/2022/CVE-2022-3786/README.md create mode 100644 cve/openssl/2022/CVE-2022-3786/confirm-vulnerability.c create mode 100644 cve/openssl/2022/CVE-2022-3786/harness.c diff --git a/cve/openssl/2022/CVE-2022-3786/README.md b/cve/openssl/2022/CVE-2022-3786/README.md new file mode 100644 index 00000000..a43b6cf2 --- /dev/null +++ b/cve/openssl/2022/CVE-2022-3786/README.md 
@@ -0,0 +1,75 @@ +# Fuzzing OpenSSL + +This repository has a companion blog post titled "Finding CVE-2022-3786 (openssl) with Mayhem" at https://www.seandeaton.com. + +## tl;dr + +All of this is taken care of for you with the included Dockerfile (also on DockerHub). You can run it like so: + +```shell +# Build the container +docker build --tag openssl-cve-2022-3768 . +# Or if you just want to pull down the existing one: +TODO +# Ensure that you're in this project's root directory (ie you can see ./output/) +# Mount the ./input/ directory to the containers /input. This is for fuzz input. +# This is Linux specific, Windows I think has %CD% in lieu of $(pwd)? +docker run --interactive --tty --volume $(pwd)/input:/input +``` + +The entrypoint of the container is to just run `afl` so you can get started +fuzzing immediately. To override this behavior, append `/bin/bash` to the end +of the `docker run` line. + +## Getting a Vulnerable Version + +The last commit that includes the vulnerability is commit SHA `3b421ebc64c7b52f1b9feb3812bdc7781c784332` from November 1st, 2022. It was fixed in commit SHA `680e65b94c916af259bfdc2e25f1ab6e0c7a97d6`. We can get the vulnerable version easily with `git`: + +```shell +# Clone the repository. +git clone git://git.openssl.org/openssl.git +# Change into the working directory. +cd openssl +# Detach HEAD from origin to examine the code as it was when it was vulnerable. +git checkout 3b421ebc64c7b52f1b9feb3812bdc7781c784332 +``` + +## Compiling + +For compilation, we use AFL's gcc compiler (because I kept getting undefined +references with `clang`). Because of the small buffer overflow +offset, we also want to use address sanitization (ASAN), enabled with AFL's +environment variable `AFL_USE_ASAN`. Given ASAN's use of large amounts of +memory, we also need to restrict the address space which we can do by compiling +the program for a 32-bit architecture. More detail [here][afl-asan]. 
+ +OpenSSL's configuration for 32-bit takes in the flags `-m32` and +`linux-generic32`. The `compile.sh` script does this for you. + +```shell +# Configuration +AFL_USE_ASAN=1 CC=afl-gcc-fast CXX=afl-g++-fast ./Configure -m32 linux-generic32 +# Make +AFL_USE_ASAN=1 CC=afl-gcc-fast CXX=afl-g++-fast CFLAGS="-m32" CXXFLAGS="-m32" make +``` + +This could take awhile given your system's resources. After compilation, we need +to compile our harness. A Makefile is given. + +```shell +# Compile the harness. +$ make harness +# Run the harness. +$ ./harness input/seed0.txt +ossl_a2ulabel returned: 1 +``` + +And there you go, you can get started fuzzing the `ossl_a2ulabel` in `openssl`. +With AFL the command looks something like the following (or just use the +included `run.sh` script). + +```shell +afl-fuzz -i /input -o /output /harness/harness @@ +``` + +[afl-asan]: https://afl-1.readthedocs.io/en/latest/notes_for_asan.html diff --git a/cve/openssl/2022/CVE-2022-3786/confirm-vulnerability.c b/cve/openssl/2022/CVE-2022-3786/confirm-vulnerability.c new file mode 100644 index 00000000..e6e5b5a8 --- /dev/null +++ b/cve/openssl/2022/CVE-2022-3786/confirm-vulnerability.c 
@@ -0,0 +1,85 @@ +/* This file is adapted from the OpenSSL test created after the CVE. See: +** https://github.com/openssl/openssl/commit/a0af4a3c8b18c435a5a4afb28b3ad1a2730e6ea8#diff-83399d92c96bb1f4616b5c6f090053b95834cdbc7bb37bb0d835d1555f69e8ad +*/ + +#include +#include +#include +#include +#include +#include + +/* From punycode test. See link above */ +#include +#include +#include "crypto/punycode.h" +#include "internal/nelem.h" + +#define TEST_mem_eq(a, m, b, n) test_mem_eq(__FILE__, __LINE__, #a, #b, a, m, b, n) +#define TEST_false(a) test_false(__FILE__, __LINE__, #a, (a) != 0) + +int test_mem_eq(const char *file, int line, const char *st1, const char *st2, + const void *s1, size_t n1, const void *s2, size_t n2) +{ + if (s1 == NULL && s2 == NULL) + return 1; + if (n1 != n2 || s1 == NULL || s2 == NULL || memcmp(s1, s2, n1) != 0) { + return 0; + } + return 1; +} +int test_false(const char *file, int line, const char *s, int b) +{ + if (!b) + return 1; + return 0; +} + +static int test_puny_overrun(void) +{ + static const unsigned int out[] = { + 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F + }; + static const char *in = "3B-ww4c5e180e575a65lsy2b"; + unsigned int buf[OSSL_NELEM(out)]; + unsigned int bsize = OSSL_NELEM(buf) - 1; + + if (!TEST_false(ossl_punycode_decode(in, strlen(in), buf, &bsize))) { + if (TEST_mem_eq(buf, bsize * sizeof(*buf), out, sizeof(out))) + puts("CRITICAL: buffer overrun detected!"); + return 0; + } + return 1; +} + +static int test_puny_overrun_crash(void) +{ + char* in = "3B-ww4c5e180e575a65lsy2b"; + unsigned int out[] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00, // Only 7-bytes now! + }; + + unsigned int bsize = OSSL_NELEM(out); // The actual size of our buffer + + int result = ossl_punycode_decode(in, strlen(in), out, &bsize); + + return 1; +} + +#define A2ULABEL_SIZE 512 +static int test_puny_overrun_large(void) +{ + unsigned int outlen = A2ULABEL_SIZE; + // Should produce 513 sized output.... 
+ static const char* in = "3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2ba"; + unsigned int out[A2ULABEL_SIZE]; + memset(out, 0xdd, sizeof(out)); + + int result = ossl_punycode_decode(in, strlen(in), out, &outlen); + + return 1; +} + +int main(int argc, char ** argv) { + return test_puny_overrun_large(); +} \ No newline at end of file diff --git a/cve/openssl/2022/CVE-2022-3786/harness.c b/cve/openssl/2022/CVE-2022-3786/harness.c new file mode 100644 index 00000000..dbcb3dd7 --- /dev/null +++ b/cve/openssl/2022/CVE-2022-3786/harness.c 
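Review bot: `main` returns `test_puny_overrun_large()`, which discards `result` and returns 1 unconditionally, so the exit status never reflects whether the overrun happened — the only signal is an ASan report, and the program exits non-zero even on a fixed build; `test_puny_overrun` and `test_puny_overrun_crash` are never called, and the latter likewise ignores its `result`. If ossl_punycode_decode follows the contract the upstream test relies on (presumably returning 0 when the output does not fit), `test_puny_overrun_large` can report `return result == 0 && outlen <= A2ULABEL_SIZE;` and `main` can run all three checks and map each outcome onto `EXIT_SUCCESS`/`EXIT_FAILURE` instead of a bare 1. The comment `// Only 7-bytes now!` on the `out` array in `test_puny_overrun_crash` is misleading: the array has 7 `unsigned int` elements, i.e. 28 bytes, and it is 7 elements (not bytes) that `OSSL_NELEM(out)` passes as the buffer size. The `file`, `line`, `st1`, `st2` and `s` parameters of `test_mem_eq`/`test_false` are unused after the adaptation; `(void)` them or drop them from the local macros so the file compiles cleanly under `-Wall -Wextra`.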
@@ -0,0 +1,76 @@ +#include +#include +#include +#include +#include +#include + +/* From punycode test. See link below. +** https://github.com/openssl/openssl/commit/a0af4a3c8b18c435a5a4afb28b3ad1a2730e6ea8#diff-83399d92c96bb1f4616b5c6f090053b95834cdbc7bb37bb0d835d1555f69e8ad +*/ +#include +#include + +#include "crypto/punycode.h" +#include "internal/nelem.h" + +/* This is from crypto/punycode.c +** Why not the header? I dunno. */ +#define LABEL_BUF_SIZE 512 + +int main(int argc, char ** argv){ + + int fd; + struct stat stat; + int result; + + /* Ensure we have the correct number of arguments. */ + if (argc != 2) { + fprintf(stderr, "Usage: %s \n", argv[0]); + exit(EXIT_FAILURE); + } + + /* Open the file passed in to argv[1]. */ + fd = open(argv[1], O_RDONLY); + /* Check that the file exists. */ + if (fd < 0) { + perror("Open"); + return EXIT_FAILURE; + } + + /* Get the size of the file. */ + if (fstat(fd, &stat) < 0) { + perror("fstat"); + return EXIT_FAILURE; + } + + /* Create a buffer of that size. */ + char * in = malloc(stat.st_size); + + /* Read the contents of the file into the buffer at once. */ + if (read(fd, in, stat.st_size) < 0) { + perror("read"); + return EXIT_FAILURE; + } + + /* If DEBUG is defined, print the contents of the buffer. + ** Users can set this at compilation time with -DDEBUG + */ + #ifdef DEBUG + printf("The contents of the file: %s", in); + #endif + + /* Call the function we want to test. */ + char ulabel[256]; + size_t size = sizeof(ulabel) - 1; + memset(ulabel, 0, sizeof(ulabel)); + result = ossl_a2ulabel(in, ulabel, &size); + printf("ossl_a2ulabel returned: %d\n", result); + + /* Free the buffer and set it to NULL. */ + free(in); + in = NULL; + + /* Exit the program. */ + return result; +} -- Gitee From 421978a0bfa06d54a78e3a3a714c898876872eba Mon Sep 17 00:00:00 2001 From: Elle Date: Fri, 10 Mar 2023 09:01:17 +0000 Subject: [PATCH 03/14] add cve/openssl/2022/yaml/CVE-2022-3768.yaml. 
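Review bot: The buffer handed to ossl_a2ulabel is never NUL-terminated: `malloc(stat.st_size)` allocates exactly the file size, the `read` return is only checked for `< 0` (a short read is accepted silently), and nothing writes a terminator, so ossl_a2ulabel — which walks `in` as a C string — and the DEBUG `printf("%s", in)` read past the end of the allocation; on this ASan build that surfaces as a heap-buffer-overflow in the harness itself rather than in the target, and the malloc result is also unchecked. Allocate one extra byte, terminate at the number of bytes actually read, and bail on a NULL allocation; `close(fd)` can follow the read since the descriptor is not used again. The local `struct stat stat` also shadows the `stat()` function, which is legal but easy to misread — `st` is the usual name.
```c
    /* Create a buffer of that size plus one byte for the terminator. */
    char *in = malloc((size_t)stat.st_size + 1);
    if (in == NULL) {
        perror("malloc");
        return EXIT_FAILURE;
    }

    /* Read the contents of the file into the buffer at once; a short read is
    ** acceptable as long as the bytes we did get are terminated. */
    ssize_t n = read(fd, in, (size_t)stat.st_size);
    if (n < 0) {
        perror("read");
        return EXIT_FAILURE;
    }
    in[n] = '\0';
    close(fd);
    /* … unchanged: DEBUG print, ossl_a2ulabel call, free … */
```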
Signed-off-by: Elle --- cve/openssl/2022/yaml/CVE-2022-3768.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 cve/openssl/2022/yaml/CVE-2022-3768.yaml diff --git a/cve/openssl/2022/yaml/CVE-2022-3768.yaml b/cve/openssl/2022/yaml/CVE-2022-3768.yaml new file mode 100644 index 00000000..6a7a9392 --- /dev/null +++ b/cve/openssl/2022/yaml/CVE-2022-3768.yaml @@ -0,0 +1,19 @@ +id: CVE-2022-3768 +source: OpenSSL +info: + name: OpenSSL缓冲区溢出漏洞 + severity: 严重 + description: | + 在X.509证书验证中,特别是在名称约束检查中,可能会触发缓冲区溢出。这种情况发生在证书链签名验证之后,并且要求CA已经签署了恶意证书,或者要求应用程序在无法构造到受信任的颁发者的路径的情况下继续进行证书验证。攻击者可以在证书中伪造一个恶意的电子邮件地址来溢出任意数量的字节,其中包含'。'字符(十进制46)。缓冲区溢出可能导致崩溃(导致拒绝服务)。在TLS客户端中,这可以通过连接到恶意服务器来触发。在TLS服务器中,如果服务器请求客户端身份验证而恶意客户端连接,则会触发此操作 + scope-of-influence: + 导致拒绝服务 + reference: + https://wpscan.com/vulnerability/1d8bf5bb-5a17-49b7-a5ba-5f2866e1f8a3 + classification: + cvss-metrics: + cvss-score: 9.0 + cve-id: + cwe-id: + cnvd-id: + kve-id: + tags: \ No newline at end of file -- Gitee From 298fc3f9b7536186462b9db404aaac6333f71113 Mon Sep 17 00:00:00 2001 From: Elle Date: Fri, 10 Mar 2023 09:02:17 +0000 Subject: [PATCH 04/14] update openkylin_list.yaml. Signed-off-by: Elle --- openkylin_list.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index f822acc2..0f045787 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -56,6 +56,7 @@ cve: - CVE-2022-2274 - CVE-2022-3602 - CVE-2023-25136 + - CVE-2022-3786 libxml2: - CVE-2020-24977 - CVE-2021-3517 -- Gitee From 45f915e752633984c64d40771bb010d95bd0b352 Mon Sep 17 00:00:00 2001 From: Elle Date: Fri, 10 Mar 2023 09:24:05 +0000 Subject: [PATCH 05/14] rename cve/openssl/2022/yaml/CVE-2022-3768.yaml to cve/openssl/2022/yaml/CVE-2022-3786.yaml. Signed-off-by: Elle --- .../{CVE-2022-3768.yaml => CVE-2022-3786.yaml} | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) rename cve/openssl/2022/yaml/{CVE-2022-3768.yaml => CVE-2022-3786.yaml} (73%) 
diff --git a/cve/openssl/2022/yaml/CVE-2022-3768.yaml b/cve/openssl/2022/yaml/CVE-2022-3786.yaml similarity index 73% rename from cve/openssl/2022/yaml/CVE-2022-3768.yaml rename to cve/openssl/2022/yaml/CVE-2022-3786.yaml index 6a7a9392..bbde4724 100644 --- a/cve/openssl/2022/yaml/CVE-2022-3768.yaml +++ b/cve/openssl/2022/yaml/CVE-2022-3786.yaml @@ -1,4 +1,4 @@ -id: CVE-2022-3768 +id: CVE-2022-3786 source: OpenSSL info: name: OpenSSL缓冲区溢出漏洞 @@ -6,14 +6,14 @@ info: description: | 在X.509证书验证中,特别是在名称约束检查中,可能会触发缓冲区溢出。这种情况发生在证书链签名验证之后,并且要求CA已经签署了恶意证书,或者要求应用程序在无法构造到受信任的颁发者的路径的情况下继续进行证书验证。攻击者可以在证书中伪造一个恶意的电子邮件地址来溢出任意数量的字节,其中包含'。'字符(十进制46)。缓冲区溢出可能导致崩溃(导致拒绝服务)。在TLS客户端中,这可以通过连接到恶意服务器来触发。在TLS服务器中,如果服务器请求客户端身份验证而恶意客户端连接,则会触发此操作 scope-of-influence: - 导致拒绝服务 + 3.0.0 <= OpenSSL <= 3.0.6 reference: - https://wpscan.com/vulnerability/1d8bf5bb-5a17-49b7-a5ba-5f2866e1f8a3 + https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a classification: - cvss-metrics: + cvss-metrics: cvss-score: 9.0 - cve-id: - cwe-id: - cnvd-id: - kve-id: - tags: \ No newline at end of file + cve-id: CVE-2022-3786 + cwe-id: None + cnvd-id:None + kve-id:None + tags:缓冲区溢出,CVE-2022 \ No newline at end of file -- Gitee From feef8effda046ef8733b2419ca4899bfe53bd3d2 Mon Sep 17 00:00:00 2001 From: Elle Date: Fri, 10 Mar 2023 09:30:03 +0000 Subject: [PATCH 06/14] update cve/openssl/2022/yaml/CVE-2022-3786.yaml. Signed-off-by: Elle --- cve/openssl/2022/yaml/CVE-2022-3786.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/openssl/2022/yaml/CVE-2022-3786.yaml b/cve/openssl/2022/yaml/CVE-2022-3786.yaml index bbde4724..32884ad1 100644 --- a/cve/openssl/2022/yaml/CVE-2022-3786.yaml +++ b/cve/openssl/2022/yaml/CVE-2022-3786.yaml @@ -13,7 +13,7 @@ info: cvss-metrics: cvss-score: 9.0 cve-id: CVE-2022-3786 - cwe-id: None + cwe-id: CWE-120 cnvd-id:None kve-id:None tags:缓冲区溢出,CVE-2022 \ No newline at end of file -- Gitee 
From 42eb1c8f427f9edd9a95a129dd4f60f3c5cafcff Mon Sep 17 00:00:00 2001 From: Elle Date: Mon, 13 Mar 2023 02:04:43 +0000 Subject: [PATCH 07/14] update cve/openssl/2022/yaml/CVE-2022-3786.yaml. Signed-off-by: Elle --- cve/openssl/2022/yaml/CVE-2022-3786.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cve/openssl/2022/yaml/CVE-2022-3786.yaml b/cve/openssl/2022/yaml/CVE-2022-3786.yaml index 32884ad1..52778a0d 100644 --- a/cve/openssl/2022/yaml/CVE-2022-3786.yaml +++ b/cve/openssl/2022/yaml/CVE-2022-3786.yaml @@ -14,6 +14,6 @@ info: cvss-score: 9.0 cve-id: CVE-2022-3786 cwe-id: CWE-120 - cnvd-id:None - kve-id:None - tags:缓冲区溢出,CVE-2022 \ No newline at end of file + cnvd-id: None + kve-id: None + tags: 缓冲区溢出,CVE-2022 \ No newline at end of file -- Gitee From 662b35950fc5349cedc9b74045e3a79221c39409 Mon Sep 17 00:00:00 2001 From: Elle Date: Mon, 13 Mar 2023 02:11:57 +0000 Subject: [PATCH 08/14] update cve/openssl/2022/yaml/CVE-2022-3786.yaml. Signed-off-by: Elle --- cve/openssl/2022/yaml/CVE-2022-3786.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cve/openssl/2022/yaml/CVE-2022-3786.yaml b/cve/openssl/2022/yaml/CVE-2022-3786.yaml index 52778a0d..f4c6d5e3 100644 --- a/cve/openssl/2022/yaml/CVE-2022-3786.yaml +++ b/cve/openssl/2022/yaml/CVE-2022-3786.yaml 
@@ -1,17 +1,17 @@ id: CVE-2022-3786 -source: OpenSSL +source: https://nvd.nist.gov/vuln/detail/CVE-2022-3786 info: name: OpenSSL缓冲区溢出漏洞 - severity: 严重 + severity: High description: | 在X.509证书验证中,特别是在名称约束检查中,可能会触发缓冲区溢出。这种情况发生在证书链签名验证之后,并且要求CA已经签署了恶意证书,或者要求应用程序在无法构造到受信任的颁发者的路径的情况下继续进行证书验证。攻击者可以在证书中伪造一个恶意的电子邮件地址来溢出任意数量的字节,其中包含'。'字符(十进制46)。缓冲区溢出可能导致崩溃(导致拒绝服务)。在TLS客户端中,这可以通过连接到恶意服务器来触发。在TLS服务器中,如果服务器请求客户端身份验证而恶意客户端连接,则会触发此操作 scope-of-influence: 3.0.0 <= OpenSSL <= 3.0.6 reference: - https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a + https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a classification: - cvss-metrics: - cvss-score: 9.0 + cvss-metrics: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + cvss-score: 7.5 cve-id: CVE-2022-3786 cwe-id: CWE-120 cnvd-id: None -- Gitee From 9c83056b2824e38454427f20795ffa3f46c3cbd5 Mon Sep 17 00:00:00 2001 From: Elle Date: Mon, 13 Mar 2023 05:53:30 +0000 Subject: [PATCH 09/14] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/openssl/2022/CVE-2022-3786/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/openssl/2022/CVE-2022-3786/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/openssl/2022/CVE-2022-3786/.keep diff --git a/cve/openssl/2022/CVE-2022-3786/.keep b/cve/openssl/2022/CVE-2022-3786/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From b8a49650dd8494296795b2adda09e0b896fb904d Mon Sep 17 00:00:00 2001 From: Elle Date: Mon, 13 Mar 2023 05:56:24 +0000 Subject: [PATCH 10/14] update cve/openssl/2022/yaml/CVE-2022-3786.yaml. Signed-off-by: Elle --- cve/openssl/2022/yaml/CVE-2022-3786.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cve/openssl/2022/yaml/CVE-2022-3786.yaml b/cve/openssl/2022/yaml/CVE-2022-3786.yaml index f4c6d5e3..7c7a4fd4 100644 --- a/cve/openssl/2022/yaml/CVE-2022-3786.yaml 
+++ b/cve/openssl/2022/yaml/CVE-2022-3786.yaml @@ -10,10 +10,10 @@ info: reference: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a classification: - cvss-metrics: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H cvss-score: 7.5 cve-id: CVE-2022-3786 cwe-id: CWE-120 cnvd-id: None kve-id: None - tags: 缓冲区溢出,CVE-2022 \ No newline at end of file + tags: 缓冲区溢出, CVE-2022 \ No newline at end of file -- Gitee From 1cf1d651c79e5b5f6f8312ffe92c426cf24a4f93 Mon Sep 17 00:00:00 2001 From: Elle Date: Mon, 13 Mar 2023 07:17:16 +0000 Subject: [PATCH 11/14] update cve/openssl/2022/yaml/CVE-2022-3786.yaml. Signed-off-by: Elle --- cve/openssl/2022/yaml/CVE-2022-3786.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cve/openssl/2022/yaml/CVE-2022-3786.yaml b/cve/openssl/2022/yaml/CVE-2022-3786.yaml index 7c7a4fd4..70abb2fd 100644 --- a/cve/openssl/2022/yaml/CVE-2022-3786.yaml +++ b/cve/openssl/2022/yaml/CVE-2022-3786.yaml @@ -1,10 +1,10 @@ id: CVE-2022-3786 source: https://nvd.nist.gov/vuln/detail/CVE-2022-3786 info: - name: OpenSSL缓冲区溢出漏洞 + name: 在TLS客户端中,通过连接到恶意服务器来触发漏洞。如果服务器请求客户端身份验证而恶意客户端连接,触发OpenSSL缓冲区溢出漏洞。 severity: High description: | - 在X.509证书验证中,特别是在名称约束检查中,可能会触发缓冲区溢出。这种情况发生在证书链签名验证之后,并且要求CA已经签署了恶意证书,或者要求应用程序在无法构造到受信任的颁发者的路径的情况下继续进行证书验证。攻击者可以在证书中伪造一个恶意的电子邮件地址来溢出任意数量的字节,其中包含'。'字符(十进制46)。缓冲区溢出可能导致崩溃(导致拒绝服务)。在TLS客户端中,这可以通过连接到恶意服务器来触发。在TLS服务器中,如果服务器请求客户端身份验证而恶意客户端连接,则会触发此操作 + 在X.509证书验证中,特别是在名称约束检查中,可能会触发缓冲区溢出。这种情况发生在证书链签名验证之后,并且要求CA已经签署了恶意证书,或者要求应用程序在无法构造到受信任的颁发者的路径的情况下继续进行证书验证。攻击者可以在证书中伪造一个恶意的电子邮件地址来溢出任意数量的字节,其中包含'。'字符(十进制46)。缓冲区溢出可能导致崩溃(导致拒绝服务)。 scope-of-influence: 3.0.0 <= OpenSSL <= 3.0.6 reference: -- Gitee From 21d794f5b05c2e0e0a37dce80a36725038d2ee68 Mon Sep 17 00:00:00 2001 From: Elle Date: Tue, 14 Mar 2023 06:57:05 +0000 Subject: [PATCH 12/14] update cve/openssl/2022/yaml/CVE-2022-3786.yaml. 
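Review bot: The `name` field now holds two sentences of trigger conditions rather than a short title, while the same sentences were removed from `description`; before this change `name` was the short identifier `OpenSSL缓冲区溢出漏洞` and the TLS client/server trigger lived in `description`, which is where a reader looks for it. Keeping `name: OpenSSL缓冲区溢出漏洞` (or a more specific short title for the X.509 email-address punycode overflow) and restoring the two trigger sentences to the end of `description` keeps each field consistent with its meaning and with the other YAML entries in this tree.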
Signed-off-by: Elle --- cve/openssl/2022/yaml/CVE-2022-3786.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/openssl/2022/yaml/CVE-2022-3786.yaml b/cve/openssl/2022/yaml/CVE-2022-3786.yaml index 70abb2fd..c532b8a2 100644 --- a/cve/openssl/2022/yaml/CVE-2022-3786.yaml +++ b/cve/openssl/2022/yaml/CVE-2022-3786.yaml @@ -1,5 +1,5 @@ id: CVE-2022-3786 -source: https://nvd.nist.gov/vuln/detail/CVE-2022-3786 +source: https://github.com/WhatTheFuzz/openssl-fuzz info: name: 在TLS客户端中,通过连接到恶意服务器来触发漏洞。如果服务器请求客户端身份验证而恶意客户端连接,触发OpenSSL缓冲区溢出漏洞。 severity: High -- Gitee From 3416eb7698af1520292d4eee1438c192c3ba6dae Mon Sep 17 00:00:00 2001 From: Elle Date: Tue, 14 Mar 2023 11:20:02 +0000 Subject: [PATCH 13/14] update openkylin_list.yaml. Signed-off-by: Elle --- openkylin_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index f79f77dc..0ae50084 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -69,6 +69,8 @@ cve: - CVE-2022-2274 - CVE-2022-3602 - CVE-2023-25136 + - CVE-2021-3449 + - CVE-2022-0778 - CVE-2022-3786 libxml2: - CVE-2020-24977 -- Gitee From 59d8514309f3f00e2db45e394a167d716b4d3526 Mon Sep 17 00:00:00 2001 From: Elle Date: Wed, 15 Mar 2023 03:05:22 +0000 Subject: [PATCH 14/14] =?UTF-8?q?=E8=A1=A5=E5=85=85=E6=96=87=E4=BB=B6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Elle --- cve/openssl/2022/CVE-2022-3786/Makefile | 20 ++++++++++++++++++++ cve/openssl/2022/CVE-2022-3786/compile.sh | 13 +++++++++++++ cve/openssl/2022/CVE-2022-3786/run.sh | 8 ++++++++ 3 files changed, 41 insertions(+) create mode 100644 cve/openssl/2022/CVE-2022-3786/Makefile create mode 100644 cve/openssl/2022/CVE-2022-3786/compile.sh create mode 100644 cve/openssl/2022/CVE-2022-3786/run.sh diff --git a/cve/openssl/2022/CVE-2022-3786/Makefile b/cve/openssl/2022/CVE-2022-3786/Makefile new file mode 100644 index 00000000..fc45cfd3 --- /dev/null 
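Review bot: `source` now points at a third-party fuzzing repository instead of the NVD entry it replaced; the NVD/OpenSSL advisory is the authoritative record for the scope and score the rest of this file quotes (CVSS 7.5, `3.0.0 <= OpenSSL <= 3.0.6`), so the fuzz repository fits better as an additional `reference` line, with `source` left at `https://nvd.nist.gov/vuln/detail/CVE-2022-3786`.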
+++ b/cve/openssl/2022/CVE-2022-3786/Makefile @@ -0,0 +1,20 @@ +ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) +CC = afl-gcc-fast +CXX= afl-g++-fast +INCLUDE = -Iopenssl/include -Iopenssl/test +CFLAGS = -m32 -fno-stack-protector -ggdb -Wl,-z,relro +LDFLAGS = -L$(ROOT_DIR)/openssl -l:libcrypto.so.3 -l:libcrypto.a + +.DEFAULT_GOAL := harness + +# What we'll actually use for fuzzing. +harness: harness.c + AFL_USE_ASAN=1 $(CC) -o $@ $< $(CFLAGS) $(INCLUDE) $(LDFLAGS) + +# Confirm that the vulnerability is present. +confirm-vulnerability: confirm-vulnerability.c + AFL_USE_ASAN=1 $(CC) -o $@ $< $(CFLAGS) $(INCLUDE) $(LDFLAGS) + +clean: + rm -f harness + rm -f confirm-vulnerability \ No newline at end of file diff --git a/cve/openssl/2022/CVE-2022-3786/compile.sh b/cve/openssl/2022/CVE-2022-3786/compile.sh new file mode 100644 index 00000000..61843307 --- /dev/null +++ b/cve/openssl/2022/CVE-2022-3786/compile.sh @@ -0,0 +1,13 @@ +#!/bin/sh + +# Change directories into openssl. +cd ./openssl + +# Ensure we're on the vulnerable version. +git checkout eec0ad10b943bc10690358cf2db32ca06c3e81a0 + +# Configure the build for 32-bit, static, and without test (to speed up compilation). +make clean +CC=gcc CXX=g++ CFLAGS="-m32 -Og -g3 -fno-inline-functions -fdump-rtl-expand -fsanitize=address -static-libasan" ./Configure -m32 linux-generic32 no-tests --debug +# Compile the project. +CC=gcc CXX=g++ CFLAGS="-m32 -Og -g3 -fno-inline-functions -fdump-rtl-expand -fsanitize=address -static-libasan" make \ No newline at end of file diff --git a/cve/openssl/2022/CVE-2022-3786/run.sh b/cve/openssl/2022/CVE-2022-3786/run.sh new file mode 100644 index 00000000..b92b5b5a --- /dev/null +++ b/cve/openssl/2022/CVE-2022-3786/run.sh 
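Review bot: `LDFLAGS` links both `-l:libcrypto.so.3` and `-l:libcrypto.a`; the shared object is searched first, so every symbol it exports binds there and the archive only supplies what the shared library lacks — presumably the internal `ossl_a2ulabel`/`ossl_punycode_decode` symbols the two programs call, which OpenSSL does not export from libcrypto.so. That leaves the harness calling internal code from a static copy while the rest of libcrypto resolves to the shared library, which is fragile if the two builds ever differ; linking only `-l:libcrypto.a` (plus `-ldl -lpthread` as needed) makes the binary self-contained and predictable. `-Wl,-z,relro` is a linker option and belongs in `LDFLAGS` rather than `CFLAGS`, and the `harness` and `confirm-vulnerability` recipes are identical apart from the target, so a pattern rule `%: %.c` would remove the duplication.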
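Review bot: `cd ./openssl` is unchecked, so if the checkout is missing the following `git checkout`, `make clean` and `./Configure` run in the caller's directory, where `make clean` may be destructive; `cd ./openssl || exit 1` at the top, or `set -e` right after the shebang, stops the script at the first failure. The script pins commit `eec0ad10b943bc10690358cf2db32ca06c3e81a0` while the README added earlier in this series names `3b421ebc64c7b52f1b9feb3812bdc7781c784332` as the last vulnerable commit and builds with `afl-gcc-fast`, whereas this script uses plain `gcc` with `-fsanitize=address`; one of the two should be corrected, or the difference explained in a comment, so a reader knows which build the Makefile's `LDFLAGS` expects. The long `CFLAGS` string is repeated verbatim on the `./Configure` and `make` lines; assigning it once (`ASAN_CFLAGS="..."`) keeps the two from drifting apart.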
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Change the title of the gnome-shell.
+printf "\e]2;openssl\a"
+# I don't have a dedicated fuzzing machine, limit the CPU scaler.
+export AFL_AUTORESUME=1
+export AFL_SKIP_CPUFREQ=1
+afl-fuzz -i /input -o /output /harness/harness @@
-- Gitee