POC details: b294ef661818393556b0dd2927a07b8750dfb018

Source
Related vulnerability
Title: OpenSSL buffer error vulnerability (CVE-2022-3602)
Description: OpenSSL is an open-source, general-purpose cryptography library from the OpenSSL team that implements the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLSv1) protocols. It supports many cryptographic algorithms, including symmetric ciphers, hash algorithms and secure hash algorithms. OpenSSL versions 3.0.0 through 3.0.6 contain a security vulnerability: a buffer overflow can be triggered during X.509 certificate verification, specifically in name constraint checking. An attacker exploiting it can crash the service (denial of service) or potentially achieve remote code execution.
Description
Detects attempts at exploitation of CVE-2022-3602, a remote code execution vulnerability in OpenSSL v3.0.0 through v3.0.6
Introduction
# Detection for CVE-2022-3602 - OpenSSL RCE/DoS v3.0.0 - v3.0.6

- Detects when the HTTP Server header indicates that the version of OpenSSL is vulnerable to CVE-2022-3602 (i.e. v3.0.0 to v3.0.6 inclusive).
- Detects exploitation attempts in TLS v1.2.

References:
- https://www.openssl.org/news/secadv/20221101.txt
- https://github.com/fox-it/spookyssl-pcaps  


This package generates the following notices:
* `CVE20223602::CVE_2022_3602_Exploit_Attempt`
* `CVE20223602::CVE_2022_3602_Vulnerable_Server`

Each notice also carries the artefact that triggered it in the `sub` field, which can assist with IR triage.

```
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   notice
#open   2022-11-04-11-13-50
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg     sub     src     dst     p       n              peer_descr      actions email_dest      suppress_for    remote_location.country_code    remote_location.region  remote_location.city    remote_location.latitude        remote_location.longitude
#types  time    string  addr    port    addr    port    string  string  string  enum    enum    string  string  addr    addr    port    count   string  set[enum]       set[string]     interval       string  string  string  double  double
1667182702.131152       CKgObk3hwP00kyaoVd      127.0.0.1       53240   127.0.0.1       80      -       -       -       tcp     CVE20223602::CVE_2022_3602_Vulnerable_Server    Potential OpenSSL CVE_2022_3602 Vulnerable server version (v3.0.0-3.0.6)       SERVER value in HTTP header = 'Apache/2.4.54 (Fedora Linux) OpenSSL/3.0.5'      127.0.0.1       127.0.0.1       80      -              -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -       -       -
1667383240.417527       CYgEWD2cUZDWalTz9h      192.168.56.2    50478   192.168.56.3    3000    -       -       -       tcp     CVE20223602::CVE_2022_3602_Exploit_Attempt      Potential OpenSSL CVE_2022_3602 exploit attempt (punycode)     ext$value = 'Permitted:\x0a  email:xn--3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2ba\x0a'        192.168.56.2    192.168.56.3    3000    -       -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -       -              -
1667390605.051174       CTKv5h4LdOlflhiM66      192.168.56.2    46590   192.168.56.3    3000    -       -       -       tcp     CVE20223602::CVE_2022_3602_Exploit_Attempt      Potential OpenSSL CVE_2022_3602 exploit attempt (punycode)     ext$value = 'Permitted:\x0a  email:xn--3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2b3B-ww4c5e180e575a65lsy2ba@example.com\x0a'    192.168.56.2    192.168.56.3    3000    -       -       Notice::ACTION_LOG      (empty) 3600.000000     -       -       -              -       -
1667393702.130181       CycBH72ljVsUydqGn5      192.168.56.2    46594   192.168.56.3    3000    -       -       -       tcp     CVE20223602::CVE_2022_3602_Exploit_Attempt      Potential OpenSSL CVE_2022_3602 exploit attempt (punycode)     ext$value = 'Permitted:\x0a  email:xn--srt@fx-it-u1g.com\x0a'   192.168.56.2    192.168.56.3    3000    -       -       Notice::ACTION_LOG             (empty) 3600.000000     -       -       -       -       -
#close  2022-11-04-11-13-50
```
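To make the two checks concrete, here is an added Python rendition of the same logic (this is not the package's Zeek scripts): a version-range test on the HTTP Server banner and a punycode test on the e-mail entries of a name-constraints extension, run over constructed inputs modelled on the `sub` values in the notice log above.

```python
import re
from typing import List, Optional, Tuple

# Affected range from the OpenSSL advisory referenced above: 3.0.0 through 3.0.6 inclusive.
VULN_MIN = (3, 0, 0)
VULN_MAX = (3, 0, 6)

_OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)")
# A punycode (ACE, "xn--") label in an e-mail entry of the name-constraints extension,
# which is what the package flags in the "Permitted:\n  email:xn--..." values above.
_PUNYCODE_EMAIL_RE = re.compile(r"email:\s*(xn--[^\s@]+)", re.IGNORECASE)


def openssl_version(server_header: str) -> Optional[Tuple[int, ...]]:
    """Return the OpenSSL version advertised in an HTTP Server header, or None."""
    m = _OPENSSL_RE.search(server_header)
    return tuple(int(x) for x in m.groups()) if m else None


def vulnerable_server(server_header: str) -> bool:
    """Equivalent of the Vulnerable_Server notice: version within [3.0.0, 3.0.6]."""
    v = openssl_version(server_header)
    return v is not None and VULN_MIN <= v <= VULN_MAX


def punycode_email_constraints(ext_value: str) -> List[str]:
    """Return every punycode label found in e-mail name-constraint entries."""
    return _PUNYCODE_EMAIL_RE.findall(ext_value)


def exploit_attempt(ext_value: str) -> bool:
    """Equivalent of the Exploit_Attempt notice: any punycode e-mail constraint."""
    return bool(punycode_email_constraints(ext_value))


if __name__ == "__main__":
    # Constructed inputs modelled on the `sub` field values in the notice log above.
    for header in ("Apache/2.4.54 (Fedora Linux) OpenSSL/3.0.5",
                   "Apache/2.4.54 (Fedora Linux) OpenSSL/3.0.7",
                   "nginx/1.22.1"):
        print(f"{header!r}: vulnerable={vulnerable_server(header)}")
    for ext in ("Permitted:\n  email:xn--srt@fx-it-u1g.com\n",
                "Permitted:\n  email:alice@example.com\n"):
        print(f"{ext!r}: exploit_attempt={exploit_attempt(ext)}")
```

A Server banner is only a hint: distributions often patch in place without changing the version string, and many servers suppress it, so treat the vulnerable-server notice as a triage lead rather than proof; the name-constraints check is the stronger signal.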


This package can be installed with `zkg` using the following commands:
```
$ zkg refresh
$ zkg install cve-2022-3602
```

Corelight customers can install it by updating the CVE bundle.
File snapshot

```
[4.0K] /data/pocs/b294ef661818393556b0dd2927a07b8750dfb018
├── [1.5K] LICENSE
├── [4.4K] README.md
├── [4.0K] scripts
│   ├── [ 644] detect_exploit.zeek
│   ├── [ 668] detect_vulnerable_server.zeek
│   └── [ 56] __load__.zeek
├── [4.0K] testing
│   ├── [4.0K] Baseline
│   │   └── [4.0K] tests.test
│   │       ├── [1.7K] notice_cut_exploit.log
│   │       └── [ 337] notice_cut_vulnerable.log
│   ├── [ 559] btest.cfg
│   ├── [4.0K] Files
│   │   └── [ 192] random.seed
│   ├── [4.0K] Scripts
│   │   ├── [ 383] diff-remove-timestamps
│   │   └── [1.1K] get-zeek-env
│   ├── [4.0K] tests
│   │   └── [ 663] test.zeek
│   └── [4.0K] Traces
│       ├── [1.2K] sample_OpenSSLv3.0.5.pcap
│       └── [ 20K] spookyssl-merged.pcap
└── [ 199] zkg.meta

8 directories, 15 files
```
Shenlong bot has cached this for you.
Notes
    1. It is recommended to access the POC through the source first.
    2. If the source has gone offline or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.