CVE-2022-21449-TLS-PoC

Proof of concept for CVE-2022-21449 (dubbed "Psychic Signatures" in the vulnerability writeup by Neil Madden), demonstrating the flaw with a vulnerable client and a malicious TLS server.

The malicious server presents a valid (as of 2022-04-20) cert chain for www.google.com with an ECDSA (secp256r1) public key. However, Go's crypto/ecdsa package has been modified so that the signature the server presents during the handshake is the invalid value r = s = 0. The vulnerable client accepts this invalid signature, allowing the rest of the TLS handshake to continue.
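The check the vulnerable client is missing, as an added example that is not part of this PoC or of Go's crypto/ecdsa: a from-scratch ECDSA on P-256 in Python with two verifiers side by side. verify_unchecked models the failure mode (these are modelling assumptions, not code from the page: no range check on r and s, an inverse computed by Fermat exponentiation so that 0 maps to 0, and the point at infinity read as x = 0) and accepts (0, 0) for any key and message; verify applies the range check 1 <= r, s < n and rejects it. All function names, the key and the message are constructed for this example.

```python
"""ECDSA over P-256 with and without the (r, s) range check (added example).

Constructed to show why a verifier must reject r = s = 0; it is not the PoC's
code. verify_unchecked models the assumed failure mode: no range check on
(r, s), a Fermat-style inverse that maps 0 to 0, and infinity read as x = 0.
"""
import hashlib
import secrets

# NIST P-256 (secp256r1) domain parameters
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
a = p - 3
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def point_add(P, Q):
    """Affine point addition on y^2 = x^3 + ax + b over GF(p)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:  # P == -Q
            return INF
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k, P):
    """Double-and-add; k == 0 yields the point at infinity."""
    R = INF
    while k:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R


def on_curve(P):
    x, y = P
    return (y * y - (x * x * x + a * x + b)) % p == 0


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def keygen():
    d = secrets.randbelow(n - 1) + 1
    return d, scalar_mult(d, G)


def sign(d, msg):
    e = hash_to_int(msg)
    while True:
        k = secrets.randbelow(n - 1) + 1  # fresh random nonce per signature
        r = scalar_mult(k, G)[0] % n
        s = pow(k, -1, n) * (e + r * d) % n
        if r and s:
            return (r, s)


def verify_unchecked(Q, msg, sig):
    """Verifier with the modelled flaw: accepts (0, 0) for any key and message."""
    r, s = sig
    e = hash_to_int(msg)
    w = pow(s, n - 2, n)  # Fermat inverse: 0 -> 0 instead of an error
    u1, u2 = e * w % n, r * w % n
    R = point_add(scalar_mult(u1, G), scalar_mult(u2, Q))
    x = 0 if R is INF else R[0]  # infinity silently read as x = 0
    return x % n == r  # with r = s = 0 this is 0 == 0


def verify(Q, msg, sig):
    """Hardened verifier: range-check r and s, check Q, reject infinity."""
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):
        return False
    if not on_curve(Q):
        return False
    e = hash_to_int(msg)
    w = pow(s, -1, n)
    u1, u2 = e * w % n, r * w % n
    R = point_add(scalar_mult(u1, G), scalar_mult(u2, Q))
    if R is INF:
        return False
    return R[0] % n == r


if __name__ == "__main__":
    d, Q = keygen()
    msg = b"constructed handshake transcript"  # constructed sample input
    sig = sign(d, msg)
    print("genuine signature, hardened verify:", verify(Q, msg, sig))
    print("r = s = 0, unchecked verify:", verify_unchecked(Q, msg, (0, 0)))
    print("r = s = 0, hardened verify:", verify(Q, msg, (0, 0)))
```

Needs Python 3.8+ for pow(x, -1, m). The affine, variable-time arithmetic is written for legibility, not for use in a real verifier; the point is the order of the checks: the range test on r and s must run before any inverse is computed, and a result of infinity must be a failure rather than a point whose x-coordinate happens to be 0.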

Aside from the *_test.go files removed during building and exploration, every change to the Go standard library made for this PoC is annotated with a comment. Search/grep for CVE-2022-21449 in the go/src directory to find them.

Building

Requires an existing Go installation and Maven; then run ./build.sh.

Tested on Ubuntu 20.04.4 LTS (WSL2) with OpenJDK 16.0.1 (build 16.0.1+9-Ubuntu-120.04, 2021-04-20).

Demo

CVE-2022-21449.mp4
