added template to check for spookyssl cve

Signed-off-by: Spencer Heywood <l.spencer.heywood@protonmail.com>
2022-11-22 12:54:02 -07:00 · 2022-11-22 12:54:02 -07:00 · 8417622633
parent 8ad3bd381f
commit 8417622633
2 changed files with 39 additions and 0 deletions
--- a/contributors.json
+++ b/contributors.json
@ -1368,5 +1368,16 @@
            "website": "",
            "email": ""
        }
+    },
+    {
+        "author": "heywoodlh",
+        "links": {
+            "github": "https://www.github.com/heywoodlh",
+            "twitter": "",
+            "linkedin": "",
+            "website": "https://the-empire.systems",
+            "email": ""
+        }
    }
+
 ]
--- a/cves/2022/CVE-2022-3602.yaml
+++ b/cves/2022/CVE-2022-3602.yaml
@ -0,0 +1,28 @@
+id: spookyssl-detect
+
+info:
+  name: SpookySSL CVE-2022-3602/CVE-2022-3786  
+  author: heywoodlh
+  severity: high
+  description: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking in OpenSSL versions 3.0.0-3.0.6. This check searches for web servers with headers indicating OpenSSL versions 3.0.0-3.0.6.
+  metadata:
+    shodan-query: vuln:CVE-2022-3602
+  tags: openssl,spookyssl,cve-2022-3602,cve-2022-3786
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+
+      - type: word
+        part: server
+        words:
+          - "OpenSSL"
+
+    extractors:
+      - type: regex
+        part: header
+        regex:
+          - 'OpenSSL\/(3.0.[0-6].*)'