Tuesday 15 April 2014

Heartbleed - Hype or Holy S#it?!

There are many articles describing the Heartbleed vulnerability (CVE-2014-0160), best summed up by this XKCD comic: http://xkcd.com/1354/

In short: if the target server is vulnerable, it will return chunks of information stored in its memory that it shouldn't. From a security standpoint, this is really bad.
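The leak comes from a length field in the TLS heartbeat message being trusted without comparing it to the amount of data actually received. The C code below is an added example, not OpenSSL's code and not from this post: it handles a heartbeat message (layout per RFC 6520) with that bounds check in place. The names hb_build_response and hb_demo and the sample message are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PAD  16  /* RFC 6520: at least 16 bytes of padding */

/* Hypothetical helper. Builds the echo response for one received heartbeat
 * message; returns bytes written, or 0 when the message must be discarded. */
size_t hb_build_response(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap)
{
    if (msg == NULL || out == NULL || msg_len < HB_HDR_LEN + HB_MIN_PAD)
        return 0;                       /* too short to be well-formed */
    if (msg[0] != HB_REQUEST)
        return 0;
    /* payload_length comes from the peer and is untrusted. */
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    /* The check that was missing: the claimed payload, plus header and
     * padding, must fit inside the bytes that actually arrived. */
    if (claimed > msg_len - HB_HDR_LEN - HB_MIN_PAD)
        return 0;
    size_t resp_len = HB_HDR_LEN + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HDR_LEN, msg + HB_HDR_LEN, claimed);
    memset(out + HB_HDR_LEN + claimed, 0, HB_MIN_PAD); /* zeros stand in for random padding */
    return resp_len;
}

/* Constructed sample: a request carrying the 2-byte payload "hi" whose
 * payload_length field is set to the caller-supplied value. */
size_t hb_demo(uint16_t claimed)
{
    uint8_t msg[HB_HDR_LEN + 2 + HB_MIN_PAD] = { HB_REQUEST,
        (uint8_t)(claimed >> 8), (uint8_t)claimed, 'h', 'i' };
    uint8_t out[64];
    return hb_build_response(msg, sizeof msg, out, sizeof out);
}

int main(void)
{
    printf("honest: %zu, over-claim: %zu\n", hb_demo(2), hb_demo(0x4000));
    return 0;
}
```

A message whose length field matches what was sent gets echoed back; one that claims more than it carried is dropped instead of being answered from adjacent memory.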

Heartbleed has received a lot of media attention over the last week, a lot more than what the standard run-of-the-mill newfound exploit gets. But is it worth the hype? The majority of articles on the topic covered the theory and the resolution. So what about in practice? How easy would it be to successfully locate and exploit a server to obtain sensitive information?

In about 30 minutes I had myself an answer. Turns out it wasn't that hard at all.....


- Locate a target server, Google "Secure login", or "staff login", or similar. They're usually protected with SSL (HTTPS).

- Confirm the site is vulnerable to Heartbleed via any number of online testing sites.

- Download and compile publicly available exploit code on your platform of choice. (Kali Linux is a good choice)

- Run the exploit against the server, then 'strings' the output, searching for anything interesting.....

# strings out | grep password
browserName=Explorer&browserVersion=8&operatingSystem=Windows&userName=██████&password=██████&x=36&y=7@

user_id=███████&password=██████&browser=Microsoft+Internet+Explorer&browserName=Explorer&browserVersion=8&operatingSystem=WindowsR4




Done. Valid user names and passwords straight from a "secure target server" itself.

Note: This is probably the least technical example of how Heartbleed can be exploited in the real world. This is just the tip of the iceberg. You can bet the professional cyber-crims are all over this like nothing else, and with an arsenal of tools at their disposal.

In theory AND in practice, Heartbleed is very, very serious. If a website you're responsible for is running a vulnerable version of OpenSSL you DO need to act. If you're a user, you'll need to ensure your host isn't vulnerable, then change your password(s)!

https://shanemiller.net/

