Tuesday, Apr 08 2014

Testing for the TLS Heartbleed Vulnerability

HackLabs have performed some quick testing of the ASX Top 200 sites for sites that could potentially be exposed to the Heartbleed TLS vulnerability. We noted that about 10% of sites are vulnerable at the time of writing.

Some sites that were tested and found vulnerable earlier in the day appear to have been patched, which is great work by some busy sysadmins today.

 

WHY;

Some may dismiss this with "who would bother?" But with the various exploit code that we have reviewed and tested on our systems (which we have had exploitation permission for), we have been able to dump from the affected servers plain-text usernames and passwords, session cookies of banking customers and other information that would at the least allow compromise of user accounts etc. from the affected web applications running on the tested servers.

 

HOW;

To test whether the SSL service is vulnerable, a number of methods are available.

You can connect with the openssl client with TLS debugging enabled and check whether the service reports the TLS server extension "heartbeat":

e.g. openssl s_client -connect server.com:443 -tlsextdebug | grep "server extension"

or
echo -e "quit\n" | openssl s_client -connect server.com:443 -tlsextdebug 2>&1 | grep heartbeat


As of April 2014, www.google.com reported this server extension:

Refer: http://check.ssltool.com/www.google.com

[Date] => Tue, 08 Apr 2014 06:18:34 GMT
TLS server extension "heartbeat" (id=15), len=1
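
The extension check above, as an added example that is not part of the original post: a small shell script that classifies `openssl s_client -tlsextdebug` output so that a failed connection is not mistaken for "heartbeat absent". The function names, verdict strings and sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): triage `openssl s_client
# -tlsextdebug` output for the heartbeat extension across your own hosts.
#
# Verdicts:
#   heartbeat-advertised  extension id=15 was returned; this is not proof
#                         of vulnerability, so follow up with a real test
#   heartbeat-absent      handshake completed, extension not returned
#   no-handshake          connect/TLS failure; NOT the same as "absent"
#
# Assumption: the local openssl client offers heartbeat in its ClientHello.
# A server only echoes extensions the client offered, and OpenSSL 1.1.0 and
# later removed TLS heartbeat support, so such a client always sees "absent".

classify_tlsext() {            # reads s_client output on stdin
  out=$(cat)
  case $out in
    *'TLS server extension "heartbeat" (id=15)'*) echo heartbeat-advertised ;;
    *'Cipher is (NONE)'*)                         echo no-handshake ;;
    *'Cipher is '*)                               echo heartbeat-absent ;;
    *)                                            echo no-handshake ;;
  esac
}

check_host() {                 # usage: check_host HOST [PORT]
  host=$1; port=${2:-443}
  verdict=$(echo quit | timeout 10 openssl s_client -connect "$host:$port" \
              -servername "$host" -tlsextdebug 2>&1 | classify_tlsext)
  printf '%s:%s\t%s\n' "$host" "$port" "$verdict"
}

# Constructed s_client excerpts for an offline run (not real captures).
SAMPLE_ADVERTISED='TLS server extension "heartbeat" (id=15), len=1
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_ABSENT='TLS server extension "renegotiation info" (id=65281), len=1
New, TLSv1/SSLv3, Cipher is AES256-SHA'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'
SAMPLE_ALERT='New, (NONE), Cipher is (NONE)'

if [ "$#" -gt 0 ]; then
  for h in "$@"; do check_host "$h"; done   # hosts from your own inventory
else
  for s in "$SAMPLE_ADVERTISED" "$SAMPLE_ABSENT" "$SAMPLE_REFUSED" "$SAMPLE_ALERT"; do
    printf '%s\n' "$s" | classify_tlsext
  done
fi
```

Run with no arguments it classifies the four constructed samples; run with hostnames it connects to each on port 443.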

However, the reporting of this TLS extension (or lack of it) does not mean the service is necessarily vulnerable. An online tester which actually exercises the vulnerability is available here:

http://filippo.io/Heartbleed/ 

and a site can be submitted directly as follows:

http://heartbleed.filippo.io/bleed/www.google.com

A response code of 0 means the site is vulnerable, and the response returns a leaked plaintext snippet demonstrating the injected "YELLOW SUBMARINE" string.

The Go source code to this tester is available here:
https://github.com/FiloSottile/Heartbleed

High-profile sites that were reported today as vulnerable (which have now been fixed, apparently) include:
github.com
mail.yahoo.com
Amazon ELB

 



Reader Comments (2)

In the data in memory you have seen returned, have you yet seen anything identifiable as key material?

April 9, 2014 | Unregistered Commenter Sean richmond

Hi Sean, sorry for the delay. Not at the time, but now we have seen examples of others finding key material.

April 28, 2014 | Registered Commenter HackLabs
