Thursday, Apr 10 2014

HeartBreak - Examples of Heartbleed being exploited

Background

Researchers recently discovered a serious flaw in the implementation of OpenSSL. The flaw, which discloses memory contents including session data, has led to some panic within the industry, and rightly so. OpenSSL bug CVE-2014-0160, better known as Heartbleed, abuses the TLS "heartbeat" extension: a small packet, the heartbeat request, asks the peer for a response to confirm that the endpoint is still alive. If a malformed heartbeat request is sent to a vulnerable service, it responds with a chunk of 64KB of server memory. Further information can be found here.


Examples

In a recent penetration test, Richard Brown from HackLabs used this attack vector and found explicit examples of why this vulnerability is so serious. Firstly, because a single request returns at most 64KB, a bash wrapper was written that ran the request in a large loop and formatted the collected data to strip the hexadecimal from the output.

From this point all sorts of combinations of regex, grep and strings were tried; however, a simpler approach proved to be a good hex editor, specifically WinHex's Gather Text function. This reduced the file size and contents dramatically, leaving output that was easily analyzed.

Only snippets are displayed here, but they are an example of the type of information leaked. The following image shows user credential hashes revealed from a vulnerable server:

[Image: user credential hashes revealed from a vulnerable server]

Other details such as session IDs and URLs visited were also obtained, as shown in the following unformatted dataset:

[Image: unformatted dataset showing session IDs and visited URLs]

Obtaining information as illustrated in the above examples poses one of the most serious threats to the public Internet in recent history. Usernames, passwords, credit card data or any other sensitive information transmitted over an OpenSSL-backed TLS connection can be disclosed with readily available tools and, since the disclosure of the bug at 0300 GMT on the 8th of April, can reasonably be assumed to have been compromised.


Tuesday, Apr 08 2014

Testing for the TLS Heartbleed Vulnerability

HackLabs have performed some quick testing of the ASX Top 200 sites for sites that could potentially be exposed to the Heartbleed TLS vulnerability; we noted that about 10% of sites were vulnerable at the time of writing.

Some sites that were tested and found vulnerable earlier in the day appear to have been patched, which is great work by some busy sysadmins today.


WHY:

Some may dismiss this with "who would bother?" But with the various exploit code that we have reviewed and tested on our systems (which we have had exploitation permission for), we have been able to dump from the affected servers plain-text usernames and passwords, session cookies of banking customers and other information that would at the least allow compromise of user accounts etc. from the affected web applications running on the tested servers.


HOW:

To test whether the SSL service is vulnerable, a number of methods are available.

You can connect with the openssl s_client with TLS extension debugging enabled and check whether the service reports the TLS server extension "heartbeat".

e.g. openssl s_client -connect server.com:443 -tlsextdebug | grep "server extension"

or

echo -e "quit\n" | openssl s_client -connect server.com:443 -tlsextdebug 2>&1 | grep heartbeat
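The same passive check, as an added example that is not HackLabs' own wrapper: a POSIX shell script that runs the -tlsextdebug command over a list of hosts and parses the output for the advertised "heartbeat" server extension. It assumes openssl and coreutils' timeout are on PATH; the embedded sample output is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not HackLabs' own wrapper: run the -tlsextdebug check from
# the post over a list of hosts and parse the output for the "heartbeat"
# server extension. Assumes openssl and coreutils' timeout are on PATH.

# Read s_client -tlsextdebug output on stdin; print each advertised server
# extension name on its own line (e.g. "renegotiation info", "heartbeat").
server_extensions() {
    sed -n 's/^TLS server extension "\([^"]*\)" (id=[0-9]*), len=[0-9]*.*/\1/p'
}

# Exit 0 if the s_client output given as $1 advertises the heartbeat extension.
advertises_heartbeat() {
    printf '%s\n' "$1" | server_extensions | grep -qx 'heartbeat'
}

# Connect to host:port (default 443) with a 5 s limit; 'Q' makes s_client
# quit after the handshake instead of waiting on stdin.
probe_host() {
    host=$1; port=${2:-443}
    printf 'Q\n' | timeout 5 openssl s_client -connect "$host:$port" -tlsextdebug 2>&1
}

# Report on every host in a file (one per line, '#' lines ignored). An
# advertised extension is only a precondition; it still needs the active test.
report_hosts() {
    grep -v '^#' "$1" | while read -r host; do
        [ -n "$host" ] || continue
        if advertises_heartbeat "$(probe_host "$host")"; then
            echo "$host: advertises heartbeat extension (run the active test)"
        else
            echo "$host: heartbeat extension not advertised"
        fi
    done
}

# Constructed sample of s_client -tlsextdebug output (not a real capture),
# so the parser can be exercised without network access.
SAMPLE_OUTPUT='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
depth=0 CN = example.test'

# Usage: ./heartbeat_ext_check.sh hosts.txt
if [ -n "${1:-}" ]; then
    report_hosts "$1"
fi
```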


As of April 2014, www.google.com reported this server extension:

Refer: http://check.ssltool.com/www.google.com

[Date] => Tue, 08 Apr 2014 06:18:34 GMT
TLS server extension "heartbeat" (id=15), len=1

However, the reporting of this TLS extension (or lack of it) does not mean the service is necessarily vulnerable. An online tester which actually exercises the bug is available here:

http://filippo.io/Heartbleed/ 

and a site can be submitted directly as follows:

http://heartbleed.filippo.io/bleed/www.google.com

A response code of 0 means vulnerable; the response also returns a leaked plaintext snippet containing the injected "YELLOW SUBMARINE" string.

The Go source code to this tester is available here:
https://github.com/FiloSottile/Heartbleed

High profile sites that were reported today as vulnerable (which have now been fixed, apparently) include:
github.com
mail.yahoo.com
Amazon ELB