|04-14-2014 01:26 AM|
The Heartbleed issue is actually worse than it might immediately seem (and it seems pretty bad already).
In case you've been out of the loop, Heartbleed (CVE-2014-0160) is a vulnerability in OpenSSL that allows any remote user to dump some of the contents of the server's memory. And yes, that's really bad. The major concern is that a skilled user could craft an exploit that could dump the RSA private key that the server is using to communicate with its clients. The level of knowledge / skill required to craft this attack isn't particularly high, but likely out of reach for the average script kiddie user.
So why is Heartbleed worse than you think? It's simple: the currently-available proof-of-concept scripts allow any client, anywhere in the world, to perform a session hijacking attack on a logged-in user.
As of this morning, the most widely-shared proof-of-concept is this simple Python script: https://gist.github.com/takeshixx/10107280. With this script, anyone in the world can dump a bit of RAM from a vulnerable server.
Let's have a look at the output of this utility against a vulnerable server running the JIRA ticket tracking system. The hex output has been removed to improve readability.
[matt@laptop ~]# python heartbleed.py jira.XXXXXXXXXXX.com
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 66
... received message: type = 22, ver = 0302, length = 3239
... received message: type = 22, ver = 0302, length = 331
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
(lots of garbage)
WARNING: server returned more data than it should - server is vulnerable!
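As an added illustration (not part of this thread or of the linked script), the following Python shows the two checks that matter in the output above: the bounds check a patched peer applies before echoing a heartbeat record, and the response-length comparison behind the scanner's "more data than it should" warning. The function names and the sample records are constructed for this example.

```python
import struct

TLS_HEARTBEAT = 24             # TLS ContentType of heartbeat records (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16               # RFC 6520 requires at least 16 bytes of padding

def parse_record(record: bytes):
    """Split a TLS record into (content_type, version, body); None if truncated."""
    if len(record) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    return (ctype, version, body) if len(body) == length else None

def parse_heartbeat(record: bytes):
    """Validate a heartbeat record the way a patched peer does; None means
    'silently discard'. The decisive test is the bounds check the Heartbleed
    fix added: the payload_length the peer claims must fit inside the bytes
    actually received, otherwise the echo copies memory past the record."""
    parsed = parse_record(record)
    if parsed is None or parsed[0] != TLS_HEARTBEAT:
        return None
    body = parsed[2]
    if len(body) < 1 + 2 + MIN_PADDING:                 # cannot hold header + padding
        return None
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if 1 + 2 + payload_len + MIN_PADDING > len(body):   # the check that was missing
        return None
    return hb_type, body[3:3 + payload_len]

def response_exceeds_request(request: bytes, response: bytes) -> bool:
    """The indicator behind 'server returned more data than it should': a
    correct server echoes only payload bytes it actually received, so a
    heartbeat response longer than the request it answers is leaked memory."""
    req, resp = parse_record(request), parse_record(response)
    if req is None or resp is None or resp[0] != TLS_HEARTBEAT:
        return False
    return len(resp[2]) > len(req[2])

# Constructed sample records, not captured traffic.
# Well-formed request/response: 5-byte payload "hello" followed by 16 padding bytes.
GOOD_REQUEST = b"\x18\x03\x02\x00\x18" + b"\x01\x00\x05hello" + b"\x00" * 16
GOOD_RESPONSE = b"\x18\x03\x02\x00\x18" + b"\x02\x00\x05hello" + b"\x00" * 16
# Malformed request: header claims a 16384-byte payload, but only 16 padding bytes follow.
BAD_REQUEST = b"\x18\x03\x02\x00\x13" + b"\x01\x40\x00" + b"\x00" * 16
# A vulnerable server's answer to it (length 16384, as in the output above); leaked bytes are a stand-in.
LEAKED_RESPONSE = b"\x18\x03\x02\x40\x00" + b"\x02\x40\x00" + b"A" * (16384 - 3)
```

A patched peer drops `BAD_REQUEST` without answering, so a response that outgrows its request is by itself evidence that the peer is unpatched.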
|04-14-2014 11:27 PM|
|the gist.github link doesn't work however.|
|04-19-2014 03:14 PM|
|The script is uploaded by override! in the code section, under the name heartbleed.py|
|04-20-2014 04:29 PM|
|Could you elaborate on how to session hijack with heartbleed?|
|04-20-2014 04:29 PM|
|Not server hijacking. I meant using heartbleed and the information you get from it to perform a session hijack to a user somewhere in the world.|