These services may be vulnerable:
Any service that runs OpenSSL and uses the STARTTLS method
The TOR client
SMTPS
IMAPS
Android OS
Postgres database
The Salt Stack cluster execution manager
Here's the original vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Here's the OpenSSL patch to the vulnerable portion of code:
https://github.com/openssl/openssl/commit/731f431497f463f3a2a97236fe0187b11c44aead
Here's a Google search for all mentions of heartbeat (but not heartbleed) under github.com/openssl:
https://www.google.com/search?q=site%3Agithub.com%2Fopenssl+heartbeat&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
This is a search of github.com for heartbleed:
https://www.google.com/search?safe=off&q=site%3Agithub.com+heartbleed&oq=site%3Agithub.com+heartbleed
Here is a quick tool in Python to test for the vulnerability:
http://www.exploit-db.com/exploits/32745/
There's a great writeup at heartbleed.com which goes into detail about the issue. To quote their website:
We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
There is a metasploit script available for use:
https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/scanner/ssl
You can type this OpenSSL command (tested with the gnuwin32 openssl binary, version 1.0.1.6, dated 1/14/2014). By the way, this version does not have the -tlsextdebug parameter; perhaps the gnuwin32 team compiled it without that option.
s_client -connect a23-75-248-141.deploy.static.akamaitechnologies.com:443 -debug -state
Once connected, type B. On a vulnerable host you'll see a heartbeat response like the one below, and you won't be disconnected:
B
HEARTBEATING
write to 0x801c17160 [0x801cbc003] (66 bytes => 66 (0x42))
0000 - 18 03 03 00 3d 8f 6f 3c-52 11 83 20 9c a2 c0 49   ....=.o
[remainder of this write dump and the start of the next read line are missing from the page]
... 5 (0x5))
0000 - 18 03 03 00 3d                                    ....=
read from 0x801c17160 [0x801cb7008] (61 bytes => 61 (0x3D))
0000 - 05 4d f5 c0 db 96 d1 f5-c7 07 e5 17 1f 3b 48 34   .M...........;H4
0010 - 6e 11 9d ba 10 0c 3a 34-eb 7b a5 7c c4 b6 c0 c0   n.....:4.{.|....
0020 - b0 75 0e fe b7 fa 9e 04-e9 4e 4a 7d 51 d3 11 1f   .u.......NJ}Q...
0030 - e2 23 16 77 cb a6 e1 8e-77 84 2b f8 7f            .#.w....w.+..
read R BLOCK
You will get a heartbeat response that looks similar to this one.
On a patched host, you will see a response similar to the one below, and you'll be disconnected:
Enter B
HEARTBEATING
write to 0x801818160 [0x8019d5803] (101 bytes => 101 (0x65))
0000 - 18 03 03 00 60 9c a3 1e-fc 3b 3f 1f 0e 3a fe 4c   ....`....;?..:.L
0010 - a9 33 08 cc 3d 43 54 75-44 7d 2c 7b f3 47 b9 56   .3..=CTuD},{.G.V
0020 - 89 37 c1 43 1c 80 7b 87-66 ff cb 55 5f 8d 1a 95   .7.C..{.f..U_...
0030 - 1b 4c 65 14 21 a1 95 ac-7a 70 79 fc cc a0 cf 51   .Le.!...zpy....Q
0040 - 0f 7e c5 56 14 c8 37 c1-40 0b b8 cb 43 96 8a e6   .~.V..7.@...C...
0050 - 21 42 64 58 62 15 fb 51-82 e6 7f ef 21 1b 6f 87   !BdXb..Q....!.o.
0060 - b9 c2 04 c8 47                                    ....G
Here's my source for the OpenSSL s_client command above:
https://blog.ipredator.se/2014/04/how-to-test-if-your-openssl-heartbleeds.html
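To make the s_client dumps above easier to read, here is an added Python example (my own, not code from this post, from the ipredator blog, or from OpenSSL). It decodes the 5-byte TLS record header that s_client -debug prints at the start of each record (18 03 03 00 3d is content type 24 = heartbeat, TLS 1.2, 61-byte body) and, for a plaintext heartbeat message, applies the two length checks that the linked OpenSSL commit adds: the declared payload_length must fit inside the record together with the 16-byte minimum padding. It assumes the RFC 6520 HeartbeatMessage layout and the RFC 5246 record header; the sample messages are constructed for the example. Note that the record bodies in the dumps above are encrypted (the heartbeat is sent after the handshake), so only the header bytes are decodable from the page's output.

```python
"""Added example: decode TLS record headers from s_client -debug output and
validate plaintext heartbeat messages with the bounds checks from the fix.
Assumes RFC 6520 (HeartbeatMessage) and RFC 5246 (record header) layouts."""
import re
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HB_TYPES = {1: "heartbeat_request", 2: "heartbeat_response"}
MIN_PADDING = 16  # RFC 6520: a heartbeat carries at least 16 bytes of padding


def hexdump_to_bytes(line):
    """Turn the hex column of an s_client -debug line into bytes.

    Accepts an optional '0000 - ' offset prefix and ignores the ASCII column;
    only the first 16 two-hex-digit tokens are taken (one dump row).
    """
    if " - " in line:
        line = line.split(" - ", 1)[1]
    tokens = re.findall(r"\b[0-9a-fA-F]{2}\b", line.replace("-", " "))
    return bytes.fromhex("".join(tokens[:16]))


def parse_record_header(raw):
    """Decode the 5-byte TLS record header: content type, version, body length."""
    if len(raw) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", raw[:5])
    return {"content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
            "length": length}


def parse_heartbeat(body):
    """Parse a plaintext HeartbeatMessage, enforcing the two checks from the fix.

    Returns (type_name, payload); raises ValueError when the declared
    payload_length does not fit inside the record (the Heartbleed defect).
    """
    # Check 1 (from the patch): room for type + length + minimum padding.
    if 1 + 2 + MIN_PADDING > len(body):
        raise ValueError("record too short for a heartbeat message")
    hb_type = body[0]
    payload_len = struct.unpack("!H", body[1:3])[0]
    # Check 2 (from the patch): declared payload plus padding must fit.
    if 1 + 2 + payload_len + MIN_PADDING > len(body):
        raise ValueError("payload_length %d exceeds record body of %d bytes"
                         % (payload_len, len(body)))
    return HB_TYPES.get(hb_type, "unknown(%d)" % hb_type), body[3:3 + payload_len]


def is_well_formed(body):
    """True when parse_heartbeat accepts the message, False when it rejects it."""
    try:
        parse_heartbeat(body)
        return True
    except ValueError:
        return False


def build_heartbeat(hb_type, payload):
    """Build a conformant plaintext HeartbeatMessage (constructed sample data)."""
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + b"\x00" * MIN_PADDING


if __name__ == "__main__":
    # The header bytes from the two dumps on this page.
    for hdr in ("0000 - 18 03 03 00 3d   ....=", "18 03 03 00 60"):
        print(hdr, "->", parse_record_header(hexdump_to_bytes(hdr)))
    print("conformant request accepted:", is_well_formed(build_heartbeat(1, b"ping")))
    # Constructed malformed message: declares 0x4000 payload bytes but carries 4.
    print("oversized length rejected:", not is_well_formed(b"\x01\x40\x00ping" + b"\x00" * 16))
```

The two `if` statements in `parse_heartbeat` mirror the checks the OpenSSL commit adds before the handler copies the payload into its reply; a parser that skips the second check trusts the peer's length field and reads past the record, which is the whole bug.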
There's also these tools:
https://github.com/titanous/heartbleeder
Web based:
http://filippo.io/Heartbleed/
Test results of the Alexa top 1000 websites:
https://github.com/musalbas/heartbleed-masstest
Perhaps NSA introduced this bug into OpenSSL to be able to crack users of The Onion Router?
/Conspiracy Theory Mode
Update: Here's another tool which is supposedly more accurate:
http://possible.lv/tools/hb/
Update (10:37pm est 2014/04/09)
Packetstorm's files related to the vulnerability:
http://packetstormsecurity.com/files/cve/CVE-2014-0160