Wednesday, April 9, 2014

Exploiting Heartbleed vulnerability

Seems the whole InfoSec world is talking about the Heartbleed (CVE2014-0160) vulnerability in OpenSSL the last 24 hours.  Being an empirical person I wanted to try it out for myself.  There is a patch available, but they take a long time to get deployed to many web servers.

The vulnerability is know to affect the main versions of OpenSSL and will also affect many appliances that use OpenSSL for securing web pages.  One important note is that other packages that depend on OpenSSL for keygen (e.g. OpenSSH) are not vulnerable by association as they do not use the TLS transportation protocol.  Also note that Windows is not affected by this vulnerability.

So I used a vulnerable AWS Linux AMI system with OpenSSL 1.0.1e installed.  OpenSSL is vulnerable up to and including this version.  I put up a dummy payment page in AWS using a previous demonstration and send some private information to the page such as you would with a payment in the Internet. It should be noted that AWS has requested users to patch their system and the patches are available for all AWS systems I have running.

I then ran the Python script from Jared Stafford found here. I've not been able to retrieve the session keys yet, but apparently others have. I did manage to get some user data out of my test site though which included all the variables from the "Customer Details" page above.

I ran the script against the IP address and retrieved differing results on different occasions. Currently I have the script running in a loop looking to see if it's just a brute force effort that's required to get the session key out. Have to wait and see for that.

Here's a sample of the output that shows the user data that was input into the web form. We can also see the URL as well as the browser user agent. More interestingly you can see the sensitive data that was sent in the "secure SSL browser session" in plain text (bottom right) without any interception, decoding, decrypting or authentication.

If anyone has some pointers on how to get the session key (which enables decryption of the session) please drop a note in the comments section. Would love to hear from you and get that working in the demo.


Post a Comment