The OpenSSL Heartbeart bug: Two-thirds of Internet Users at Risk

What is the Heartbleed Bug?

The Heartbleed bug is a vulnerability in the OpenSSL cryptographic library that allows stealing of information normally protected by the SSL/TLS encryption used to secure the Internet. OpenSSL is open-source software that is widely used to encrypt web communications. SSL/TLS is what normally provides secure and private communication over the Internet via websites, email, IM, and VPNs. According to CNET, an attacker can exploit Heartbleed to essentially “get copies of a server's digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”
The versions of OpenSSL that are affected, version 1.0.1 and 1.02-beta release have been widely deployed for some time. The bug has been described as a program error, and a fix has been published for the 1.01 program in OpenSSL 1.01g. The bug was found in the heartbeat extension (RFC6520) of the Transport Layer Security/Datagram Transport Layer Security (TLS/DTLS) within the implementation on the affected OpenSSL versions. It is a straight, pure bug that unfortunately strikes at the ‘heart’ of web security, affecting that hearbeat extension, thus earning its name. According to security reports, research has produced some significant leaks.

In testing, attacks were able to be executed without leaving a trace. The tests were also able to steal X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication – all without any privileged information or any credentials.

Rapid7, makers of metasploit has updated metasploit with the exploit code. https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb


Testing

There are some very untested go and python open source scripts out there which you can use for a quick and dirty test for Heartbleed bug against the server you are auditing - https://github.com/titanous/heartbleeder/ and http://s3.jspenguin.org/ssltest.py respectively. You can also check for vulnerable sites at  http://filippo.io/Heartbleed/
 

Fix

Before you start thinking that the world is about to end due to this bleeding of hearts…there is hope i.e. fixed OpenSSL version 1.0.1g has been released.


Comments

Post a Comment

Popular posts from this blog

Red Teaming with Covenant and Donut

Image
Red Teaming has rapidly transitioned from Living off the Land (LotL) to Bringing Your Own Land (BYOL). It is now possible to execute .NET assemblies entirely within memory. By developing custom C#-based assemblies, attackers no longer need to rely on the tools present on the target system; they can instead write and deliver their own tools, a technique called Bring Your Own Land (BYOL).  This has led to transitions from PowerShell tools (e.g. PowerShell Empire) to frameworks targeted for .NET assemblies. {shamelessly copied from  https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html } About Covenant Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that
Read more

Pentesting Android applications

Image
Hi all, I would like to talk about the coolness of android applications. So if you want to perform a security review an android app, how will you go about it? There are so many ways to go about this, i will highlight some of the ways I use. 1) Most android applications work just like Web applications, they send out HTTP requests using POST and GET methods. So a cool thing to do is to intercept and capture these requests, make modifications and monitor responses (which can also be intercepted and modified). So how can this be done? A sweet way to achieve this is by proxying all traffic from the application on your phone through a proxy tool such as Burp Suite (coolest tool for me). Now how can you direct that phone traffic to your Burp Suite which is probably running on a laptop or system? Well, you can use a great android tool called "Proxy Droid" to direct the traffic to the IP address and port on which the burp suite is listening. You can connect them to the same wire
Read more

Covenant Task 101 - PPID Spoof Example

Image
Covenant is a great C2 tool for red teaming. I use it on most engagements as its in C# and easily extensible. This post was inspired by Rasta Mouse's Covenant 101  where he nicely described how to modify Covenant source to add a task. The purpose of this post is to leverage Rasta's post to further simplify the process especially for those new to Covenant. Ryan Cobbr, the main author of Covenant has already done a great job by adding a "Tasks" menu where an admin user can lists all tasks and modify their configurations. I will be be showing how I leveraged this in a recent engagement to bypass certain EDRs and AV behavioural signatures. Story Time Once upon a time, I was contracted to do a red teaming engagement for one of the World's leading pharmaceutical firms. Fast forward to when I crafted and had sent a neat phishing mail (embedded with a link to a malicious Word doc). Within 10 mins, about 9 users had clicked, and I had 9 grunts, however, the grunts we
Read more