Tuesday, April 8, 2014

Exploiting the Heartbleed vulnerability CVE-2014-0160

     Heartbleed is a vulnerability in OpenSSL versions prior to 1.0.1g. Only the 1.0.1 version of OpenSSL prior to 1.0.1f are affected by this vulnerability. The problem exists in a heartbeat extension that when exploited causes random blocks of memory to be disclosed. The content that may be disclosed that is of particular interest include SSL private keys, session cookies, etc. The CVE assigned to this vulnerability is CVE-2014-0160. To understand how this exploit works I have included a Creative Commons licensed comic created by the folks at xkcd.com.

In order to exploit this vulnerability you're going to want to grab a copy of ssltest.py. For simplicity's sake you can execute the following command to grab the file:
wget https://gist.githubusercontent.com/sh1n0b1/10100394/raw/4f24ff250124a03ad2d3d6010b6402c3a483d2f3/ssltest.py
This file requires Python 2.7 to run, it will not work in Python 3. To execute the program on the command line first:
chmod +x ssltest.py
Simply supply the hostname or IP address of the server you wish to test for the vulnerability. By default the application does target port 443 if you do not specify a port. Once run the application will either return "No heartbeat response received, server likely not vulnerable" or it will dump the contents of the memory with the message "Warning: server returned more data then it should - server is vulnerable!" You may or may not find any interesting data in the dump the first time you run the application, this obviously depends upon whether or not anyone else is interacting with the server when you attemp the exploit, and which chunk of memory the server spits back to you. The exploit can be run continuously until you get the data you are looking for, whether it is session information or the private key of the SSL server. The interesting part is that none of these attacks are logged at the server level, because a complete connection is never made to the server. Thus these type of attacks are hard to see from the perspective of the host itself. There are some ways to detect these attacks using network protocol analysis and IDS/IPS may detect these if there is a signature for the attack.

A Metasploit module has been released to exploit heartbleed. It can be found in metasploit's auxiliary/scanner/ssl/openssl_heartbleed.

URL: http://www.rapid7.com/db/modules/auxiliary/scanner/ssl/openssl_heartbleed

Addition URL's for further info: