
heartbleed

The History of heartbleed (as per wiki)

"The Heartbeat Extension for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols was proposed as a standard in February 2012 by RFC 6520.[21] It provides a way to test and keep alive secure communication links without the need to renegotiate the connection each time. In 2011, one of the RFC's authors, Robin Seggelmann, then a Ph.D. student at the University of Duisburg-Essen, implemented the Heartbeat Extension for OpenSSL. Following Seggelmann's request to put the result of his work into OpenSSL his change was reviewed by Stephen N. Henson, one of OpenSSL's four core developers. Henson failed to notice a bug in Seggelmann's implementation, and introduced the flawed code into OpenSSL's source code repository on December 31, 2011. The flaw spread with the release of OpenSSL version 1.0.1 on March 14, 2012. Heartbeat support was enabled by default, causing affected versions to be vulnerable."

http://en.wikipedia.org/wiki/Heartbleed

Heartbleed was a really cool vuln.

While it used a well-known protocol function, it was very, very hard to detect.

It was easy to use and massive in its outcome: you could retrieve memory (including sensitive, decrypted information) from the crypto process on the server.

The key was to "tell" the attacked host that "he" did not send enough padding information. The crypto process (OpenSSL) then took 64 bytes of "random" data to pad and sent this to the attacker. The only problem was that the random data was not so random at all: OpenSSL just grabbed 64 bytes of RAM it found at a certain place within its crypto process.

Unfortunately, this area very often held secret keys, usernames and passwords that were still available (decrypted) in RAM.

Cool, isn't it?!
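
The missing bounds check behind the leak described above, as an added example in C (not OpenSSL's code and not from the original post). It follows the RFC 6520 message layout: a 1-byte type, a 2-byte payload length, the payload and at least 16 bytes of padding, with the responder echoing the payload. The function names, the `arena` buffer and the `CONSTRUCTED-SECRET` marker are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16            /* RFC 6520: at least 16 padding bytes */
#define REC_LEN     20            /* constructed record: 1 + 2 + 1 + 16  */
#define SECRET      "CONSTRUCTED-SECRET"
static unsigned char arena[64];   /* record, then unrelated process data */

/* Pre-fix pattern: the length field inside the message is trusted. */
static size_t hb_reply_unchecked(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                        /* never consulted: this is the bug */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);    /* copies past the received record */
    return 3 + claimed;
}

/* Hardened: silently discard unless type + length + payload + padding fit. */
static size_t hb_reply_checked(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    return 3 + claimed;
}

/* Constructed sample: a request carrying one payload byte, secret right after it. */
static void arena_init(unsigned claimed) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST; arena[3] = 'A';
    arena[1] = (unsigned char)(claimed >> 8); arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + REC_LEN, SECRET, strlen(SECRET));
}

/* Returns 1 if the reply contains bytes that lay beyond the record. */
static int reply_leaks(const unsigned char *reply, size_t n) {
    size_t i, k = strlen(SECRET);
    for (i = 0; i + k <= n; i++) if (memcmp(reply + i, SECRET, k) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[128]; size_t n;
    arena_init(40);                       /* length field claims 40, record holds 1 */
    n = hb_reply_unchecked(arena, REC_LEN, out);
    printf("unchecked: %zu bytes, leaks=%d\n", n, reply_leaks(out, n));
    printf("checked:   %zu bytes (0 = discarded)\n", hb_reply_checked(arena, REC_LEN, out));
    return 0;
}
```

The sample keeps the over-read inside one array so the demonstration itself stays within defined behaviour; the reply padding a real responder appends is omitted.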