Web Flaws and Vulnerabilities

Heartbleed Vulnerability, Dissected

Blog Web Flaws and Vulnerabilities Heartbleed Vulnerability, Dissected
0 comments

Heartbleed in 2 words

It’s huge.

Heartbleed in a few words

Heartbleed take its name from Heartbeat, from where came the flaw, this big security flaw discovered the 8th april 2014.

This is in the SSL protocol (used by many sites and services in the world) that flaw permit to a hacker, in certain conditions, to extract passwords, secret keys, and other private informations.

How works this vulnerability

Without big details which can allows you to exploit it – the goal here is to inform – here comes how simply work this flaw using a heartbeat.

Heartbeat is a ping/pong with a tiny request asking if we are still connected to the server and not with an expired session, or even with a down server.

  • Your browser send a request to the server : “Server, I am Julio, are you there? If yes, send me “ACK” (this is 3 chars).”
  • The server receive your request and treat it : [Julio:ID21][Session:31fad3cb1acdbbadbef32efsdecf3b2c1][Asking:status][Status:OK][Private Transaction Key:c3ef5c4a5e5c3b1ce3ef2fa3c3b39e4d][Password Hash:cc3b1ce3eabcefa9456f2fa3c3b39e4d][Asked:3 chars:"ACK"][Sent:"ACK"].
  • The serveur keeps in memory, kind of log, your request and its response, you just received “ACK”, as expected, all is good for you.

Until now, nothing special, we just did 1 heartbeat. Let’s add some blood now …

  • You are now a hacker and you give to your browser a new data, he send now another request to the server : “Server, I am Julio, Are you there? If yes, send me “ACK” (this is 250 chats).” (cheater, 250!)
  • The server receive your request and treat it : [Julio:ID21][Session:31fad3cb1acdbbadbef32efsdecf3b2c1][Asking:Status][Status:OK][Private Transaction Key:c3ef5c4a5e5c3b1ce3ef2fa3c3b39e4d][Password Hash:cc3b1ce3eabcefa9456f2fa3c3b39e4d][Asked:250 lettres:"ACK"][Sent:"ACK[Admin:ID1][Session:d3cb1acdbbadbef32efsdecf98ce3b2c1][Asking:Status][Status:OK][Private Transaction Key:5c4a5e5c3b1ce3ef2fa3c3b39e498fcd][Password Hash:b1ce3eabcedfa9456f2fa3c3b398c9e4d][Asked:3 lettres:"ACK"][Sent:"ACK"][Marie:ID84]"].
  • The server read too far in its memory, he read the logs from other requests with their response, vous get “ACK”, followed by 247 other chars.

Do you understand? By asking more letters that he really sent, the serveur give us the asked number of letters, even if he has to overflow in the memory. He can now send us some other private informations from anywhere, any types, from users, sessions etc

So we get “ACK” but also a log from the last request, the one from the user “ADMIN” and even a bit of “MARIE”. The char limit seems to be 64000 … enought.

Protect-me!

Even if you browser is up to date, you can’t act here. Your website is up to date? Same thing. This is on your server.

You have to, if you got your own server, update the SSL library? If you’re using a shared hosting, your host will do the job.

Then you can check is you are (still) vulnerablehttp://filippo.io/Heartbleed/

0 comments

Leave a Reply