SlideShare ist ein Scribd-Unternehmen logo

44cafe heart bleed

Als PPTX, PDF herunterladen
I
iphonepentest
TechnologieBildung
1 von 16
Exploitation notes on CVE-2014-0160
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Heartbleed <3 - The vulnerability is announced to the world 7th April 2014 by a website, OpenSSL Security Advisory and OpenSSL 1.0.1g release. - Discovered by Riku, Antti & Matti and Neel Mehta. - I searched the page for a web cart. - Shortly the next day …. - Jared Stafford released “ssltest.py” - Security community scrambled to fix.
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 RFC-6520 Heartbeat Extension Bug introduced to the world NYE 2011 during implementation of RFC-6520 in OpenSSL 1.0.1 Enabled by default in OpenSSL 1.0.1 Fixed in OpenSSL 1.0.1g & OpenSSL 1.0.2-beta1 still vulnerable – (git has fix.) If you run beta code on production servers…
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Vulnerability
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 How does it work?
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 How does it work?
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Let the games commence. Sites ranging from the FBI, Russian Standard Bank, Yahoo!, OpenSSL, Belgian Intelligence Service and many more shown as leaking data. - Screen shots of “ssltest.py” dumping 16384 bytes of heap memory began to appear on social media sites. The content’s of the memory were alarming. - IDS/IPS and Security vendors began to release detection signatures & scanners. - Media frenzy ensued spreading confusing information e.g. #HeartbleedVirus - The vulnerability was still not fully realized. Misconceptions abound.
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 On The Wire • This is an unencrypted heartbleed attack transmitted on the wire. • The response is returned in unencrypted packets.
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Attack SSL, Encrypt with SSL! • I wrote a stand-alone exploit in C using OpenSSL library to transmit the Heartbeat request in encrypted packet. • This was intentionally to bypass IPS/IDS signatures – it worked! • Encrypting attacks on OpenSSL with OpenSSL makes it difficult to detect…. • IDS/IPS vendors began to develop alternative detection signatures.
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 On The Wire • This is an encrypted heartbleed attack transmitted on the wire. • The response is returned in encrypted packets.
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Exploit Fails & Lessons • I continued to push updates during the exploit development process. • I learnt not to commit code changes late at night without review and testing… No, I am not *THAT* OpenSSL developer! • Internet is awesome, people began to submit compile instructions for different Linux platforms. Builds on most Linux/OS-X. • Ayman Sagy added needed DTLS support. • Re-use the code! Patches are welcome!
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 RSA Private Key Recovery • Cloudflare announce secret key challenge for heartbleed. • Provide nginx-1.5.13 web server linked against OpenSSL 1.0.1.f on Ubuntu 13.10 x86_64. • Fedor Indutny solved the challenge first, others quickly followed. • “include/openssl/rsa.h:struct rsa_st” holds RSA variables (p & q) in memory. • RSA n := pq. We can use n to calculate if prime in memory is valid. • Search for key size primes in memory leak and use to determine remaining prime from modulo n (q % n == 0) – with p & q we generate RSA private key.
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 RSA Private Key Recovery • Obtain certificate “openssl s_client -connect 192.168.11.23:443 < http- get.txt | grep BEGIN –A n > out.pem” • Improved “keyscan.py” by Einar Otto Stangvik to produce valid RSA private keys instead of counting primes. • Run “keyscan.py” on a memory dump to test possible values against the certificate modulus n to identify if modulo is 0. The value and its division result by n are checked and if primes we have p & q. • We then generate the RSA private key from the prime values. • Metasploit module also supports dumping private keys.
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Heartbleed.c • Exploit works against vulnerable OpenSSL servers and clients. • Leaks upto 65535 bytes of heap data and 16 bytes of random padding. • Can re-use connection. • STARTTLS support. • Multiple SSL protocols. • Multiple ciphers. • Saves leak to file.
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Demo Demo.
© 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Conclusions • CVE-2014-0160 will exist in appliances & infrastructure for some time. • Affected servers and devices should be considered compromised. • Your IDS/IPS cannot always save you. • Enable Perfect Forward Secrecy. • Enable Two-Factor Authentication (e.g. X.509). E-mail: matthew@mdsec.co.uk Twitter: @HackerFantastic https://github.com/hackerfantastic/public

Empfohlen

Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDefconRussia
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
CCNP Security-IPS
CCNP Security-IPSCCNP Security-IPS
CCNP Security-IPSmohannadalhanahnah
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection Abhishek Singh
 

Empfohlen

Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS appsDefconRussia
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
CCNP Security-IPS
CCNP Security-IPSCCNP Security-IPS
CCNP Security-IPSmohannadalhanahnah
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection Abhishek Singh
 
ios device protection review
ios device protection reviewios device protection review
ios device protection reviewnlog2n
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionveerababu penugonda(Mr-IoT)
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application FrewallAbhishek Singh
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkPriyanka Aash
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewallmohannadalhanahnah
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020OWASP
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
Orbleaf: Integrated Smart Card Development Platform
Orbleaf: Integrated Smart Card Development PlatformOrbleaf: Integrated Smart Card Development Platform
Orbleaf: Integrated Smart Card Development PlatformTech in Asia ID
 
Too soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessmentToo soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessmentSergey Gordeychik
 
Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open SourceBlack Duck by Synopsys
 
Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisDigital Bond
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architectureOWASP
 
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019Kondal Kolipaka
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentDevOps.com
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Apache web-server-security
Apache web-server-securityApache web-server-security
Apache web-server-securityAndrew Carr
 
How to Contribute to Ansible
How to Contribute to AnsibleHow to Contribute to Ansible
How to Contribute to AnsibleCisco DevNet
 
WAFEC
WAFECWAFEC
WAFECConferencias FIST
 
[CLASS 2014] Palestra Técnica - Jonathan Knudsen
[CLASS 2014] Palestra Técnica - Jonathan Knudsen[CLASS 2014] Palestra Técnica - Jonathan Knudsen
[CLASS 2014] Palestra Técnica - Jonathan KnudsenTI Safe
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year laterGiovanni Bechis
 

Weitere ähnliche Inhalte

Was ist angesagt?

ios device protection review
ios device protection reviewios device protection review
ios device protection reviewnlog2n
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionveerababu penugonda(Mr-IoT)
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application FrewallAbhishek Singh
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkPriyanka Aash
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020OWASP
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
Orbleaf: Integrated Smart Card Development Platform
Orbleaf: Integrated Smart Card Development PlatformOrbleaf: Integrated Smart Card Development Platform
Orbleaf: Integrated Smart Card Development PlatformTech in Asia ID
 
Too soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessmentToo soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessmentSergey Gordeychik
 
Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisDigital Bond
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architectureOWASP
 
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019Kondal Kolipaka
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentDevOps.com
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Apache web-server-security
Apache web-server-securityApache web-server-security
Apache web-server-securityAndrew Carr
 
How to Contribute to Ansible
How to Contribute to AnsibleHow to Contribute to Ansible
How to Contribute to AnsibleCisco DevNet
 

Was ist angesagt? (20)

ios device protection review
ios device protection reviewios device protection review
ios device protection review
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application Frewall
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT Framework
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
Orbleaf: Integrated Smart Card Development Platform
Orbleaf: Integrated Smart Card Development PlatformOrbleaf: Integrated Smart Card Development Platform
Orbleaf: Integrated Smart Card Development Platform
 
Too soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessmentToo soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessment
 
Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open Source
 
Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability Analysis
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture
 
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019
Eclipse Plugin for ESP-IDF - EclipseCon Europe 2019
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Apache web-server-security
Apache web-server-securityApache web-server-security
Apache web-server-security
 
How to Contribute to Ansible
How to Contribute to AnsibleHow to Contribute to Ansible
How to Contribute to Ansible
 
WAFEC
WAFECWAFEC
WAFEC
 

Ähnlich wie 44cafe heart bleed

[CLASS 2014] Palestra Técnica - Jonathan Knudsen
[CLASS 2014] Palestra Técnica - Jonathan Knudsen[CLASS 2014] Palestra Técnica - Jonathan Knudsen
[CLASS 2014] Palestra Técnica - Jonathan KnudsenTI Safe
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year laterGiovanni Bechis
 
Securing your Rails application
Securing your Rails applicationSecuring your Rails application
Securing your Rails applicationclucasKrof
 
OSDC 2014: Christopher Kunz - Software defined networking in an open-source c...
OSDC 2014: Christopher Kunz - Software defined networking in an open-source c...OSDC 2014: Christopher Kunz - Software defined networking in an open-source c...
OSDC 2014: Christopher Kunz - Software defined networking in an open-source c...NETWAYS
 
Why you are not secure: Apache, OpenSSL, and PHP (Intermediate Talk)
Why you are not secure: Apache, OpenSSL, and PHP (Intermediate Talk)Why you are not secure: Apache, OpenSSL, and PHP (Intermediate Talk)
Why you are not secure: Apache, OpenSSL, and PHP (Intermediate Talk)Andrew Carr
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerCiNPA Security SIG
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known VulnerabilitiesBleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known VulnerabilitiesImperva
 
Short Introduction of Implicit Conversion by TIS, Inc.
Short Introduction of Implicit Conversion by TIS, Inc.Short Introduction of Implicit Conversion by TIS, Inc.
Short Introduction of Implicit Conversion by TIS, Inc.scalaconfjp
 
Short Introduction of Implicit Converion (ScalaMatsuri2014 LT)
Short Introduction of Implicit Converion (ScalaMatsuri2014 LT)Short Introduction of Implicit Converion (ScalaMatsuri2014 LT)
Short Introduction of Implicit Converion (ScalaMatsuri2014 LT)Atsushi Oku
 
OpenStack in the Enterprise - Are You Ready? - Maish Saidel-Keesing
OpenStack in the Enterprise - Are You Ready? - Maish Saidel-KeesingOpenStack in the Enterprise - Are You Ready? - Maish Saidel-Keesing
OpenStack in the Enterprise - Are You Ready? - Maish Saidel-KeesingCloud Native Day Tel Aviv
 
wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL
 
How to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstrationHow to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstrationPankaj Rane
 

Ähnlich wie 44cafe heart bleed (20)

[CLASS 2014] Palestra Técnica - Jonathan Knudsen
[CLASS 2014] Palestra Técnica - Jonathan Knudsen[CLASS 2014] Palestra Técnica - Jonathan Knudsen
[CLASS 2014] Palestra Técnica - Jonathan Knudsen
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year later
 
Securing your Rails application
Securing your Rails applicationSecuring your Rails application
Securing your Rails application
 
OSDC 2014: Christopher Kunz - Software defined networking in an open-source c...
OSDC 2014: Christopher Kunz - Software defined networking in an open-source c...OSDC 2014: Christopher Kunz - Software defined networking in an open-source c...
OSDC 2014: Christopher Kunz - Software defined networking in an open-source c...
 
Why you are not secure: Apache, OpenSSL, and PHP (Intermediate Talk)
Why you are not secure: Apache, OpenSSL, and PHP (Intermediate Talk)Why you are not secure: Apache, OpenSSL, and PHP (Intermediate Talk)
Why you are not secure: Apache, OpenSSL, and PHP (Intermediate Talk)
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
 
Heartbleed
HeartbleedHeartbleed
Heartbleed
 
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 PrimerAppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
 
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known VulnerabilitiesBleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
 
Short Introduction of Implicit Conversion by TIS, Inc.
Short Introduction of Implicit Conversion by TIS, Inc.Short Introduction of Implicit Conversion by TIS, Inc.
Short Introduction of Implicit Conversion by TIS, Inc.
 
Short Introduction of Implicit Converion (ScalaMatsuri2014 LT)
Short Introduction of Implicit Converion (ScalaMatsuri2014 LT)Short Introduction of Implicit Converion (ScalaMatsuri2014 LT)
Short Introduction of Implicit Converion (ScalaMatsuri2014 LT)
 
LibreSSL
LibreSSLLibreSSL
LibreSSL
 
OpenStack in the Enterprise - Are You Ready? - Maish Saidel-Keesing
OpenStack in the Enterprise - Are You Ready? - Maish Saidel-KeesingOpenStack in the Enterprise - Are You Ready? - Maish Saidel-Keesing
OpenStack in the Enterprise - Are You Ready? - Maish Saidel-Keesing
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013
 
How to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstrationHow to exploit heartbleed vulnerability demonstration
How to exploit heartbleed vulnerability demonstration
 

Kürzlich hochgeladen

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

44cafe heart bleed

  • 1. Exploitation notes on CVE-2014-0160
  • 2. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Heartbleed <3 - The vulnerability is announced to the world 7th April 2014 by a website, OpenSSL Security Advisory and OpenSSL 1.0.1g release. - Discovered by Riku, Antti & Matti and Neel Mehta. - I searched the page for a web cart. - Shortly the next day …. - Jared Stafford released “ssltest.py” - Security community scrambled to fix.
  • 3. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 RFC-6520 Heartbeat Extension Bug introduced to the world NYE 2011 during implementation of RFC-6520 in OpenSSL 1.0.1 Enabled by default in OpenSSL 1.0.1 Fixed in OpenSSL 1.0.1g & OpenSSL 1.0.2-beta1 still vulnerable – (git has fix.) If you run beta code on production servers…
  • 4. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Vulnerability
  • 5. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 How does it work?
  • 6. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 How does it work?
  • 7. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Let the games commence. Sites ranging from the FBI, Russian Standard Bank, Yahoo!, OpenSSL, Belgian Intelligence Service and many more shown as leaking data. - Screen shots of “ssltest.py” dumping 16384 bytes of heap memory began to appear on social media sites. The content’s of the memory were alarming. - IDS/IPS and Security vendors began to release detection signatures & scanners. - Media frenzy ensued spreading confusing information e.g. #HeartbleedVirus - The vulnerability was still not fully realized. Misconceptions abound.
  • 8. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 On The Wire • This is an unencrypted heartbleed attack transmitted on the wire. • The response is returned in unencrypted packets.
  • 9. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Attack SSL, Encrypt with SSL! • I wrote a stand-alone exploit in C using OpenSSL library to transmit the Heartbeat request in encrypted packet. • This was intentionally to bypass IPS/IDS signatures – it worked! • Encrypting attacks on OpenSSL with OpenSSL makes it difficult to detect…. • IDS/IPS vendors began to develop alternative detection signatures.
  • 10. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 On The Wire • This is an encrypted heartbleed attack transmitted on the wire. • The response is returned in encrypted packets.
  • 11. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Exploit Fails & Lessons • I continued to push updates during the exploit development process. • I learnt not to commit code changes late at night without review and testing… No, I am not *THAT* OpenSSL developer! • Internet is awesome, people began to submit compile instructions for different Linux platforms. Builds on most Linux/OS-X. • Ayman Sagy added needed DTLS support. • Re-use the code! Patches are welcome!
  • 12. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 RSA Private Key Recovery • Cloudflare announce secret key challenge for heartbleed. • Provide nginx-1.5.13 web server linked against OpenSSL 1.0.1.f on Ubuntu 13.10 x86_64. • Fedor Indutny solved the challenge first, others quickly followed. • “include/openssl/rsa.h:struct rsa_st” holds RSA variables (p & q) in memory. • RSA n := pq. We can use n to calculate if prime in memory is valid. • Search for key size primes in memory leak and use to determine remaining prime from modulo n (q % n == 0) – with p & q we generate RSA private key.
  • 13. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 RSA Private Key Recovery • Obtain certificate “openssl s_client -connect 192.168.11.23:443 < http- get.txt | grep BEGIN –A n > out.pem” • Improved “keyscan.py” by Einar Otto Stangvik to produce valid RSA private keys instead of counting primes. • Run “keyscan.py” on a memory dump to test possible values against the certificate modulus n to identify if modulo is 0. The value and its division result by n are checked and if primes we have p & q. • We then generate the RSA private key from the prime values. • Metasploit module also supports dumping private keys.
  • 14. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Heartbleed.c • Exploit works against vulnerable OpenSSL servers and clients. • Leaks upto 65535 bytes of heap data and 16 bytes of random padding. • Can re-use connection. • STARTTLS support. • Multiple SSL protocols. • Multiple ciphers. • Saves leak to file.
  • 15. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Demo Demo.
  • 16. © 2014 MDSec Consulting Ltd. All rights reserved. Exploitation notes on CVE-2014-0160 Conclusions • CVE-2014-0160 will exist in appliances & infrastructure for some time. • Affected servers and devices should be considered compromised. • Your IDS/IPS cannot always save you. • Enable Perfect Forward Secrecy. • Enable Two-Factor Authentication (e.g. X.509). E-mail: matthew@mdsec.co.uk Twitter: @HackerFantastic https://github.com/hackerfantastic/public