Share Thread:  
HEARTBLEED: Yes, the NSA and probably everyone else knows all your passwords
[Image: heartbleed_explanation.png]
On windows if you prefer to use the nginx web server instead of IIS or Apache, you might have brought over libssl.dll to get it to boot up:

(nginx is a web server that is getting a cult-like following among computer geeks because it is incredibly small but it can support millions of users, allowing you to cut the costs of hardware by huge factors)

I've already found one Java app in my company that was sitting on a compromised libSSL stack, but it uses libSSL to validate certificates on disk; it doesn't serve network traffic.
Every passing day I fight the urge to shoot the computer and put my phone in a clay pigeon thrower.

One of these days it's going to happen.

It's a good thing we're turning over control to the UN. Cretin4Gallery_7035_184_5926
"In 4 more OMao years you won't like how America looks....I guarantee it."
“When injustice becomes law, resistance becomes duty.” -- Thomas Jefferson
(04-10-2014, 11:40 PM)ArcticSplash Wrote: Wrong.

You don't need the server's private key to get at the data. You already have the server's public key and you sent the server your own public key for the server to pair up against the server's private key so you're already reading all the traffic from the server in plaintext anyway.

The bug is in TLS over the network socket. For the bug to "work", all you need to do is open any SSL/TLS session to a machine with the vulnerability and after the PX exchange (which most web browsers and web stacks already do), you then craft a garbage heartbeat message to keep-alive the SSL/TLS socket connection.

If the server is using 1.0.2 beta of OpenSSL or any release of 1.0.1-1.0.1f as the TLS stack, it will cause an overread of the memory location and the contents will be returned back to you encrypted using the certificate which you already have because you already exchanged keys with the server upon connecting.

Most TLS client stacks already take care of handling the crypto exchange for you and hand you a socket connection that auto-manages the TLS exchange for you so it appears to you exactly the same as an unsecured stack. All TLS stacks allow you to craft your own packets to send directly to the socket. In the OSI network model, TLS is usually level 5 on the stack or level 6 if it's all implemented in client software.

OpenSSL (libssl if you're looking at what to patch) source code is freely baked everywhere. Lots of embedded hardware runs it. I have a compromised printer in my house I can't do anything about it until Brother issues a firmware patch, but I don't send SecurePDF docs from my printer so I don't make use of the crypto shit the printer has on it. But it does answer port 443 and I already tested it for heartbleed and I was able to read some of the printer's memory.

Absolutely none of that helps you read data from somebody else's communications which was my point all together. You as an attacker still need to execute a man in the middle/spoof or packet sniffing to get at other traffic, which you could only read by obtaining the servers private key through the buffer overrun exploit caused by this bug. Executing said attack requires compromising a network through other means, which may be easy or difficult depending on circumstances.

The point is there isn't a free for all of encrypted password reading going on like what the media is reporting.
The law? The law is a human institution...
I was wrong. Arctic is right.
The law? The law is a human institution...

Possibly Related Threads...
Thread Author Replies Views Last Post
  NSA shooting spblademaker 3 939 04-03-2015, 11:52 AM
Last Post: ArcticSplash
  NSA Director: China can damage US power grid das 16 1,459 11-25-2014, 11:40 PM
Last Post: ArcticSplash
  NSA: "We saved you from a Chinese BIOS virus that would brick all PCs" ArcticSplash 20 2,474 12-19-2013, 05:26 PM
Last Post: kadar
  McAfee Founder To Launch New “NSA Killer” Privacy Device nomad 0 428 10-04-2013, 04:03 PM
Last Post: nomad
  Secretive DEA Surveillance Unit Makes NSA Look Like Happy Hour bucksco 0 416 08-05-2013, 05:39 PM
Last Post: bucksco

Users browsing this thread: 1 Guest(s)

Software by MyBB, © 2002-2015 MyBB Group.
Template by Modogodo Design.