thorne, posted April 9, 2014: I was curious how many of you have been dealing with this fun issue. And a reminder to update your servers! http://heartbleed.com/
ImUrOBGYN, posted April 10, 2014: I'm aware of it. Not too worried at this point since I don't host servers, etc. Still, I'm waiting to see what sites I get an email from. Have fun updating and redoing those certificates!
mrhobbz, posted April 10, 2014: Oh darn, I hope they don't get to my trash SVN on my webserver.. They might get some hello world java projects and horribly written python scripts
EssFo, posted April 10, 2014: Haven't seen anything as of yet, but for some reason two of my customers got hit with the Cryptolocker today.
BIGGU, posted April 10, 2014: Our servers here are fine. We are on a different version than the one affected, thankfully.
thorne, posted April 11, 2014 (edited April 14, 2014 by Thorne): BTW if you have a linux box or cygwin install running openssl version 1.0.1 you can test for this by doing the following:
openssl s_client -connect ip:port
Once connected, hit capital B. If it says heartbeating and doesn't throw an error, you're probably vulnerable. There is also a python script out there that works well but it actually uses the payload and shows the 64k of memory. I
thorne, posted April 11, 2014:
```
thorne@DizzyThizorn-MindCrizaft:~$ openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=0 CN = DizzyThizorn-MindCrizaft
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = DizzyThizorn-MindCrizaft
verify return:1
---
Certificate chain
 0 s:/CN=DizzyThizorn-MindCrizaft
   i:/CN=DizzyThizorn-MindCrizaft
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICwjCCAaoCCQCgY7X2vKMhxTANBgkqhkiG9w0BAQUFADAjMSEwHwYDVQQDExhE
aXp6eVRoaXpvcm4tTWluZENyaXphZnQwHhcNMTQwNDEwMTYzNzQzWhcNMjQwNDA3
MTYzNzQzWjAjMSEwHwYDVQQDExhEaXp6eVRoaXpvcm4tTWluZENyaXphZnQwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEjr63bSbbEEoNeVeEMaN+970u
2EXJmqZ1mlTmnip8JRAXbmZWiTi8jI3e+NgeGEje9fG1xtx+rQN/XGSuaSE5duUn
hg4l9bv+dU120oxdtzl2+e4JTK3wGPF5A/L1EL/lMKMdrcGQxmvrhC8lw8/jNepA
JVzOkB/dwH6+ZAox/oA4+QwLFdEggLkY1p1HdJWzaLb9U5EEGxS1RDqaKQXV3ODJ
cfkfir0+EZa8Bd9761uFQ89fWvtcuMVDt3Gjfn2l5fdyBOfrqC+sIGlRgLiKlkE5
qplCd3/kJYKTVhbTVAHzFZ3+IRjn0PoMAvZ/BESq5SiChKRKgdDITQAPOgs5AgMB
AAEwDQYJKoZIhvcNAQEFBQADggEBAIZpYU/Y+eW7xWkrMEzJSKEkWxjoK9hmPqD4
ug4TWRzF/+dCmv4ZSSgzkTtypDpSxo5U7idNkFStsTXZUd7tpE7J+kywMO4Oqqc0
AwIZE2xBseYQK1O9fVNPhVFX4CeFWEMeuxhgcRxydeU6dMDOwzRZAKuHMR+s5zqB
ZH1a33QA9lF6N3CwW5X28vwjzz1/dRdoi0RR6c1YfdmYxxTr+2tjW7FH7gN0BveQ
BqEP6sywPkP6P8dcQ50s/xcHrwJCNHXN75e+PPoxtLXiFuqKutb1z1Mhs2jd0sc5
DSuo7uLjKOnE0k4QIbqSIbxZJYU/GfCZXS7B/1n29WPvltg8Ukc=
-----END CERTIFICATE-----
subject=/CN=DizzyThizorn-MindCrizaft
issuer=/CN=DizzyThizorn-MindCrizaft
---
No client certificate CA names sent
---
SSL handshake has read 1609 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 4E13D2F8A3F1E110627507ACE20C2EC8CFC9FBC6154C140DA6D9C618DC2A2822
    Session-ID-ctx:
    Master-Key: 9D3A3FCC243C1FF79A257CDBE51317C730A8012D063A540351F0A1ADF01FC385BA4D0EE11B830DAD9242C9C6F2005F29
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 20 ad a6 f2 21 77 5d 83-c4 85 2f b5 16 b2 d2 a0   ...!w].../.....
    0010 - e5 dd af a9 5d 94 79 15-be 6b 4e 9b af 7e 2b 77   ....].y..kN..~+w
    0020 - 76 e3 a4 d8 41 86 e7 63-16 f1 c5 1d 0e 23 f6 04   v...A..c.....#..
    0030 - 68 23 9b 06 31 e2 65 a8-58 c2 dc eb cf dc cf b6   h#..1.e.X.......
    0040 - e5 f5 a7 17 48 19 c6 40-1d 54 e6 51 40 2a 01 e3   ....H..@.T.Q@*..
    0050 - f1 52 e1 fd da 1f 78 56-90 e9 c2 db 67 4b ca 7f   .R....xV....gK..
    0060 - 32 79 e7 16 14 49 76 15-a8 8d f7 86 cb 9c 6d c5   2y...Iv.......m.
    0070 - 38 e3 39 0d 92 fa 97 6e-cc 8f f3 2c 5d 11 16 45   8.9....n...,]..E
    0080 - 74 f7 e8 34 00 8b 1e 10-f6 e7 a0 f0 23 23 5b e9   t..4........##[.
    0090 - 52 b9 99 bf d4 64 66 9a-63 f9 26 19 8c 90 df 21   R....df.c.&....!
    00a0 - d6 41 c5 1f 70 48 1d 64-f8 c7 ed e1 01 79 57 ce   .A..pH.d.....yW.
    00b0 - d3 53 5f 0a 3c 2b 25 a5-a7 af 4d 46 5c 4a f3 22   .S_.<+%...MF\J."

    Start Time: 1397185164
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
B
HEARTBEATING
read R BLOCK
closed
```
Mensan, posted April 11, 2014: Not an IT person, posting anyway. LET THEM EAT CAKE!!!
thorne, posted April 11, 2014: Hahaha
unfunnyryan, posted April 11, 2014: Patched my boxes, and I haven't been logging into anything significant in the last few days. Also using lastpass, so unless someone has tried this against lastpass servers, they can fuck off.
Akula, posted April 14, 2014: Most of my colleagues and friends were hit by it. http://www.ssllabs.com has a test for it on their site. I know that the bug has been out for a very long time and is extremely dangerous as you can dump private keys with it (shown in POC) as well as Usernames and Passwords.
Veritas, posted April 18, 2014: Was updating the linux boxes to our servers for it. We only have a couple outward facing things for the district anyways but it still caused a minor heart attack for the director of technology where I am.
initzero, posted April 18, 2014: I work for a local gov't and our IPS blocks about 80 attacks a day. I've also used the metasploit module to exploit heartbleed in my lab. Kinda scary stuff.
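An added example, not part of any post in this thread: the length check an IPS or the patched server can apply to heartbeat requests, following the record layout in RFC 6520. It assumes the heartbeat records are seen in plaintext (before encryption is negotiated); the function names and the sample stream are constructed for illustration.

```python
import struct

HEARTBEAT = 24        # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1        # HeartbeatMessage type: request
MIN_PADDING = 16      # RFC 6520 requires at least 16 bytes of padding


def iter_records(stream: bytes):
    """Yield (content_type, fragment) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        fragment = stream[off + 5: off + 5 + length]
        if len(fragment) < length:
            break                      # truncated capture, stop parsing
        yield ctype, fragment
        off += 5 + length


def classify_heartbeat(fragment: bytes) -> str:
    """Compare the claimed payload length with the bytes actually sent."""
    if len(fragment) < 3:
        return "malformed"
    hb_type, claimed = struct.unpack_from("!BH", fragment, 0)
    if hb_type != HB_REQUEST:
        return "other"
    # type (1) + length field (2) + payload + padding must fit in the record;
    # a request that claims more than it carries is asking for an over-read.
    if 1 + 2 + claimed + MIN_PADDING > len(fragment):
        return "over-read"
    return "ok"


def scan(stream: bytes) -> list:
    """Classify every heartbeat record in a byte stream, skipping the rest."""
    return [classify_heartbeat(f) for t, f in iter_records(stream) if t == HEARTBEAT]


def _record(ctype: int, fragment: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0302, len(fragment)) + fragment


# Constructed sample: a well-formed request, an unrelated handshake record,
# and a request whose claimed length exceeds the record it arrived in.
SAMPLE = (
    _record(HEARTBEAT, struct.pack("!BH", HB_REQUEST, 4) + b"ping" + bytes(16))
    + _record(22, b"\x00" * 8)
    + _record(HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0x4000))
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The comparison in `classify_heartbeat` is the same bounds check the fixed OpenSSL releases apply before answering a heartbeat; a request that fails it is dropped instead of echoed.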