Question

I have been playing with the Python implementation of Heartbleed on a couple of servers and got all sorts of data in response.

Amongst the data received, I have seen:

- Cookies values (SESSIONID, etc)
- Random characters that make no sense
- HTML
- ...?

I know I'm being a script kiddie here, but anyway, I was wondering where this data comes from (RAM?), what apps put the data there (Apache? OpenSSL?), and generally hoping to get a broader picture of what is going on.

Any help?


Solution

According to heartbleed.com, a vulnerable machine can leak 64kb of memory contents per heartbeat request, but an attacker can make those requests arbitrarily many times. I've seen comments to the effect that an attacker could theoretically recover enough data to fully reconstruct the RAM contents of the target machine - or, at least, however much of it Apache (or whichever program is involved in the SSL session) could see. That can include, for example, cookies, files that are being served, and from data coming in - especially usernames and passwords.

One particular problem is that any process doing SSL needs to have enough information to decrypt incoming data and sign outgoing data - that is to say, the private key. Leaking that opens you to MITM attacks and potentially (not always) retrospective decryption of intercepted data. The potential for keys to leak undetected is why the advised response is to patch OpenSSL and then rekey - patching OpenSSL protects you against future attacks, but you have no way of knowing whether your encryption keys are already compromised.

Other tips

Here's an explanation by Jacob originally posted on Superuser:

In RFC 5246, which set the standards for Transport Layer Security (TLS), there is a function known as a heartbeat. The client and server send some data back and forth to keep the connection alive so that it can be used later. Now in practice the client will send some data and the server will just send it back, and everything is great. However, in the affected OpenSSL versions there is no check to see if the client actually sent the amount of data that it did. So if I send it 1B and tell the server that I actually sent it 64kB, then it is going to happily send me back 64kB. Where do those other bytes come from? That's the key right there. OpenSSL is going to send you back 64kB-1B of memory that the process has access to and that you originally didn't send, depending on where your 1B is stored. These extra bytes from memory are the problem, as they can contain valuable information such as private key material and information that the server is decrypting to use. Examples of this would be: passwords, credit card information, and/or PINs.
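The mechanism described in the accepted answer and in Jacob's explanation above, as an added example that is not part of the original post and is not OpenSSL's own code: a heartbeat request is `type (1 byte) | payload_length (2 bytes) | payload | 16 bytes padding`. The vulnerable handler copies `payload_length` bytes starting at the payload, trusting the attacker-controlled length field; the fixed handler (modelled on the check added in OpenSSL 1.0.1g) rejects any request whose claimed length does not fit inside the record that actually arrived, as RFC 6520 requires. The `arena` standing in for process memory, the neighbouring cookie and key fragment, and the function names are all constructed for this demo; all reads stay inside the arena, so the over-read is simulated rather than real undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
#define ARENA_SIZE       0x10100   /* > 3 + 0xFFFF so a maximal over-read stays in bounds */

/* Constructed stand-in for the TLS process's memory: the heartbeat record is
 * placed at the start and hypothetical neighbouring heap data follows it. */
static unsigned char arena[ARENA_SIZE];
static unsigned char response[3 + 0xFFFF + HB_PADDING];

/* Lay out a heartbeat request in the arena. claimed_len is written into the
 * 2-byte length field; actual_len is how much payload really follows.
 * Returns the true record length, as the TLS record layer would report it. */
static size_t build_request(const unsigned char *payload, size_t actual_len, uint16_t claimed_len)
{
    /* Constructed "adjacent" data, standing in for a cookie and key material. */
    static const char neighbour[] =
        "Cookie: SESSIONID=deadbeefcafe\r\n-----BEGIN RSA PRIVATE KEY-----\n";
    size_t n = 0;
    memset(arena, 0, sizeof arena);
    arena[n++] = TLS1_HB_REQUEST;
    arena[n++] = (unsigned char)(claimed_len >> 8);
    arena[n++] = (unsigned char)(claimed_len & 0xFF);
    memcpy(arena + n, payload, actual_len);
    n += actual_len;
    n += HB_PADDING;                                     /* padding (zero bytes here) */
    memcpy(arena + n, neighbour, sizeof neighbour - 1);  /* lives just past the record */
    return n;
}

/* Pre-fix logic: the length field is trusted and rec_len is never consulted. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len)
{
    const unsigned char *p = rec;
    uint16_t payload_len;
    (void)rec_len;                     /* the missing bounds check is the bug */
    if (*p++ != TLS1_HB_REQUEST) return 0;
    payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    response[0] = TLS1_HB_RESPONSE;
    response[1] = (unsigned char)(payload_len >> 8);
    response[2] = (unsigned char)(payload_len & 0xFF);
    memcpy(response + 3, p, payload_len);  /* copies whatever follows the real payload */
    memset(response + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Post-fix logic: the claimed payload plus header and padding must fit inside
 * the received record, otherwise the request is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len)
{
    const unsigned char *p = rec;
    uint16_t payload_len;
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    if (*p++ != TLS1_HB_REQUEST) return 0;
    payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return 0;  /* the fix */
    response[0] = TLS1_HB_RESPONSE;
    response[1] = (unsigned char)(payload_len >> 8);
    response[2] = (unsigned char)(payload_len & 0xFF);
    memcpy(response + 3, p, payload_len);
    memset(response + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Bounded search of the last response (binary data) for a string. */
static int response_contains(size_t resp_len, const char *needle)
{
    size_t nl = strlen(needle);
    if (nl == 0 || resp_len < nl) return 0;
    for (size_t i = 0; i + nl <= resp_len; i++)
        if (memcmp(response + i, needle, nl) == 0) return 1;
    return 0;
}

int main(void)
{
    const unsigned char payload[] = "X";                 /* attacker really sends 1 byte */
    size_t rec_len = build_request(payload, 1, 4096);    /* but claims 4096 */
    size_t v = heartbeat_vulnerable(arena, rec_len);
    printf("record: %zu bytes, vulnerable reply: %zu bytes, cookie leaked: %s\n",
           rec_len, v, response_contains(v, "SESSIONID=deadbeefcafe") ? "yes" : "no");
    size_t f = heartbeat_fixed(arena, rec_len);
    printf("fixed reply: %zu bytes (0 means the request was discarded)\n", f);
    return 0;
}
```

The interesting number is the difference between the 20-byte record and the 4,115-byte reply: everything beyond the first few bytes is copied from memory the client never sent, which is exactly why the leaked output looks like a random mix of cookies, HTML and binary data. The fixed handler returns 0 for the same record, and only answers when the length field is honest.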

License: CC-BY-SA with attribution