Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

President Barack Obama has explicitly decided that when any federal agency discovers a vulnerability in online security, the agency should come forward rather than exploit it for intelligence purposes, according to The New York Times, citing unnamed “senior administration officials.”

However, while there is now a stated “bias” towards disclosure, Obama also created a massive exception to this policy if "there is a clear national security or law enforcement need."

The report comes just one day after the Office of the Director of National Intelligence (ODNI) responded to a Bloomberg News report. ODNI denied that story, explicitly stating that the “NSA or any other part of the government” had no prior knowledge of the notorious Heartbleed vulnerability that has wreaked havoc across the Internet.

Read 4 remaining paragraphs | Comments

 

I wanted to know if the tools/software I execute regularly are vulnerable to scraping my system memory.  Now the reverse heartbleed scenario is very possible, but the likelihood seems to be much more of a non-issue.  

Seeing is still believing in my book.  So I set out to see what the interweb world was doing to test this out.  There are some very reputable services/organizations out there offering up a fresh url to the reverse heartbleed and others offering to 'test' a given url.   These are a black box.  Trust is hard to earn at times, especially when you are dealing with an exploit like this one.  I wanted to see source code, or at least pseudocode so I could craft my own.  I found a script out there called Pacemaker [1] that was written and provided by Peter Wu.  I liked it because it was transparent, simple, and it can be used exclusively under my control (the ultimate first step of developing trust).

So simple, I was able to review it for harm and function, and cut and paste it into vi.  Escape, write, quit, and I was off and running.   Basically it works like a simple webserver, very simple.  The script is executed and listens on port 4433.  You point your client software at it with a localhost url and the server script reports on STDOUT what it finds.  

I did not have any vulnerable client software readily available to give a whirl, but I did try all my curl and wget installs that I use regularly.   I also hit it with Chrome and Safari to see the error messages.

Here is what I tested with it.

wget 1.11.4:  

Connection from: 10.0.0.11:60401
Unable to check for vulnerability: SSL 2.0 clients cannot be tested
 
curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5:
 
Connection from: 10.0.0.11:60418
Got Alert, level=Fatal, description=40
Not vulnerable! (Heartbeats disabled or not OpenSSL)
 
curl 7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5:
 
Connection from: 127.0.0.1:59451
Possibly not vulnerable
 
Chrome 34.0.1847.116:

Connection from: 127.0.0.1:59490
Got Alert, level=Fatal, description=47
Not vulnerable! (Heartbeats disabled or not OpenSSL)
 

I am interested in seeing more output from known vulnerable client software.  Feel free to give this a ride and share your results.  If I get a chance to spin out a new VM with some vulnerable OpenSSL on it today, then I will share my experiences too.

 

[1]   https://github.com/Lekensteyn/pacemaker


-Kevin
--
ISC Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status