
Using Heartbleed PoC for Hijacking User Sessions En Masse - davis_m
https://www.michael-p-davis.com/using-heartbleed-for-hijacking-user-sessions/
======
davis_m
Many people have commented on the legality of using this software. I didn't
think it needed pointing out that using this on servers you do not own is
strictly against the law. My only reason for writing this is to show exactly
what can be done with the vulnerability and how scary it really is.

Many people have a vague understanding of how bad it is to lose a private key
that is used to sign SSL traffic, but showing that one is able to hijack
sessions en masse makes this vulnerability much easier to wrap our heads
around.

Don't be idiots out there.

~~~
eli
And at least in the US, it would likely violate a federal law that has
_disproportionately stiff prison sentences_.

------
peterwwillis
Big props to you Michael (and everyone else who helped produce this PoC) for
showing how completely fucking crazy this security hole is. I don't envy the
flack you'll get for it, but it really drives home the enormity of the
problem, and will force people to patch _much quicker_ than they would
normally. The only thing that gets companies to patch in less than a month is
a big fire under their ass.

------
revelation
This exploit as posted is suboptimal. If I understood the format of a
heartbeat message correctly, it's one byte type followed by two bytes unchecked
length.

So if you want to maximize the data extracted with each connection, you should
send FF FF for length, instead of 0x0302 bytes as it's requesting now (if n2s
is for network byte order to short).

~~~
quasque
It's requesting 0x4000 (16384) bytes. Here's what the bytes in the heartbeat
packet sent by the PoC mean:

    0x18       TLS content type:  heartbeat          [*]
    0x03 0x02  protocol version:  TLS 1.1            [RFC 4346, section A.1]
    0x01       message type:      heartbeat request  [RFC 6520, section 3]
    0x40 0x00  payload length:    16384 bytes        [RFC 6520, section 4]

This should be followed by a payload of that length, but if it isn't (as in
the PoC) the vulnerable versions of OpenSSL will then carve it out of the heap
to form the response packet - this is what leads to the data leakage.

[*] see https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-5

~~~
quasque
Just realised I accidentally deleted a line while I was reformatting, that
should read:

    0x18       TLS content type:  heartbeat          [*]
    0x03 0x02  protocol version:  TLS 1.1            [RFC 4346, section A.1]
    0x00 0x03  content length:    3 bytes            [RFC 4346, section A.1]
    0x01       message type:      heartbeat request  [RFC 6520, section 3]
    0x40 0x00  payload length:    16384 bytes        [RFC 6520, section 4]
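
As an added example (not code from this thread or from the PoC), here is a small Python parser for the record layout laid out above, applying the bounds check that patched OpenSSL added: the declared payload length plus the 16-byte minimum padding must fit inside the received record, otherwise the message is dropped. The sample byte strings are constructed; the 8-byte one is the malformed record described above.

```python
import struct

TLS_CONTENT_TYPE_HEARTBEAT = 0x18  # IANA TLS ContentType registry
HEARTBEAT_REQUEST = 0x01           # RFC 6520, section 3
MIN_PADDING = 16                   # RFC 6520, section 4: padding >= 16 bytes

# Constructed sample: the 8-byte record discussed above, no payload follows.
# 0x18 | version 0x0302 | record length 3 | type 0x01 | payload_length 0x4000
SAMPLE_MALFORMED = bytes.fromhex("18 03 02 00 03 01 40 00")

# Constructed sample: 4-byte payload "PING" plus 16 bytes of padding,
# so the record length is 1 + 2 + 4 + 16 = 23 (0x17).
SAMPLE_WELL_FORMED = bytes.fromhex("18 03 02 00 17 01 00 04") + b"PING" + b"\x00" * 16


def parse_tls_record(data):
    """Split one TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length exceeds the bytes actually received")
    return content_type, version, fragment


def check_heartbeat(fragment):
    """Validate a heartbeat fragment the way patched OpenSSL does.

    Returns (message_type, payload) when the declared payload plus the
    mandatory padding fit inside the fragment; raises otherwise. Vulnerable
    versions skipped this check and copied payload_length bytes from the
    heap into the response regardless of how many bytes had arrived.
    """
    if len(fragment) < 3:
        raise ValueError("heartbeat message shorter than its 3-byte header")
    msg_type = fragment[0]
    payload_length = struct.unpack("!H", fragment[1:3])[0]
    # The fix: 1 (type) + 2 (length) + payload + 16 (padding) <= record length.
    if 1 + 2 + payload_length + MIN_PADDING > len(fragment):
        raise ValueError(f"payload_length {payload_length} does not fit in a "
                         f"{len(fragment)}-byte fragment; discard silently")
    return msg_type, fragment[3:3 + payload_length]


def is_safe_heartbeat(record):
    """True if record is a heartbeat that passes the bounds check."""
    try:
        content_type, _version, fragment = parse_tls_record(record)
        return content_type == TLS_CONTENT_TYPE_HEARTBEAT and bool(check_heartbeat(fragment))
    except ValueError:
        return False
```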

------
dcc1
Ouch some very large sites have some very large holes in them right now!

------
neilwillgettoit
This is how you get sued and/or arrested.

~~~
cheald
Yeah, this crosses the line from "PoC" to "active exploit tool". Folks have
gone to prison for less.

~~~
davis_m
I am literally just parsing the output of the original PoC.

~~~
cheald
I get that, but the purpose of the script is now explicitly "steal user
sessions" rather than "proof-of-concept".

I wouldn't convict you, but if someone used this tool in a breach that was
embarrassing enough to the right person, I don't think a prosecutor would have
a very hard time convincing a judge that you were an evil hacker writing evil
hacker tools.

~~~
davis_m
Do you have the same feelings about the Rapid7 team? What about the guys at
Tenable? Heck, the Offensive Security guys are making an entire Linux distro
that is nothing more than "evil hacker tools". Surely there are countless
crimes committed with their software. Do you believe that all of them are in
the wrong?

I am not an exceptionally gifted programmer. This is a trivial change to the
original PoC to point out an additional attack vector. Pointing out that there
is more to this attack than leaked private keys is very important.

~~~
cheald
The line between whitehat pentester and blackhat cracker is very thin, of
course. They use the same tools and the same techniques; the differentiating
component is intent and target.

The title of your post is "Using Heartbleed PoC for Hijacking User Sessions En
Masse". Not "Your users' sessions are at risk", or "Heartbleed affects more
than private keys". The express intent of the published code is the theft of
user sessions. I know that _you_ probably don't have any intent to do Bad
Things with it, but if I was a prosecutor looking for someone to slap around
with the CFAA, you just threw up a giant neon "SUP BITCHES" sign.

The folks you mentioned all produce tools which are intended and marketed for
use by white-hat security professionals in the pre-emptive exploitation of
their own networks for the purposes of security. Yes, we all know that the Bad
Guys use Metasploit extensively to find and exploit machines, but if Rapid7
were positioning their tool as the premiere solution for pwnz3ring b0x3n, you
don't think they'd be in a legally different situation?

I never said you were wrong. In fact, my exact words were "I wouldn't convict
you" - I really do get why you published this, and I don't think you're some
bad guy cackling to yourself from deep within your evil lair or anything.
However, we know from recent history that things less gray _have_ (unjustly,
IMO) in fact landed people in prison. It's not illegal to own a crowbar or
lockpicking set, but it's illegal to own one with the intent to commit
burglary. Intent matters, and the way you positioned your PoC is problematic
in that its stated intent is "mass hijacking", rather than "demonstration of
an additional security problem". I am not trying to say that there's anything
wrong with the code you've published - there isn't - but that the way you've
presented it is potentially problematic if it were to attract the wrong kind
of attention. That's all.

------
wc-
I'd imagine people have been charged with crimes for much less than what one
could attempt to charge this author with if some scriptkid uses this code and
causes damages.

I respect the author for wanting to be a part of the community contributing
code related to this event but some self-preservation might be in order...

~~~
davis_m
If this were true, the Rapid7 guys would have been in jail long ago. This
doesn't do anything more than the original PoC, but shows another reason for
administrators to update their machines.

