Is a "Reverse Heartbleed" exploit possible to read the client's memory? - gcr

So here's a question about the recently-discovered heartbleed OpenSSL bug.

Let's say I connect to a server with Firefox/Chrome. Could the server read the client's memory and extract cookies/history/sessions for other sites the client visited?

I'm not sure if Firefox or Chrome link against OpenSSL, but that could also be pretty tricky.
======
qu4z-2
As far as I know both Firefox and Chrome link against libnss, not openssl, so
they would not be vulnerable to this bug.

More generally, it's my understanding that either end of a TLS connection can
send a heartbeat request, so clients using openssl would be vulnerable
(assuming they use an affected version, with heartbeat support).

~~~
cyphunk
Chrome:

a recursive search on the libraries linked to in Chrome on OSX shows that the
OSX system wide Address Book uses OpenSSL. Specifically LDAP. Here is the
dependency tree that leads to OpenSSL on OSX Mavericks:

    /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
    /Applications/Google Chrome.app/Contents/Versions/34.0.1788.0/Google Chrome Framework.framework/Google Chrome Framework
    /System/Library/Frameworks/AddressBook.framework/Versions/A/AddressBook
    /System/Library/Frameworks/LDAP.framework/Versions/A/LDAP
    /usr/lib/libssl.0.9.8.dylib

    $ strings /usr/lib/libssl.0.9.8.dylib | egrep '^OpenSSL'
    OpenSSL 0.9.8y 5 Feb 2013

0.9.8 is not affected so Chrome on OSX should be fine. (src:
[https://www.cert.fi/en/reports/2014/vulnerability788210.html](https://www.cert.fi/en/reports/2014/vulnerability788210.html)
-- versions 1.0.1 to 1.0.1f)

Safari:

A similar search of safari shows some inclusion of OpenSSL code in the system
wide Security.framework as a part of libsecurity_apple_csp. It is unlikely the
bug crossed over as the inclusion is limited.

    $ strings /System/Library/Frameworks/Security.framework/Versions/A/Security \
      | grep OpenSSL
    OpenSSL DH Method
    OpenSSL DSA method

Firefox:

On OSX it is using the same security framework as Safari.
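
The two checks walked through in this post, as an added example that is not from the thread: a recursive walk over `otool -L` dependency listings to find the chain that ends in libssl, and a check of the version string that `strings | egrep '^OpenSSL'` reports against the 1.0.1 to 1.0.1f range the cited advisory gives. The otool output is constructed inline to mirror the quoted tree; on a real Mac it would come from running `otool -L` on each binary.

```python
import re

# Paths from the dependency tree quoted in the post above (OS X Mavericks, Chrome 34).
CHROME = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
FRAMEWORK = ("/Applications/Google Chrome.app/Contents/Versions/34.0.1788.0/"
             "Google Chrome Framework.framework/Google Chrome Framework")
ADDRESSBOOK = "/System/Library/Frameworks/AddressBook.framework/Versions/A/AddressBook"
LDAP = "/System/Library/Frameworks/LDAP.framework/Versions/A/LDAP"
LIBSSL, LIBSYSTEM = "/usr/lib/libssl.0.9.8.dylib", "/usr/lib/libSystem.B.dylib"

def _otool(binary, deps):
    """Constructed stand-in for `otool -L` output (a real run would call otool)."""
    rows = "".join(f"\t{d} (compatibility version 1.0.0, current version 1.0.0)\n" for d in deps)
    return f"{binary}:\n{rows}"

OTOOL_L = {  # binary path -> its `otool -L` listing (constructed)
    CHROME: _otool(CHROME, [FRAMEWORK, LIBSYSTEM]),
    FRAMEWORK: _otool(FRAMEWORK, [ADDRESSBOOK, LIBSYSTEM]),
    ADDRESSBOOK: _otool(ADDRESSBOOK, [LDAP]),
    LDAP: _otool(LDAP, [LIBSSL, LIBSYSTEM]),
}

def parse_otool(output):
    """Linked library paths from one `otool -L` listing (first line is the binary itself)."""
    return [line.strip().split(" (compatibility", 1)[0]
            for line in output.splitlines()[1:] if line.startswith("\t")]

def find_ssl_chain(binary, table, seen=None):
    """Depth-first walk of the link tree; returns the chain to the first libssl/libcrypto."""
    seen = set() if seen is None else seen
    if binary in seen:
        return None
    seen.add(binary)
    for lib in parse_otool(table.get(binary, f"{binary}:\n")):
        if re.search(r"/lib(ssl|crypto)\.[\w.]*dylib$", lib):
            return [binary, lib]
        tail = find_ssl_chain(lib, table, seen)
        if tail:
            return [binary] + tail
    return None

def parse_openssl_version(strings_output):
    """Version token from `strings <libssl> | egrep '^OpenSSL'` output, e.g. '0.9.8y'."""
    m = re.search(r"^OpenSSL (\d+\.\d+\.\d+[a-z]*)", strings_output, re.MULTILINE)
    return m.group(1) if m else None

def is_heartbleed_affected(version):
    """True for the range the cited cert.fi advisory names: 1.0.1 through 1.0.1f."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)", version)
    return bool(m) and m.group(1) == "1.0.1" and m.group(2) <= "f"
```

`find_ssl_chain(CHROME, OTOOL_L)` returns the five-entry chain from the Chrome binary down to libssl, and `is_heartbleed_affected("0.9.8y")` is False, matching the post's conclusion.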

~~~
gcr
Thanks for the in-depth analysis! If it's not calling any OpenSSL functions, I
doubt it's vulnerable since then OpenSSL isn't managing the connection so it
couldn't receive any heartbeat effects.
