or Register
  Surreal Forums Surreal Surreal News Archived News v / Heartbleed OpenSSL Vulnerability (Important!)
Heartbleed OpenSSL Vulnerability (Important!)

Wader iWader 2983
of house Surreal
Senior Member
307
  1,695
#11
2014-04-11 08:23:11
(2014-04-10 21:46:46)Bowlinmaster Wrote:  I'm going with that this bug is very over dramatized... but that's just me.

Nope. Srs bizniz.

Basically the exploit allows you to access the memory of a server running Vulnerable versions of OpenSSL (about 2 years of past versions). What makes this bug so prolific is the fact you require no access or elevated permissions to be able to exploit it, where as many other bugs you probably would need at least some form of access to the server.

Whats stored in the memory? All the unencrypted data that OpenSSL is currently running, or infact anything running on the system.

Its known as an under-buffer attack. You'll send the server a string of X bytes, but tell it it is actually Z bytes. When the server responds it will pull data from the memory to fill up the empty bytes. That data it has pulled could be anything in the system memory at the time, doesn't even need to be related to the OpenSSL process. Private SSL Keys, passwords, entropy, anything at all. Its a C thing.
@iWader on Twitter.
2
Website
Wader iWader 2983
of house Surreal
Senior Member
307
  1,695
#12
2014-04-11 10:32:56
XKCD posted an image illustrating heartbleed this morning

[Image: heartbleed_explanation.png]
@iWader on Twitter.
0
Website
Bowlinmaster Bowlinmaster
is not amused
Honoured
304
  1,404
#13
2014-04-11 18:40:19
(2014-04-11 08:23:11)Wader Wrote:  
(2014-04-10 21:46:46)Bowlinmaster Wrote:  I'm going with that this bug is very over dramatized... but that's just me.

Nope. Srs bizniz.

Basically the exploit allows you to access the memory of a server running Vulnerable versions of OpenSSL (about 2 years of past versions). What makes this bug so prolific is the fact you require no access or elevated permissions to be able to exploit it, where as many other bugs you probably would need at least some form of access to the server.

Whats stored in the memory? All the unencrypted data that OpenSSL is currently running, or infact anything running on the system.

Its known as an under-buffer attack. You'll send the server a string of X bytes, but tell it it is actually Z bytes. When the server responds it will pull data from the memory to fill up the empty bytes. That data it has pulled could be anything in the system memory at the time, doesn't even need to be related to the OpenSSL process. Private SSL Keys, passwords, entropy, anything at all. Its a C thing.

Oh I know what it is, I'm just saying it was patched on meaningful servers before anybody could probably exploit. Of course there's no way to tell, that's just what I think.
Is the glass half empty or half full? Neither, the glass is twice as big as it needs to be.
[Image: EW4yt.gif]
0
nP Predator nP Predator
Trainee Surrealian
Rankless (With PM)
1
  23
#14
2014-04-19 19:29:16
Hey if any one is still interested there is a really good expiation of exactly why and how this bug happened.
http://vimeo.com/91425662
0
Website
Bowlinmaster Bowlinmaster
is not amused
Honoured
304
  1,404
#15
2014-04-20 05:29:17
[Image: heartbleed_explanation.png]
Is the glass half empty or half full? Neither, the glass is twice as big as it needs to be.
[Image: EW4yt.gif]
0


Possibly Related Threads…
Thread Author Replies Views Last Post
  Meltdown Vulnerability Maintenance Downfall 0 1,548 2018-01-16 00:52:27
Last Post: Downfall
  Important Notice Downfall 18 14,714 2011-10-06 21:08:54
Last Post: Random Dandy

Forum Jump:


Users browsing this thread: 1 Guest(s)