Surreal Forums
Heartbleed OpenSSL Vulnerability (Important!) - Printable Version



RE: Heartbleed OpenSSL Vulnerability (Important!) - Wader - 2014-04-11

(2014-04-10 21:46:46)Bowlinmaster Wrote:  I'm going with that this bug is very over dramatized... but that's just me.

Nope. Srs bizniz.

Basically the exploit allows you to access the memory of a server running vulnerable versions of OpenSSL (about 2 years of past versions). What makes this bug so prolific is the fact you require no access or elevated permissions to be able to exploit it, whereas for many other bugs you would probably need at least some form of access to the server.

What's stored in the memory? All the unencrypted data that OpenSSL is currently running, or in fact anything running on the system.

It's known as an under-buffer attack. You'll send the server a string of X bytes, but tell it it is actually Z bytes. When the server responds it will pull data from the memory to fill up the empty bytes. That data it has pulled could be anything in the system memory at the time, doesn't even need to be related to the OpenSSL process. Private SSL keys, passwords, entropy, anything at all. It's a C thing.
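
Added example, not part of the original thread or of OpenSSL's code: the length check whose absence the post above describes, with the claimed payload length validated against the bytes actually received. The field layout follows RFC 6520; the function names and the two sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1    /* heartbeat_request type (RFC 6520) */
#define HB_RESPONSE 2
#define HB_HDR      3u   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16u  /* minimum padding required by RFC 6520 */

/* Constructed sample records: 4-byte payload "bird" + 16 bytes of padding. */
const uint8_t HB_HONEST[23] = {HB_REQUEST, 0x00, 0x04, 'b', 'i', 'r', 'd'};
const uint8_t HB_LYING[23]  = {HB_REQUEST, 0x40, 0x00, 'b', 'i', 'r', 'd'}; /* claims 16384 */

/* Payload length the sender claims (big-endian field). */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Unchecked logic trusts the claimed length. Returns how many bytes past the
 * received record a copy of `claimed` bytes would read. Nothing is copied. */
size_t hb_overread_if_unchecked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR) return 0;
    size_t end = HB_HDR + hb_claimed_len(rec);
    return end > rec_len ? end - rec_len : 0;
}

/* Checked handling: respond only if header + claimed payload + minimum padding
 * fits in what was actually received. Returns bytes written, or -1 to discard. */
long hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST) return -1;
    size_t claimed = hb_claimed_len(rec);
    size_t total = HB_HDR + claimed + HB_MIN_PAD;
    if (total > rec_len || total > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);   /* echo the payload */
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD); /* zero padding for the demo; RFC 6520 asks for random */
    return (long)total;
}

int main(void) {
    uint8_t out[64];
    printf("lying record would over-read %zu bytes\n", hb_overread_if_unchecked(HB_LYING, sizeof HB_LYING));
    printf("checked: honest=%ld lying=%ld\n",
           hb_build_response(HB_HONEST, sizeof HB_HONEST, out, sizeof out),
           hb_build_response(HB_LYING, sizeof HB_LYING, out, sizeof out));
    return 0;
}
```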


RE: Heartbleed OpenSSL Vulnerability (Important!) - Wader - 2014-04-11

XKCD posted an image illustrating Heartbleed this morning.

[Image: heartbleed_explanation.png]


RE: Heartbleed OpenSSL Vulnerability (Important!) - Bowlinmaster - 2014-04-11

(2014-04-11 08:23:11)Wader Wrote:  
(2014-04-10 21:46:46)Bowlinmaster Wrote:  I'm going with that this bug is very over dramatized... but that's just me.

Nope. Srs bizniz.

Basically the exploit allows you to access the memory of a server running vulnerable versions of OpenSSL (about 2 years of past versions). What makes this bug so prolific is the fact you require no access or elevated permissions to be able to exploit it, whereas for many other bugs you would probably need at least some form of access to the server.

What's stored in the memory? All the unencrypted data that OpenSSL is currently running, or in fact anything running on the system.

It's known as an under-buffer attack. You'll send the server a string of X bytes, but tell it it is actually Z bytes. When the server responds it will pull data from the memory to fill up the empty bytes. That data it has pulled could be anything in the system memory at the time, doesn't even need to be related to the OpenSSL process. Private SSL keys, passwords, entropy, anything at all. It's a C thing.

Oh I know what it is, I'm just saying it was patched on meaningful servers before anybody could probably exploit. Of course there's no way to tell, that's just what I think.


RE: Heartbleed OpenSSL Vulnerability (Important!) - nP Predator - 2014-04-19

Hey, if anyone is still interested, there is a really good explanation of exactly why and how this bug happened.
http://vimeo.com/91425662


RE: Heartbleed OpenSSL Vulnerability (Important!) - Bowlinmaster - 2014-04-20

[Image: heartbleed_explanation.png]