Heartbleed OpenSSL Vulnerability (Important!)

#11
(2014-04-10 21:46:46) Bowlinmaster Wrote: I'm going with that this bug is very over-dramatized... but that's just me.

Nope. Srs bizniz.

Basically the exploit allows you to access the memory of a server running vulnerable versions of OpenSSL (about 2 years of past versions). What makes this bug so prolific is the fact you require no access or elevated permissions to be able to exploit it, whereas with many other bugs you would probably need at least some form of access to the server.

What's stored in the memory? All the unencrypted data that OpenSSL is currently running, or in fact anything running on the system.

It's known as an under-buffer attack. You'll send the server a string of X bytes, but tell it it is actually Z bytes. When the server responds it will pull data from the memory to fill up the empty bytes. That data it has pulled could be anything in the system memory at the time, doesn't even need to be related to the OpenSSL process. Private SSL keys, passwords, entropy, anything at all. It's a C thing.
@iWader on Twitter.
2
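
The length mismatch described in the post above, as an added C example that is not part of the original thread and is not OpenSSL's own code: a simplified heartbeat handler using the RFC 6520 message layout, first without and then with the bounds check on the claimed payload length. The function names, the sample buffer and its contents are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST 1u
#define HB_RESPONSE 2u
#define HB_HDR 3u
#define HB_PAD 16u

/* Constructed stand-in for memory: a request carrying 3 payload bytes but
 * claiming 25 (0x0019), its padding, then unrelated bytes stored next to it. */
#define HB_SAMPLE_RECORD_LEN (HB_HDR + 3u + HB_PAD)
static const uint8_t hb_sample_memory[] =
    "\x01\x00\x19" "abc" "PPPPPPPPPPPPPPPP" "SECRET";

/* Pre-fix behaviour: echo as many bytes as the request claims to carry.
 * Returns the number of payload bytes copied (response padding omitted). */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed); /* can run past rec_len */
    return claimed;
}

/* Fixed behaviour: header + claimed payload + padding must fit in the record. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PAD) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_PAD > rec_len) return 0; /* discard silently */
    return hb_reply_unchecked(rec, rec_len, out, out_cap);
}

int main(void)
{
    uint8_t out[64];
    size_t n = hb_reply_unchecked(hb_sample_memory, HB_SAMPLE_RECORD_LEN, out, sizeof out);
    printf("unchecked echoed %zu bytes: %.*s\n", n, (int)n, (const char *)out + HB_HDR);
    n = hb_reply_checked(hb_sample_memory, HB_SAMPLE_RECORD_LEN, out, sizeof out);
    printf("checked echoed %zu bytes\n", n);
    return 0;
}
```

In this sketch the over-read stays inside one constructed array so the program is well defined; the checked handler drops the same request because 3 + 25 + 16 exceeds the 22 bytes actually received.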


Messages In This Thread
RE: Heartbleed OpenSSL Vulnerability (Important!) - by Wader - 2014-04-11 08:23:11
