Thursday, September 25

ShellShock Basics - Updated Oct 1st

Update 2 - October 1st: As expected, there is still a lot going on.

While the mainstream media tries to make sense of the hype surrounding the latest security vulnerability, IT support staff are left to work out what it actually means for them and what, if anything, needs to be done.

Background: Bash (aka the Bourne-again Shell) is the usual interactive shell on most Unix-like operating systems.  It ships by default on many popular platforms, including Ubuntu and most other Linux distributions, and on OS X.

The bug:  Bash lets a shell function be exported to child shells through an environment variable whose value begins with "() {".  When a new bash starts it parses every such variable as a function definition; vulnerable versions did not stop at the end of the function body and went on to execute whatever text followed it.
Exploitation:  An attacker who controls the value of any environment variable that reaches bash appends a command after the function body.  That command runs with the privileges of the process that started bash, and it runs while bash is importing its environment, before the intended script or command even starts.
Am I vulnerable:  Any software that passes untrusted, unauthenticated input into environment variables read by bash should be examined.  The classic case is CGI: the web server copies every request header into the script's environment (User-Agent becomes HTTP_USER_AGENT, for example), so a CGI script written in bash, or one that invokes bash, is exposed without parsing a single header itself.  It is prudent to review all of your public interfaces for potential exposure.  Use the CERT list to see if your vendors are listed and get a link to the specific advisory.
  • CERT List of Vendors Affected - http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=252743&SearchOrder=4
  • Nmap tests
  • Masscan tests
Is it patched yet:  Numerous vendors are affected.  Many of the major vendors were informed about the bug before public release so they could prepare patches; some have patches that work, others do not.  Basic patches have been released, but because some of them do not fully close the hole, re-run the test after patching rather than assuming a package update was enough.
What else should I do:  Monitor incoming requests, and review past requests if you have the logs or captures, to see whether anyone is attempting to exploit you.  Look for the signatures released by Sourcefire, Bro IDS and other IDS vendors.  If you can look at past traffic captures you may be able to determine whether you were targeted before the bug's disclosure.
Monitor the situation closely; it is likely that details of the specific applications and software affected will emerge, along with other mitigations that can be taken until robust patches are released.
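The three practical points of the checklist above, as an added example (this is not code from the original post): why a CGI script is exposed even when it never parses a header, the local test for a vulnerable bash, and a scan of web-server log lines for exploit attempts.  The access-log lines are constructed for the example and the header-to-environment mapping follows the CGI specification.

```python
"""Added example, not from the original post. Three things the post's checklist
describes, as code: why a CGI script is exposed (the web server copies every
request header into the CGI environment as HTTP_<NAME>, so a header reaches bash
without the script parsing anything), the local test for a vulnerable bash, and a
scan of access-log lines for exploit attempts. The log lines are constructed."""
import re
import subprocess

# Every ShellShock payload starts with the function-definition marker "() {";
# the command after the closing brace is what a vulnerable bash executes.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*?\};?\s*(?P<cmd>[^"]*)')


def cgi_env_name(header_name):
    """CGI (RFC 3875) header-to-environment mapping: User-Agent -> HTTP_USER_AGENT."""
    return 'HTTP_' + header_name.upper().replace('-', '_')


def local_bash_vulnerable():
    """Classic test: export a function definition with an extra command appended.
    True if the appended command ran, False if bash ignored it, None if there is
    no bash on this machine to test."""
    env = {'PATH': '/usr/local/bin:/usr/bin:/bin', 'x': '() { :;}; echo vulnerable'}
    try:
        proc = subprocess.run(['bash', '-c', 'echo test'], env=env,
                              capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.SubprocessError):
        return None
    return 'vulnerable' in proc.stdout


# Constructed Apache combined-format lines (not real traffic): two attempts that
# put the payload in User-Agent and Referer, and one ordinary request.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.9"',
    '198.51.100.22 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 77 "() { :; }; echo; /bin/cat /etc/passwd" "curl/7.30.0"',
]


def find_shellshock_attempts(lines):
    """(line_number, injected_command) for every line carrying the marker."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SHELLSHOCK_RE.search(line)
        if m:
            hits.append((n, m.group('cmd').strip()))
    return hits


if __name__ == '__main__':
    print('User-Agent reaches a bash CGI script as', cgi_env_name('User-Agent'))
    state = local_bash_vulnerable()
    print('local bash:', {True: 'VULNERABLE', False: 'patched', None: 'no bash found'}[state])
    for n, cmd in find_shellshock_attempts(SAMPLE_ACCESS_LOG):
        print('line %d: attacker tried to run: %s' % (n, cmd))
```

Run it on a real access log by replacing SAMPLE_ACCESS_LOG with the file's lines; the regex deliberately tolerates whitespace variations such as "() { :; }" because attackers vary the function body while the "() {" marker has to stay.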


Thursday, May 1

Testing the CVE-2014-0160 HeartBleed Attack - Part I

This is part one of a multi-part series associated with the HeartBleed vulnerability.  This part deals with getting your environment setup with a vulnerable SSL webserver (using Kali Linux), and the client software used to test for and exploit it.

Setup the vulnerable web server.

Kali Linux already has apache installed, so simply enable the SSL mod, create a directory to hold the key material, generate the private key and SSL cert, and restart the server:

sudo a2enmod ssl
sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/webserver.key -out /etc/apache2/ssl/webserver.crt

Then you'll need to edit the SSL site configuration so it listens on your server's IP address (not the one shown below).  On Debian-based systems such as Kali the site also has to be enabled with a2ensite default-ssl before Apache will load it.

vi /etc/apache2/sites-available/default-ssl
Add the information for your server.

ServerName 192.168.4.134:443

and change the following lines to use the newly generated key material:

SSLCertificateFile /etc/apache2/ssl/webserver.crt
SSLCertificateKeyFile /etc/apache2/ssl/webserver.key

Then restart the apache server

sudo service apache2 restart

And test the server using a web browser:


Your browser will complain about the self-signed cert; that is expected.

Install the HeartBleed test software:

To test for / exploit the vulnerability I'm initially using the python test code here: https://gist.github.com/takeshixx/10107280

git clone https://gist.github.com/takeshixx/10107280
cd 10107280
python hb-test.py 192.168.4.134|more



Great: I can confirm that I have extracted data from the vulnerable OpenSSL library.  But the returned data doesn't make much sense on its own.

Many people have been kind enough to release tools that take the exploitation a step further.  Robert David Graham (@erratarob) released the heartleech tool in response to the Cloudflare challenge.  This tool provides a number of extra features, including:

  • Automated extraction of mass amounts of memory
  • Automated retrieval of private keys
  • Limited IDS evasion (most signature based IDS products)
  • STARTTLS support (for mail-server protocols)

Building the binary on OSX 10.9 is fairly easy but you need to download and compile the OpenSSL library as documented in Robert's instructions.  Once built simply run it against the site in question;


Extract and Use the Private Key:

Good, it reports it as vulnerable.  Now let's try to extract the private key.


Very quickly it came back with the key material, which should match the webserver.key generated earlier; comparing the RSA modulus of the extracted key with the modulus in the server's certificate is the quickest way to confirm that.  With that private key I could impersonate the server: the certificate it presents is public, and the key is the only thing that proves possession of it.


Now, with the private key extracted, I can sign a message with it and verify the signature using the public key in the certificate that I got from the web server.  A valid signature proves the extracted key is the one behind the server's certificate.


Very good work by @erratarob on the speed of getting a tool like this out publicly.  I should have a new post soon with results of testing the IDS evasion functionality.





Monday, April 14

Edmonton HeartBleed Information Session - April 16th, Royal Glenora Club

Since the latest major OpenSSL vulnerability was publicly disclosed, many people and organizations are scrambling to understand, respond and prepare themselves for the future. 
Twitter, vendor support channels and media outlets have been quick to cover different angles of the issue, but an overwhelming amount of information has been released.

With all this information, it can be difficult to understand what's relevant.  To help clarify, we are holding a special ISACA-sponsored 2-hour session on Wednesday, April 16th, starting at 12:00pm at the Royal Glenora Club.

Benoit and I will attempt to explain as much of the issue as we can from a technical and non-technical perspective, discussing the vulnerability, its scope in relation to our personal and professional lives, and related concerns such as our trust in the public PKI system.  The second hour will be an interactive discussion about how others are dealing with the problem, questions about related topics, and peer discussion.

We encourage you to attend and invite others that you think might benefit from this session. Space is limited to approximately 50 people on a first-come first-serve basis.  Please have lunch before you arrive as no food will be served.

We'll make our presentation available after the session, and as always you are welcome to send questions to me directly.

See you there,

Mark