The Heartbleed bug
- This application demonstrates the Heartbleed bug (website) in the OpenSSL library, which was reported in April 2014.
- For demonstration purposes, we have set up a server vulnerable to this bug, against which you will simulate a Heartbleed attack.
- For comparison purposes, we also provide a server that has been patched to fix this bug.
- Briefly, a missing validation step in the OpenSSL library could allow a hacker to gain access to sensitive information on a server.
- As part of the handshake protocol between a client and server, a "heartbeat" message is sent from the client, which is then relayed back from the server.
- The client is also responsible for sending the length of its heartbeat message, which the server uses to determine how many bytes from memory to send back to the client.
- A spurious length value that isn't validated against the actual client message could cause the server to return blocks of memory adjacent to where the client message is stored.
- In this demonstration, you will be provided with a web terminal emulation container that plays the role of the hacker.
- A Python script is also provided that simulates the attack by sending a heartbeat message to the buggy server with a bogus length value.
- Running the script should display the message returned from the server.
- Since this exploit depends on retrieving useful information from adjacent memory blocks by chance, you should run the script several times to see if you can get hold of any additional data from the server's memory.
- You should repeat the experiment by using the Python script to attempt a Heartbleed attack against the patched server, and compare the results.
- Note: You will have around 20 minutes to test this application.
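
The missing length check described above, and the validation that closes it, shown side by side in a small simulation. This is an added example, not OpenSSL's code or the demo's Python script; the buffer layout, the names `hb_reply` and `demo`, and the "secret" string are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3    /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING  16   /* minimum padding required by RFC 6520 */
#define MEM_SIZE    96   /* constructed stand-in for server memory */
#define SECRET_OFF  32   /* unrelated data stored after the record */
static const char SECRET[] = "CONSTRUCTED-SECRET";

/* Build a heartbeat reply from the record at mem[0..rec_len).
 * validate=0 models the unpatched logic, validate=1 the patched one.
 * Returns the reply length, or 0 if the request is discarded. */
size_t hb_reply(const uint8_t *mem, size_t rec_len, int validate,
                uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || mem[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    /* The fix: the claimed payload must fit in the bytes actually received. */
    if (validate && HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    /* Simulation guard only: keep the copy inside the two demo buffers. */
    if (HB_HEADER + claimed > MEM_SIZE || HB_HEADER + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = mem[1]; out[2] = mem[2];
    memcpy(out + HB_HEADER, mem + HB_HEADER, claimed); /* over-reads if length is bogus */
    return HB_HEADER + claimed;
}

/* Receive a 4-byte payload "ping" whose header claims `claimed` bytes. */
size_t demo(int validate, uint16_t claimed, uint8_t out[MEM_SIZE])
{
    uint8_t mem[MEM_SIZE] = {0};
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + HB_HEADER, "ping", 4);                /* padding stays zero */
    memcpy(mem + SECRET_OFF, SECRET, sizeof SECRET - 1);
    return hb_reply(mem, HB_HEADER + 4 + HB_PADDING, validate, out, MEM_SIZE);
}

int main(void)
{
    uint8_t out[MEM_SIZE];
    printf("honest length, unpatched: %zu bytes\n", demo(0, 4, out));
    printf("bogus length,  patched:   %zu bytes\n", demo(1, 64, out));
    printf("bogus length,  unpatched: %zu bytes\n", demo(0, 64, out));
    return 0;
}
```

With the check enabled, the request carrying the bogus length is dropped without a reply, which is the difference to look for when comparing the patched server against the vulnerable one.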