Use the Heartbleed vulnerability to hijack user logon sessions

Source: Internet
Author: User

The Heartbleed problem is actually worse than it can be seen now (it seems to be broken now ). Heartbleed (CVE-2014-0160) is an OpenSSL vulnerability that allows any remote user to dump some of the server's memory. Yes, it's really bad. It is worth noting that a skilled user can use it to dump the RSA private key used by the server to communicate with the customer through a process. The level of knowledge/skills required to initiate such attacks is not very high, but may exceed the average level of junior users of the script. So why is Heartbleed worse than you think? This is simple: currently, the script of conceptual evidence is available to allow any client to perform session hijacking attacks on User Logon anywhere in the world. The conceptual proof that was most widely shared this morning was such a simple Python script: https://gist.github.com/takeshixx/10107280. With this script, anyone in the world can dump part of the memory from a vulnerable server. Let's take a look at the output of this tool (for vulnerable servers running JIRA's ticket tracking system. To improve readability, the hexadecimal output has been deleted.

[matt@laptop ~]# python heartbleed.py jira.XXXXXXXXXXX.com Connecting... Sending Client Hello... Waiting for Server Hello... ... received message: type = 22, ver = 0302, length = 66 ... received message: type = 22, ver = 0302, length = 3239 ... received message: type = 22, ver = 0302, length = 331 ... received message: type = 22, ver = 0302, length = 4 Sending heartbeat request... ... received message: type = 24, ver = 0302, length = 16384 Received heartbeat response:.@..GET /browse/ en_US-cubysj-198 8229788/6160/11/(lots of garbage)..............Ac cept-Encoding: g zip,deflate,sdch ..Accept-Languag e: en-US,en;q=0. 8..Cookie: atlas sian.xsrf.token= BWEK-0C0G-BSN7-V OZ1|3d6d84686dc0 f214d0df1779cbe9 4db6047b0ae5|lou t; JSESSIONID=33 F4094F68826284D1 8AA6D7ED1D554E.. ..E.$3Z.l8.M..e5 ..6D7ED1D554E... ......*..?.e.b..WARNING: server returned more data than it should - server is vulnerable!

 

This must be a dump of the memory generated by the last GET request. Have you noticed the above JSESSIONID Cookie? This is the method that JIRA uses to track your HTTP session to determine whether you have logged on. If this system requires verification (like JIRA installation), I can insert this cookie into my browser and become a legal user of this JIRA installation program. Insert the session ID cookie into the browser ). after saving the modified cookie, refresh the browser. reload and install JIRA. note: We are now logged on to the installer. as shown above, once we get a valid session ID cookie, we can access JIRA installation as an internal employee. the only way to detect this type of attack is to check the source address of each request communication. This Heartbleed vulnerability is terrible, and almost nothing is done to prevent remote attackers from executing a session hijacking attack that allows bypass authentication. Patch your system immediately.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.