The day XP formally reached the end of its support was also the day a major hole was disclosed in OpenSSL.
We spent the whole afternoon in a tense state of emergency. This vulnerability affects 30–50% of sites that use HTTPS, including ones people visit regularly: Alipay, WeChat, Taobao, online banking, social networking, portals and other well-known sites.
Any site accessed over HTTPS may be at risk of having its data sniffed. Around 5 o'clock in the afternoon ZoomEye completed a scan for this: of 1,601,250 port-443 services nationwide, 33,303 are affected by this OpenSSL vulnerability! It is not known how many HTTPS users around the world are threatened.
What is OpenSSL?
OpenSSL implements a security protocol that provides security and data integrity for network communications. It encompasses the main cryptographic algorithms, commonly used key and certificate encapsulation and management functions, and the SSL protocol, and it provides a rich set of applications for testing and other purposes.
OpenSSL Vulnerability
OpenSSL is an open source SSL implementation, used to provide strong encryption for network communications, and it is now widely used in all kinds of network applications. There is a bug in OpenSSL's heartbeat module (Heartbleed): an attacker constructs a special heartbeat packet that supplies less data than it claims to carry, so that memcpy copies out the data that follows the SSLv3 record. This could allow an attacker to remotely read 64K of data from the memory of a server running a vulnerable version of OpenSSL.
Versions with this vulnerability
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is not vulnerable
OpenSSL 1.0.0 branch is not vulnerable
OpenSSL 0.9.8 branch is not vulnerable
Simply put, hackers can attack an HTTPS website that has this vulnerability, reading 64K of data from the server's memory each time and repeating the request to keep collecting more. That memory may contain program source code, users' raw HTTP requests, user cookies, or even plaintext account passwords.
After the vulnerability broke out,
On the Party A side, company operations and security teams began emergency alerting, patching and upgrading. Party B was busy helping to test how many sites on the Internet were affected and releasing detection scripts. Ordinary netizens knew nothing and could only watch innocently as Weibo filled up with posts about the OpenSSL hole! Hackers were getting started too! It was indeed a sleepless night: too many websites were affected, and many users were still visiting sites that were in the tiger's mouth.
People who understand the technology began studying this vulnerability and writing their own detection scripts and sniffing programs, and novice hackers who do not understand it followed along and played with it too. Ultimately, the victims are still the people who know nothing about it.
How much does this vulnerability affect?
We tested the vulnerability as soon as we received it. We confirmed that https://alipay.com has this vulnerability and started detection.
Then we found that the Yahoo portal home page, WeChat official accounts, the WeChat web version, YY Voice, Taobao, online banking, Momo, social networking and portal sites have this vulnerability.
The above is part of the data sniffed from Momo; the entire packet contains detailed latitude and longitude, the Momo UID, the version, and the mobile phone model.
Also, on another social networking site I obtained users' login accounts and passwords and even security questions and answers. The passwords were transmitted in plaintext, so by attacking through this vulnerability I successfully logged in to hundreds of accounts; of course, I did nothing with them, it was only for testing.
Requests for changing passwords, sending messages, logging in and many other operations are all exposed in the packets; I will not enumerate more affected websites here. In fact, this vulnerability is said to have been discovered as early as 2012, but it was only yesterday that it was assigned the CVE number CVE-2014-0160, and it officially broke on the 8th. Websites mostly use HTTPS because the data needs to be encrypted to prevent sniffing and other attacks; once this hole broke out, the door was thrown wide open, leaving many sites in a state of being eavesdropped on.
The PoC for this vulnerability has already been published, so many white hats on the WooYun vulnerability platform began testing a wide range of sites to rack up points, and the scene was quite spectacular.
Therefore, this vulnerability is not something users can secure on their own: as long as a site uses a vulnerable version of OpenSSL, the account and password of a user logging in to that site may be monitored by hackers in real time. Service providers should upgrade OpenSSL as soon as possible.
What is gratifying is the speed of emergency response to security problems at large vendors such as Tencent, NetEase and Taobao. Many of the sites that had the OpenSSL problem have already been fixed, and I believe the remaining ones will be fixed quickly through the efforts of white hats.
As of 23:00 on the 8th, l said to me: data from a number of large websites is still constantly being sniffed and recorded.