EvilZone
vezzy, April 08, 2014, 12:47:58 AM
-
http://heartbleed.com/
tl;dr TLS basically hasn't been working for the past 2 years or so. Upgrade your distribution packages or recompile with -DOPENSSL_NO_HEARTBEATS. If you're a webmaster, it is imperative that all certs and keys be revoked and regenerated. Note that most of the web is vulnerable, so it'll take a while for most infrastructure to upgrade, assuming people even bother. Consider changing all passwords once you're sure sites have upgraded to 1.0.1g, if you're that paranoid.
This is all a miserable spectacle.
-
I've completely recompiled Tor and openssl tonight.. fuck. On both my home and remote box.
I also will upload a clean 64bit .deb for those wishing to fix their shit quickly.
Edit:
openssl-1.0.1g-securityfix.zip:
http://upload.evilzone.org/download.php?id=9365161&type=zip
https://www.virustotal.com/en/file/0c39147d9b5efb486abbdbeb1ee685f65d53b4a4ca302d925295689ac40cafe0/analysis/1396912597/
And just openssl_1.0.1g-1_amd64.deb (amd64 systems only):
https://www.virustotal.com/en/file/1124f4af5bf5546e2c91d1b0cc2a6a8b38a3db124b9c516823936bb9312fbf20/analysis/1396911829/
-
Well this is an "interesting" turn of events.
-
Debian and Ubuntu already pushed upgraded packages to upstream just a couple of hours ago. Other distros should follow next.
-
Holy cows
-
Can't say I'm too thrilled about this vulnerability... anyone know if big companies like Google, etc. use OpenSSL?
-
They do, that's the point.
Think embedded devices, phones, webservers, VPN... we are talking massive worldwide impact.
-
Yes but is OpenSSL the only service to supply SSL/TLS encryption? Anyone can generate and install that, and could purposely use an infected version to make a phisher, etc. So Amazon and all of the big corporations use OpenSSL or a proprietary closed source version that doesn't have the heartbreak vulnerability...
-
For debian users:
fixed 743883 + 1.0.1-g
fixed 743883 + 1.0.1e-2+deb7u5
Evilzone is Up To Date :D
-
Yes but is OpenSSL the only service to supply SSL/TLS encryption? Anyone can generate and install that, and could purposely use an infected version to make a phisher, etc. So Amazon and all of the big corporations use OpenSSL or a proprietary closed source version that doesn't have the heartbreak vulnerability...
Pretty much the entire globe uses OpenSSL. After that it's GnuTLS, which is primarily used only by the GNOME Project, and most notably CUPS, but that's about it.
Apple rolls their own, I believe, though I'm not sure. It might simply be an Obj-C wrapper around OpenSSL.
Funny thing is all three of these SSL implementations have had critical bugs all within this year.
-
Pretty much the entire globe uses OpenSSL. After that it's GnuTLS, which is primarily used only by the GNOME Project, and most notably CUPS, but that's about it.
Apple rolls their own, I believe, though I'm not sure. It might simply be an Obj-C wrapper around OpenSSL.
Funny thing is all three of these SSL implementations have had critical bugs all within this year.
Yeah, funny how SSL/TLS is slowly losing its status as uncrackable, even though these are all implementation issues thus far.
But apart from CRIME, which was not so big, this is the first real server side vuln, massive impact.
I have been doing some tests myself and found major gov websites to still be vuln as we speak.
Parties like google amongst other players seem to have patched already.
-
I wonder how something bleeding edge [really no pun intended] like Arch would be? It is updated instantly, and no need to wait 6 months or a year for releases.
-
I wonder how something bleeding edge [really no pun intended] like Arch would be? It is updated instantly, and no need to wait 6 months or a year for releases.
Most distros pushed it or are pushing it as we speak.
Embedded devices and the like, however...
Good thing is that old servers are not vuln, so if it's old enough it's okay.
-
Was just wondering if I need to update our Cisco Firewalls we use for SSL VPNs too. It seems I am pretty lucky :)
http://security.stackexchange.com/questions/55085/heartbleed-and-routers-asas-other
-
Hmm, did anyone else think it might be NSA implanted bug?
-
We can't really tell. The bug was a missing bounds check, so it could very easily be written off as incompetence. Memory-unsafe languages like C are notoriously hard to get completely right, anyway.
And yeah, all distros are pushing package upgrades. Security bugs always warrant it, anyway.
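The missing bounds check mentioned in the post above, as an added illustration that is not part of the thread and is not OpenSSL's own code: a simplified heartbeat handler (RFC 6520 layout: type, 16-bit payload length, payload, at least 16 bytes of padding) with and without the length check, run over a constructed buffer. All function names, the buffer layout and the marker string are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_RESPONSE 2
#define HB_PADDING  16                        /* RFC 6520 minimum padding */
#define REC_LEN     (1 + 2 + 4 + HB_PADDING)  /* bytes that really arrived */
typedef size_t (*hb_fn)(const uint8_t *, size_t, uint8_t *);
static size_t echo(const uint8_t *rec, size_t claimed, uint8_t *out)
{
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);        /* echo the payload back */
    return 3 + claimed;
}

/* Pre-fix behaviour: the length field inside the message is trusted. */
size_t hb_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                            /* never consulted: the bug */
    return echo(rec, ((size_t)rec[1] << 8) | rec[2], out);
}

/* With the bounds check: drop messages whose claimed payload cannot fit. */
size_t hb_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0;
    return echo(rec, claimed, out);
}

/* Constructed memory: 23-byte record, then unrelated data. claimed <= 125. Returns 1 on leak. */
int reply_leaks(hb_fn handle, uint16_t claimed, size_t *reply_len)
{
    static const char marker[] = "ADJACENT-PROCESS-DATA";  /* constructed */
    uint8_t mem[128] = {0}, out[128] = {0};
    mem[0] = 1; mem[1] = (uint8_t)(claimed >> 8); mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + REC_LEN, marker, sizeof marker - 1);
    *reply_len = handle(mem, REC_LEN, out);
    for (size_t i = 0; i + sizeof marker - 1 <= *reply_len; i++)
        if (memcmp(out + i, marker, sizeof marker - 1) == 0) return 1;
    return 0;
}
int main(void)
{
    size_t n;
    printf("unchecked leaks: %d\n", reply_leaks(hb_unchecked, 60, &n));
    printf("checked leaks:   %d\n", reply_leaks(hb_checked, 60, &n));
}
```

The over-read here stays inside one 128-byte array, so the demonstration is well-defined C; in a real process the same copy runs into whatever the allocator placed next to the record.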
-
Dude that was massive, I guess I better change my 6 char* password to something longer. Good thing I didn't waste your time at cracking it with some other serious technique.
Seriously, it would be wise if you guys change your passwords cos this has exposed a lot of us.
-
Technical writeup: http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
-
Dude that was massive, I guess I better change my 6 char* password to something longer. Good thing I didn't waste your time at cracking it with some other serious technique.
Seriously, it would be wise if you guys change your passwords cos this has exposed a lot of us.
Well some of us use different passwords and usernames on a barrage of different sites
-
For those of you Arch users they've pushed out the fixed openssl.
-
Metasploit Module for HeartBleed bug
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
-
Metasploit Module for HeartBleed bug
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
I was waiting for that :)
Couldn't find it this morning, those guys are fast.
<3 seashells.
-
Aaaand here is the nmap NSE script, which makes it even easier :)
http://seclists.org/nmap-dev/2014/q2/att-27/ssl-heartbleed.nse
-
For those of you Arch users they've pushed out the fixed openssl.
Noticed and updated immediately.
-
oef..pretty nasty bug indeed..
took 5 sec. to get a sessionid from a site and to log in.
-
http://imgs.xkcd.com/comics/heartbleed_explanation.png
-
@proxx, saw it on fb, loved it x)
I would like to point out that, unless you have javascript disabled, your Evilzone passwords are sent hashed from your browser to our servers. That only makes them secret tho, not unusable. But ofc sessions could have been stolen, tho they are less permanent.
-
OpenSSL Heartbleed bug http://9gag.com/gag/a756d3z
Posted on le gag that is 9
-
I fucking hate the internet and everything if this is true: http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
-
aaand something interesting here as well
http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed
They put up an open challenge to exploit and get the private keys off a vulnerable server.
-
This is a website for testing hostnames against heartbleed.
http://filippo.io/Heartbleed/
I tested EZ?
http://s12.postimg.org/keq3xjvbx/image.jpg