The Heartbleed vulnerability (registered as CVE-2014-0160) is a security bug present in older versions of the OpenSSL cryptographic library. OpenSSL is a cryptographic toolkit used to implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The Heartbleed bug in OpenSSL was discovered in 2012 and publicly disclosed in 2014. This article discusses the steps to exploit the Heartbleed vulnerability.
Around half a million web servers, claimed to be secure and trusted by a certificate authority, were believed to be compromised because of this vulnerability. The bug allowed attackers to access sensitive information held on web servers even though the servers used a TLS-secured communication link, because the vulnerability was not in TLS itself but in its OpenSSL implementation.
How it works?
To understand how the Heartbleed vulnerability works, we first need to understand one part of how SSL/TLS works. SSL/TLS has a feature called ‘Heartbeat’: a request message consisting of a payload along with the length of that payload, given as a 16-bit integer. The Heartbeat request lets the two communicating computers confirm that they are still connected even if the user is not uploading or downloading anything at that time.
Now let’s say a client sends a Heartbeat request to the server saying “send me the four-letter word ‘bird’”. The server receives this message in encrypted form and acknowledges the request by sending back the exact same piece of data, i.e. ‘bird’, again encrypted. The Heartbeat request includes information about its own length. In the malicious scenario the client sends a request saying “send me the word ‘bird’, which consists of 500 letters”. The server sizes its reply on the reported length rather than the actual length of the message, so it sends back the word plus whatever else is present in its memory next to it. The attacker can perform this attack many times to extract useful information, including login credentials.
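The length check that closes this hole, as an added example (not code from this article or from OpenSSL). The function names and the sample record are hypothetical; the layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_HEADER  3    /* 1-byte type + 2-byte payload_length */
#define HB_PADDING 16   /* minimum padding required by RFC 6520 */

/* Bytes past the received record that an echo trusting payload_length would copy. */
size_t hb_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t present = rec_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Hardened parse: payload length on success, -1 when the message must be discarded. */
long hb_parse(const uint8_t *rec, size_t rec_len, const uint8_t **payload) {
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return -1;  /* length field lies */
    *payload = rec + HB_HEADER;
    return (long)claimed;
}

/* Constructed sample: a request carrying "bird" with an arbitrary claimed length. */
static size_t hb_sample(uint8_t *rec, uint16_t claimed) {
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memcpy(rec + HB_HEADER, "bird", 4);
    memset(rec + HB_HEADER + 4, 0, HB_PADDING);
    return HB_HEADER + 4 + HB_PADDING;
}

long demo_parse(uint16_t claimed) {
    uint8_t rec[HB_HEADER + 4 + HB_PADDING];
    const uint8_t *payload = NULL;
    return hb_parse(rec, hb_sample(rec, claimed), &payload);
}
size_t demo_overread(uint16_t claimed) {
    uint8_t rec[HB_HEADER + 4 + HB_PADDING];
    return hb_overread(rec, hb_sample(rec, claimed));
}

int main(void) {
    printf("claimed 4:   parse=%ld overread=%zu\n", demo_parse(4), demo_overread(4));
    printf("claimed 500: parse=%ld overread=%zu\n", demo_parse(500), demo_overread(500));
    return 0;
}
```

The honest request is accepted and echoed; the request claiming 500 bytes is dropped, where an implementation without the check would have copied 480 bytes from beyond the record into its reply.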
Heartbleed Exploit Demo
In this demo I will demonstrate a simple exploit of how an attacker can compromise the server by using Kali Linux.
Step01: Install Metasploit to use the latest auxiliary module for Heartbleed
#apt install metasploit-framework
Be patient, as it will take some time. I have already installed the framework here. After the installation is completed you will be back at the Kali prompt.
Step02: Start the Metasploit console
Step03: Search for the Heartbleed module using the built-in search feature of the Metasploit framework, and select the first auxiliary module, which I highlighted
Step04: Load the Heartbleed module by the command
Step05: After loading the auxiliary module, open the info page to reveal the options for setting the target
Step06: We need to set the parameter RHOSTS to the target website which is to be attacked
#set RHOSTS 18.104.22.168
Step07: To get verbose output and see what happens when I attack the target, enable verbose mode
#set VERBOSE true
Step08: Finally, attack the target by typing the command:
The target system has successfully leaked some random information. An attacker can repeat this procedure again and again to extract useful information. Because he has no control over the memory location and cannot choose the desired content, different data may be extracted every time the process is repeated.
There are many tools that will show whether a website is still vulnerable to the Heartbleed attack. In our case we have checked for the vulnerability using the Nmap tool.
Simply type #nmap -p 443 --script ssl-heartbleed [Target’s IP]
It shows that the target system is using an old version of OpenSSL and has a vulnerability that can be exploited.
Heartbleed is still present on many web servers which have not been upgraded to a patched version of OpenSSL. The way to fix this vulnerability is to upgrade to the latest version of OpenSSL. The affected versions of OpenSSL are from 1.0.1 to 1.0.1f. Try to avoid using these versions.