TryHackMe: Heartbleed

Background Information:

Introduction to Heartbleed and SSL/TLS

Heartbleed is a bug in OpenSSL's implementation of the TLS heartbeat extension. A single malformed heartbeat request makes a vulnerable server hand back up to 64 KB of its own process memory, and that memory can contain:

  • the server's private key
  • confidential data such as usernames, passwords, session cookies and other personal information

Analysing the Bug

The implementation error is in OpenSSL's handling of the TLS heartbeat extension, a keep-alive mechanism that lets either end confirm the peer is still there even when no application data is flowing. This matters because if idle connections were torn down and re-established often, repeating the TLS handshake each time would add latency across the internet and make services feel slow. A heartbeat request carries a payload of arbitrary bytes together with a 16-bit field stating how long that payload is, and the receiver must echo exactly that payload back in a heartbeat response. When the server receives a request from a client, this is what the vulnerable code does:

  • The server sets a pointer (a memory location) to the start of the heartbeat record it just received
  • It reads the two-byte length field from the client's message into a variable called payload
  • That value is never compared with the length of the record that actually arrived
  • The server allocates a response buffer of 1 + 2 + payload + padding bytes (at most 1 + 2 + 65535 + 16, since the length field is 16 bits and the padding is 16 bytes)
  • It sets a second pointer (bp) into that buffer and writes the response type and the length field
  • It then copies payload bytes, starting at the client's payload, to bp; if payload is larger than what the client really sent, the copy keeps reading past the end of the record into whatever else happens to sit next to it in the server's heap
  • The server sends the contents of the bp buffer back to the client, neighbouring memory included

Remediation

To ensure that arbitrary server memory isn't copied into the response, the server has to validate the heartbeat message against the record it actually received before copying anything:

  • Discard the record if it is too short to hold a heartbeat message at all (the type byte, the two length bytes and the minimum 16 bytes of padding), instead of trusting an empty or truncated message
  • Discard the record if the payload length it claims, plus header and padding, exceeds the number of bytes that were actually received

Both failures are dropped silently rather than answered. The fix shipped in OpenSSL 1.0.1g (1.0.1 through 1.0.1f are affected). Patching alone is not enough: because the bug leaves no trace in logs, anything that could have been in memory while the server was vulnerable, private keys, session cookies and credentials, should be treated as compromised and rotated after the upgrade.
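The message format described under Analysing the Bug, the seven steps the vulnerable code takes, and the two checks listed above, as one added example in C. This is not code from the TryHackMe room or from OpenSSL; it follows the structure of OpenSSL 1.0.1's tls1_process_heartbeat but simplifies it. The "heap", the secret string placed next to the received record, and the function names (build_heartbeat_request, vulnerable_heartbeat, patched_heartbeat, run_heartbeat, response_leaks_secret) are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_RESP  (1 + 2 + 65535 + HB_PADDING)

/* Constructed stand-in for the server's heap: the received record goes at the
 * start and a (hypothetical) secret right after it. In real OpenSSL the
 * neighbour is whatever the allocator happened to put there. */
static unsigned char heap[256];
static const char secret[] = "SECRET: admin password = hunter2";
static unsigned char response_buf[HB_MAX_RESP];

/* Build a heartbeat request that carries `actual` payload bytes but whose
 * length field claims `claimed`. Returns the real size of the record. */
size_t build_heartbeat_request(unsigned char *out, uint16_t claimed, size_t actual)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed >> 8);
    out[2] = (unsigned char)(claimed & 0xff);
    memset(out + 3, 'A', actual);              /* the payload the client really sent */
    memset(out + 3 + actual, 0, HB_PADDING);   /* padding (random bytes in practice) */
    return 1 + 2 + actual + HB_PADDING;
}

/* Vulnerable handler: the peer's length field is trusted as-is. */
size_t vulnerable_heartbeat(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    const unsigned char *p = rec;                         /* pointer to the heartbeat record */
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);    /* n2s(p, payload): unchecked */
    const unsigned char *pl = p + 2;                      /* where the client's payload starts */
    unsigned char *bp = resp;                             /* 1 + 2 + payload + padding bytes */
    (void)rec_len;                                        /* the bug: never compared with payload */

    if (hbtype != HB_REQUEST)
        return 0;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);          /* over-reads past the record when payload > actual */
    memset(bp + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;                  /* all of it goes back to the client */
}

/* Patched handler: the two bounds checks the Heartbleed fix introduced. */
size_t patched_heartbeat(const unsigned char *rec, size_t rec_len, unsigned char *resp)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                     /* too short to be a heartbeat: silently discard */
    unsigned char hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                     /* claimed length exceeds what arrived: discard */
    if (hbtype != HB_REQUEST)
        return 0;
    unsigned char *bp = resp;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, rec + 3, payload);     /* now provably inside the received record */
    memset(bp + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Put a request with `actual` real bytes and a length field of `claimed` in
 * the constructed heap, place the secret directly after it, run one handler.
 * Returns the response length (0 means the request was discarded). */
size_t run_heartbeat(uint16_t claimed, size_t actual, int use_patched, unsigned char *resp)
{
    memset(heap, 0, sizeof heap);
    size_t rec_len = build_heartbeat_request(heap, claimed, actual);
    memcpy(heap + rec_len, secret, sizeof secret);        /* the unlucky heap neighbour */
    return use_patched ? patched_heartbeat(heap, rec_len, resp)
                       : vulnerable_heartbeat(heap, rec_len, resp);
}

/* Search a response for the secret, as an attacker grepping leaked memory would. */
int response_leaks_secret(const unsigned char *resp, size_t len)
{
    size_t n = strlen(secret);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(resp + i, secret, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    size_t len = run_heartbeat(64, 4, 0, response_buf);   /* 4 real bytes, claims 64 */
    printf("vulnerable: %zu bytes back, secret leaked: %s\n",
           len, response_leaks_secret(response_buf, len) ? "yes" : "no");
    len = run_heartbeat(64, 4, 1, response_buf);
    printf("patched: %zu bytes back (0 = discarded)\n", len);
    return 0;
}
```

Run it and the vulnerable handler answers a 4-byte request with an 83-byte response whose body contains the string that sat next to the record, while the patched handler returns nothing for the same input and still echoes an honest request correctly. The 16-bit length field is why a single request can pull at most 65535 bytes; attackers simply repeat it to walk through more of the heap.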

References:

http://heartbleed.com/

Protecting Data In Transit:

In this task, you need to obtain a flag using a very well known vulnerability. Make sure you pay attention to all the information and errors displayed. Pay particular attention to how web servers are configured.

  1. What is the flag?

jagadeesh