Tuesday, April 8, 2014

OpenSSL Heartbleed: Simplified



OpenSSL has released a patch (1.0.1g) for the bug being called "Heartbleed" (CVE-2014-0160). There are a couple of good technical explanations out there already here and here, but I'd like to break it down into basic terms.

You can also just read XKCD


The "heartbeat" function (a small TLS extension) is useful for checking that the other end of a connection is still alive. Let's say you're Facebook and you want to make sure that everything is functioning correctly. You would send the heartbeat function a message length and a message that says, "I am alive and ok". The server replies with that same message: "I am alive and ok". If you don't get that exact message back within a specified amount of time, there might be a problem with the service and you can set off alarms, etc.

As always, nothing is as simple as it seems. The heartbeat request carries a message length separately from the message itself. So if you send in "I am alive and ok" you would also send a message length of 17, because that's how many characters the message has. The problem is that nothing forces those two things to agree.

Without getting too deep into how computer memory works: data is stored by a computer sequentially, so your message "I am alive and ok" gets put into memory right next to whatever other data the program happens to have there. For this example, the other data is "My password is SeeSpotRun", so to the computer, memory looks like this: "I am alive and ok My password is SeeSpotRun". When the heartbeat function builds its reply, it remembers the first character it's supposed to send and then copies as many characters as the message length you sent in, without ever checking that you actually sent that many.

With me so far? Here's where we start exploiting things.

When you send in the correct message length of 17, the heartbeat function returns "I am alive and ok". But if you send in a message length of, say, 32, it returns "I am alive and ok My password is", because " My password is" (with the space) is the next 15 characters. At this point the attacker is interested and requests more memory, say a length of 43, to get back "I am alive and ok My password is SeeSpotRun", and now they have your password. In the real bug the length field allows up to 64 KB per request, the request can be repeated as often as the attacker likes, and it looks like an ordinary heartbeat to the server, so it leaves no trace in the logs.
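To make that missing check concrete, here is an added C example (not code from this post and not OpenSSL's own source) that simulates both behaviours on the memory layout above: a vulnerable handler that trusts the length field, and a fixed handler with the same shape of bounds check OpenSSL added in 1.0.1g (header + claimed payload + padding must fit inside the record that actually arrived). The MEMORY array, the 17-byte "real" payload, the 16-byte padding constant and the function names are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed snapshot of server memory for the demo: the 17 bytes of
 * heartbeat payload the peer really sent, immediately followed by an
 * unrelated secret that happens to sit next to it (as in the post).
 * Keeping both in one array means the over-read below stays inside this
 * array, so the demo itself is well-defined C; the real bug reads whatever
 * heap memory follows the received record. */
static const char MEMORY[] = "I am alive and ok My password is SeeSpotRun";

/* What actually arrived on the wire for the honest request:
 * 1 byte type + 2 byte length + 17 byte payload + 16 bytes minimum padding.
 * (Assumed sizes for the demo; they mirror the heartbeat record layout.) */
#define ACTUAL_PAYLOAD_LEN 17
#define ACTUAL_RECORD_LEN  (1 + 2 + ACTUAL_PAYLOAD_LEN + 16)

/* Vulnerable handler: echoes back claimed_len bytes starting at the payload,
 * trusting the length field in the request and never comparing it with
 * how many bytes were actually received. */
const char *heartbeat_vulnerable(const char *payload, size_t claimed_len)
{
    static char response[256];
    /* The reply buffer is sized for the demo only; the real code allocates
     * a reply of exactly claimed_len bytes, so the write is fine and the
     * over-read from `payload` is the whole bug. */
    if (claimed_len >= sizeof response)
        claimed_len = sizeof response - 1;
    memcpy(response, payload, claimed_len);   /* reads past the 17 real bytes */
    response[claimed_len] = '\0';
    return response;
}

/* Fixed handler: reconstruction of the check OpenSSL 1.0.1g added.
 * If the claimed payload plus header and padding would exceed the record
 * that actually arrived, the request is dropped without a reply. */
const char *heartbeat_fixed(const char *payload, size_t claimed_len,
                            size_t received_record_len)
{
    static char response[256];
    if (1 + 2 + claimed_len + 16 > received_record_len)
        return NULL;            /* request lies about its length: discard */
    if (claimed_len >= sizeof response)
        return NULL;            /* demo reply-buffer bound */
    memcpy(response, payload, claimed_len);
    response[claimed_len] = '\0';
    return response;
}

int main(void)
{
    size_t lens[] = {17, 32, 43};   /* the three lengths from the post */
    for (size_t i = 0; i < 3; i++) {
        const char *v = heartbeat_vulnerable(MEMORY, lens[i]);
        const char *f = heartbeat_fixed(MEMORY, lens[i], ACTUAL_RECORD_LEN);
        printf("claimed %2zu  vulnerable -> \"%s\"\n", lens[i], v);
        printf("            fixed      -> %s\n", f ? f : "(request dropped)");
    }
    return 0;
}
```

Running it shows the vulnerable handler handing back more of MEMORY as the claimed length grows, while the fixed handler answers only the honest 17-byte request and silently drops the other two. The point to take away is that the fix is not "validate the length field" in isolation but "validate it against what was actually received".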

If that isn't scary enough, remember that other things (credit card numbers, names, addresses, Social Security numbers, session cookies, even the server's own private key) sit in a program's memory while it uses them. The attacker can't choose what comes back, only how much, so against a vulnerable program it's pretty much like playing the lottery trying to get something interesting, except that every ticket is free and you can buy as many as you want. That's also why installing the patch isn't the whole fix: if the private key could have leaked, the certificate needs to be reissued, and passwords and sessions that passed through the server should be reset.