Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: heartbleed OpenSSL bug CVE-2014-0160

From: Menso Heus <heus () freepressunlimited org>
Date: Thu, 10 Apr 2014 08:39:35 +0200
On 10 apr. 2014, at 00:32, Craig Holmes <craig () rideaunetworks com> wrote:


On April 8, 2014 10:21:34 AM Matthew Musingo wrote:

Even if your systems were patched  an attacker could have already attained
the secrets.

Certs and other sensitive information need to be reconsidered for
replacement or changed

How realistic is it that an attacker would be able to glean passwords through 
this vulnerability? Programatically searching through 64k memory dumps for 
certificates seems plausible, but looking for passwords does not. A password is 
of no pre-determined length or format. So unless you know what strings are 
wrapped around it (and those strings are reliably presented), isn't the loss 
of some types of sensitive information.... unlikely?



From poking at a very popular free e-mail service that only recently patched, 

here's an example of some of the data that got returned:

/config/pwtoken_get?src=emailimap&ts=12345&login=foo&passwd=bar&

As you can see, figuring out what strings are wrapped around it is trivial and 
I am assuming that there are people out there who did nothing but trying to
extract this information in an automized way. Cookies too got passed this way.

Change your passwords :)

Menso





_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: