Full Disclosure mailing list archives

Re: heartbleed OpenSSL bug CVE-2014-0160

From: Pål Nilsen <paal.nilsen () gmail com>
Date: Thu, 10 Apr 2014 10:24:01 +0200

There's probably an "official" place to get ssltest.py, but I put it here
after some guys on IRC asked for it yesterday:
https://ccdn.tracetracker.com/ssltest.py


On 10 April 2014 08:39, Txalin <txalin () gmail com> wrote:

How realistic is it that an attacker would be able to glean passwords

through

this vulnerability?


Checked by myself yesterday in some websites with login/pass form in (sites
from my company, don't blame me). I took less than 2 minutes to get 3
user/password combinations, so, easy as hell.

PD: First message in FD, hi all!!!


2014-04-10 0:32 GMT+02:00 Craig Holmes <craig () rideaunetworks com>:

On April 8, 2014 10:21:34 AM Matthew Musingo wrote:

Even if your systems were patched  an attacker could have already

attained

the secrets.

Certs and other sensitive information need to be reconsidered for
replacement or changed

How realistic is it that an attacker would be able to glean passwords
through
this vulnerability? Programatically searching through 64k memory dumps

for

certificates seems plausible, but looking for passwords does not. A
password is
of no pre-determined length or format. So unless you know what strings

are

wrapped around it (and those strings are reliably presented), isn't the
loss
of some types of sensitive information.... unlikely?

Cheers.
Craig


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

Re: heartbleed OpenSSL bug CVE-2014-0160, (continued)
- - - Re: heartbleed OpenSSL bug CVE-2014-0160 Jann Horn (Apr 08)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Francesc Guitart (Apr 08)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Javier Reoyo (Apr 10)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Carlos P (Apr 10)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 David H (Apr 08)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Matthew Musingo (Apr 08)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Craig Holmes (Apr 09)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Michal Zalewski (Apr 09)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Menso Heus (Apr 09)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Txalin (Apr 10)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Pål Nilsen (Apr 10)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Reindl Harald (Apr 10)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Pål Nilsen (Apr 10)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Ricardo Iramar dos Santos (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Fraser Scott (Apr 08)
  - Re: heartbleed OpenSSL bug CVE-2014-0160 Nik Mitev (Apr 08)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Chris Schmidt (Apr 08)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Jann Horn (Apr 08)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Tim Schütt (Apr 08)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Rob van der Putten (Apr 09)
    - Re: heartbleed OpenSSL bug CVE-2014-0160 Walt Williams (Apr 09)

(Thread continues...)