Thursday, April 10, 2014

Epilogue Pentest: Forget about Heartbleed and Enter the Reality of Volatile Memory

From XKCD..



Yeah there's lot of buzz on heartbleed as the worst bug ever. My opinion? It is a serious bug due to the fallacy of the way C works . Despite the hype memory leakage is not exactly something new and skillful botnet/attackers/pentesters have exploited  it for years.

What can we learn from this bug?.. At the Beginning and at the End of an Encrypted Connection lies the encrypted data. Don`t the trust user input in one thing, but trusting your server memory and hands behind it is also well sucks.

If you are one of the CISO fans well PCI  often said "End-to-End Encryption" .. which means data + communication channel are supposed to be well encrypted.. Which is good

But there's one catch...

Suppose an attacker/sysadmin managed to get hold on a server with a privileged access (or decided to abused it anyway). Hypothetically something like this.



So we have root privileged. Yes in most tutorial no doubt people will start dumping /etc/shadow and yadax2 implement fake/website blax3.

Suppose that all data is encryted and there's no way to see it in plaintext form.. If you understand the bug in heartbleed , it tells us that unencrypted related data  lies in the process memory closely at at the heap/free store..

Pick up one process 5356 in this example and examine the maps.


Data memory leaked in heart bleed relies on how the heap was align/rebased/mapped blax3.,


We can use  gcore or  Folks from Rohitab  have created one nice tool similar to procdump in Windows :)




And it's a gold mine..





Do you trust your sysadmin? I know I don`t.  And dark tips. Don`t trust your router memory either...

What about dumping in Windows? It's as easy as .




Volatile memory are dangerous... 








No comments: