Last Updated: 2014-04-13 13:01:19 UTC
by Kevin Shortt (Version: 1)
I wanted to know if the tools/software I execute regularly are vulnerable to scraping my system memory. Now the reverse heartbleed scenario is very possible, but the likelihood seems to be much more of a non-issue.
Seeing is still believing in my book. So I set out to see what the interweb world was doing to test this out. There are some very reputable services/organizations out there offering up a fresh url to the reverse heartbleed and others offering to 'test' a given url. These are a black box. Trust is hard to earn at times, especially when you are dealing with an exploit like this one. I wanted to see source code, or at least pseudocode so I could craft my own. I found a script out there called Pacemaker  that was written and provided by Peter Wu. I liked it because it was transparent, simple, and it can be used exclusively under my control (the ultimate first step of developing trust).
So simple, I was able to review it for harm and function, and cut and paste it into vi. Escape, write, quit, and I was off and running. Basically it works like a simple webserver, very simple. The script is executed and listens on port 4433. You point your client software at it with a localhost url and the server script reports on STDOUT what it finds.
I did not have any vulnerable client software readily available to give a whirl, but I did try all my curl and wget installs that I use regularly. I also hit it with Chrome and Safari to see the error messages.
Here is what I tested with it.
I am interested in seeing more output from known vulnerable client software. Feel free to give this a ride and share your results. If I get a chance to spin out a new VM with some vulnerable OpenSSL on it today, then I will share my experiences too.
ISC Handler on Duty