
SANS ISC: Reverse Heartbleed Testing - SANS Internet Storm Center SANS ISC InfoSec Forums

Reverse Heartbleed Testing

I wanted to know if the tools/software I execute regularly are vulnerable to scraping my system memory.  Now the reverse heartbleed scenario is very possible, but the likelihood seems to be much more of a non-issue.  

Seeing is still believing in my book.  So I set out to see what the interweb world was doing to test this out.  There are some very reputable services/organizations out there offering up a fresh url to the reverse heartbleed and others offering to 'test' a given url.   These are a black box.  Trust is hard to earn at times, especially when you are dealing with an exploit like this one.  I wanted to see source code, or at least pseudocode so I could craft my own.  I found a script out there called Pacemaker [1] that was written and provided by Peter Wu.  I liked it because it was transparent, simple, and it can be used exclusively under my control (the ultimate first step of developing trust).

So simple, I was able to review it for harm and function, and cut and paste it into vi.  Escape, write, quit, and I was off and running.   Basically it works like a simple webserver, very simple.  The script is executed and listens on port 4433.  You point your client software at it with a localhost url and the server script reports on STDOUT what it finds.  

I did not have any vulnerable client software readily available to give a whirl, but I did try all my curl and wget installs that I use regularly.   I also hit it with Chrome and Safari to see the error messages.

Here is what I tested with it.

wget 1.11.4:
Connection from:
Unable to check for vulnerability: SSL 2.0 clients cannot be tested

curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5:
Connection from:
Got Alert, level=Fatal, description=40
Not vulnerable! (Heartbeats disabled or not OpenSSL)

curl 7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5:
Connection from:
Possibly not vulnerable

Chrome 34.0.1847.116:
Connection from:
Got Alert, level=Fatal, description=47
Not vulnerable! (Heartbeats disabled or not OpenSSL)

I am interested in seeing more output from known vulnerable client software.  Feel free to give this a ride and share your results.  If I get a chance to spin out a new VM with some vulnerable OpenSSL on it today, then I will share my experiences too.



Kevin Shortt, ISC Handler
Apr 13th 2014
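The verdicts in the output above are decided by what the client sends first: an SSLv2-style hello (untestable), a TLS alert, or a TLS ClientHello that does or does not carry the RFC 6520 heartbeat extension. The Python below is an added example, not Pacemaker's code, that applies that same triage to captured bytes so a defender can tell which clients on a network even advertise heartbeats; build_client_hello and the sample byte strings in the test are constructed, and the parser only inspects records, it never sends a heartbeat request.

```python
import struct

HEARTBEAT_EXT = 0x000F  # RFC 6520 heartbeat extension type
# AlertDescription values seen in the diary output (RFC 5246)
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter"}
NO_HEARTBEAT = "no heartbeat extension: heartbeats disabled or not OpenSSL"

def classify_client_hello(data: bytes) -> str:
    """Classify the first record a client sends, mirroring the outcomes above."""
    if len(data) < 7:
        return "too short to classify"
    # SSLv2-compatible hello: 2-byte length with the high bit set, then msg type 1
    if data[0] & 0x80 and data[2] == 0x01:
        return "SSL 2.0 client: cannot be tested"
    if data[0] == 21:  # alert record: level byte, description byte
        return "alert level=%d description=%d (%s)" % (
            data[5], data[6], ALERT_NAMES.get(data[6], "other"))
    if data[0] != 22:
        return "not a handshake record"
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if not body or body[0] != 1:  # handshake type 1 = ClientHello
        return "not a ClientHello"
    off = 1 + 3 + 2 + 32  # hs type, hs length, client_version, random
    off += 1 + body[off]  # session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]  # cipher_suites
    off += 1 + body[off]  # compression_methods
    if off + 2 > len(body):
        return NO_HEARTBEAT  # no extensions block at all
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if etype == HEARTBEAT_EXT:
            mode = body[off] if elen else 0  # 1 = peer_allowed_to_send
            return "heartbeat extension present (mode %d): client may be exposed" % mode
        off += elen
    return NO_HEARTBEAT

def build_client_hello(extensions: bytes = b"") -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (one cipher suite) as sample input."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feed it the first bytes read from an accepted socket (or a pcap's first client record) and the returned string tells you which of the diary's three outcomes that client falls into.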
The client software scene is much more diverse.
There are some exceptions, such as curl/wget, VPN clients, and perhaps some FTP, LDAP and e-mail clients, which may use OpenSSL.

Most of the major web browsers do not.

Firefox, Chrome, OpenOffice, Evolution, Pidgin, 389 directory services, various Java products = LibNSS
Internet Explorer = Windows CryptoAPI
Opera = [none of the above]

I have tried directly with the openssl client, like:

openssl s_client -connect

but imho it doesn't work!
Did you get the following (or something like it) as a response to 'openssl s_client -connect' ?

58872:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake /SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/…:
Kevin Shortt, ISC Handler
Got a hit within Cygwin.

curl 7.29.0 (i686-pc-cygwin) libcurl/7.29.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.26 libssh2/1.4.2
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: Debug GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP Metalink
Kevin Shortt