I get that, but the purpose of the script is now explicitly "steal user sessions" rather than "proof-of-concept".
I wouldn't convict you, but if someone used this tool in a breach that was embarrassing enough to the right person, I don't think a prosecutor would have a very hard time convincing a judge that you were an evil hacker writing evil hacker tools.
Do you have the same feelings about the Rapid7 team? What about the guys at Tenable? Heck, the Offensive Security guys are making an entire Linux distro that is nothing more than "evil hacker tools". Surely there are countless crimes committed with their software. Do you believe that all of them are in the wrong.
I am not an exceptionally gifted programmer. This is a trivial change to the original PoC to point out an additional attack vector. Pointing out that there is more to this attack than leaked private keys is very important.
You did the right thing. I know very little about exploitation- I have to pay someone else to learn about things like this and fix it for me. This makes the time taken to do that much shorter for me and others like me. So thank you thank you thank you! Do you have a "donate" button somewhere?
The line between whitehat pentester and blackhat cracker is very thin, of course. They use the same tools and the same techniques; the differentiating component is intent and target.
The title of your post is "Using Heartbleed PoC for Hijacking User Sessions En Masse". Not "Your users' sessions are at risk", or "Heartbleed affects more than private keys". The express intent of the published code is the theft of user sessions. I know that you probably don't have any intent to do Bad Things with it, but if I was a prosecutor looking for someone to slap around with the CFAA, you just threw up a giant neon "SUP BITCHES" sign.
The folks you mentioned all produce tools which are intended and marketed for use by white-hat security professionals in the pre-emptive exploitation of their own networks for the purposes of security. Yes, we all know that the Bad Guys use Metasploit extensively to find and exploit machines, but if Rapid7 were positioning their tool as the premiere solution for pwnz3ring b0x3n, you don't think they'd be in a legally different situation?
I never said you were wrong. In fact, my exact words were "I wouldn't convict you" - I really do get why you published this, and I don't think you're some bad guy cackling to yourself from deep within your evil lair or anything. However, we know from recent history that things less gray have (unjustly, IMO) in fact landed people in prison. It's not illegal to own a crowbar or lockpicking set, but it's illegal to own one with the intent to commit burglary. Intent matters, and they way you positioned your PoC is problematic in that its stated intent is "mass hijacking", rather than "demonstration of an additional security problem". I am not trying to say that there's anything wrong with the code you've published - there isn't - but that the way you've presented it is potentially problematic if it were to attract the wrong kind of attention. That's all.
Which only applies if you were to do it to systems that you aren't authorized to use it against. Simply creating and testing the code on your own servers is far from unauthorized access. If it were anyone who had posted any PoC code would have been liable for anything that happened with their code.
You seem to be talking about something different from what sullivanmatt and I were talking about. He said that collecting session IDs is not illegal, but posting them would be. That is the statement with which I was taking issue.
At any rate, it certainly doesn't seem correct to say "it isn't illegal" as a blanket statement.
I was referring to calling it unauthorized access. If I do this to my own machines, which is how I wrote and tested this code, then it is entirely authorized.
I would agree that collecting session ids on systems that you do not own or have legitimate access to is almost certainly illegal.
I think his statement strongly implied that he was speaking about session ids of site he doesn't own. If you own the site, saying that "using the session ids would be illegal" is a stretch, at least without qualifiers. So, pretty sure he was talking about other people's sites.
I'd imagine people have been charged with crimes for much less than what one could attempt to charge this author with if some scriptkid uses this code and causes damages.
I respect the author for wanting to be a part of the community contributing code related to this event but some self-preservation might be in order...
If this were true, the Rapid7 guys would have been in jail long ago. This doesn't do anything more than the original PoC, but shows another reason for administrators to update their machines.
This exploit as posted is suboptimal. If I understood the format of a heartbeat message correctly, its one byte type followed by two bytes unchecked length.
So if you want to maximize the data extracted with each connection, you should send FF FF for length, instead of 0x0302 bytes as its requesting now (if n2s is for network byte order to short).
This should be followed by a payload of that length, but if it isn't (as in the PoC) the vulnerable versions of OpenSSL will then carve it out of the heap to form the response packet - this is what leads to the data leakage.
Big props to you Michael (and everyone else who helped produce this PoC) for showing how completely fucking crazy this security hole is. I don't envy the flack you'll get for it, but it really drives home the enormity of the problem, and will force people to patch much quicker than they would normally. The only thing that gets companies to patch in less than a month is a big fire under their ass.
Many people have commented on the legality of using this software. I didn't think it needed pointing out that using this on servers you do not own is strictly against the law. My only reasons for writing this is to show exactly what can be done with the vulnerability and how scary it really is.
Many people have a vague understanding of how bad it is to lose a private key that is used to sign SSL traffic, but showing that one is able to hijack sessions en masse makes this vulnerability much easier to wrap our heads around.
26 comments
[ 3.4 ms ] story [ 59.5 ms ] threadI wouldn't convict you, but if someone used this tool in a breach that was embarrassing enough to the right person, I don't think a prosecutor would have a very hard time convincing a judge that you were an evil hacker writing evil hacker tools.
I am not an exceptionally gifted programmer. This is a trivial change to the original PoC to point out an additional attack vector. Pointing out that there is more to this attack than leaked private keys is very important.
The title of your post is "Using Heartbleed PoC for Hijacking User Sessions En Masse". Not "Your users' sessions are at risk", or "Heartbleed affects more than private keys". The express intent of the published code is the theft of user sessions. I know that you probably don't have any intent to do Bad Things with it, but if I was a prosecutor looking for someone to slap around with the CFAA, you just threw up a giant neon "SUP BITCHES" sign.
The folks you mentioned all produce tools which are intended and marketed for use by white-hat security professionals in the pre-emptive exploitation of their own networks for the purposes of security. Yes, we all know that the Bad Guys use Metasploit extensively to find and exploit machines, but if Rapid7 were positioning their tool as the premiere solution for pwnz3ring b0x3n, you don't think they'd be in a legally different situation?
I never said you were wrong. In fact, my exact words were "I wouldn't convict you" - I really do get why you published this, and I don't think you're some bad guy cackling to yourself from deep within your evil lair or anything. However, we know from recent history that things less gray have (unjustly, IMO) in fact landed people in prison. It's not illegal to own a crowbar or lockpicking set, but it's illegal to own one with the intent to commit burglary. Intent matters, and they way you positioned your PoC is problematic in that its stated intent is "mass hijacking", rather than "demonstration of an additional security problem". I am not trying to say that there's anything wrong with the code you've published - there isn't - but that the way you've presented it is potentially problematic if it were to attract the wrong kind of attention. That's all.
(but of course courts have sent people to jail for much less...)
† http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
At any rate, it certainly doesn't seem correct to say "it isn't illegal" as a blanket statement.
I would agree that collecting session ids on systems that you do not own or have legitimate access to is almost certainly illegal.
I respect the author for wanting to be a part of the community contributing code related to this event but some self-preservation might be in order...
So if you want to maximize the data extracted with each connection, you should send FF FF for length, instead of 0x0302 bytes as its requesting now (if n2s is for network byte order to short).
It's possible this has been tuned to avoid some interference regarding that sort of thing.
[*] see https://www.iana.org/assignments/tls-parameters/tls-paramete...
Many people have a vague understanding of how bad it is to lose a private key that is used to sign SSL traffic, but showing that one is able to hijack sessions en masse makes this vulnerability much easier to wrap our heads around.
Don't be idiots out there.