[Ach] OpenSSL 'heartbleed' bug
Aaron Zauner
azet at azet.org
Wed Apr 9 00:30:10 CEST 2014
L. Aaron Kaplan wrote:
> Hi!
>
> Unrelated to the previous posts but nevertheless showing quite clearly how urgent this is now:
>
> Just stumbled across the first automatic user session hijacking script:
>
> https://michael-p-davis.com/using-heartbleed-for-hijacking-user-sessions/
I've written a similar PoC just using the ssltest.py file and a bit of
bash and grep hackery. This can be done by any teen script-kiddie. Worrying.
I've tested this on vulnerable servers and you get a lot of user data,
passwords, phone numbers, client software identification - frequently
accessed and stored in virtual memory, mobile applications seem to be
prevalent - as well as communications traffic and patterns by writing
just a few lines of code.
Aaron