21

According to http://heartbleed.com/, memory contents can be leaked from the server to the client and vice versa.

Say that I have been banking in a separate browser profile (but under the same user). If another browser profile happened to be targeted by the Heartbleed attack, does this mean that my banking session was possibly compromised? Does it matter whether Linux, Windows or something else is used?

Lekensteyn
  • 5,958
  • 5
  • 38
  • 62
  • 2
    By the way, Chrome/Chromium and Firefox use NSS (not OpenSSL) and are not affected by this implementation bug. – Lekensteyn Apr 08 '14 at 10:54
  • 3
    Thats true Chrome/Chromium for Windows, OS X, iOS, Linux, and Chromium OS, but not for Android where OpenSSL is used. They are planing to use OpenSSL everywhere. See [here](https://docs.google.com/document/d/1ML11ZyyMpnAr6clIAwWrXD53pQgNR-DppMYwt9XvE6s/edit?pli=1#) – Jehof Apr 08 '14 at 12:32
  • @Lekensteyn and btw ftr neither does IE... – AviD Apr 10 '14 at 12:00

2 Answers2

19

There is a well-written analysis at http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html complete with code samples.

The author, Sean Cassidy, notes that (emphasis mine):

What if the requester didn't actually supply payload bytes, like she said she did? What if pl really is only one byte? Then the read from memcpy is going to read whatever memory was near the SSLv3 record.

And apparently, there's a lot of stuff nearby.

To be honest, I am a little surprised at the claims of the people who found the Heartbleed vulnerability. When I heard about it, I figured that 64KB wasn't enough to look for things like secret keys. The heap, on x86 at least, grows up, so I figured that pl would simply read into newly allocated memory, such as bp. Keys and the like would be allocated earlier, so you wouldn't be able to read them. Of course, with modern malloc implementations, this isn't always true.

And further, you won't be able to read the memory of any other process, so those "business critical documents" would need to be in memory of the process, less than 64KB, and be nearby pl.

An alternative viewpoint from Erik Cabetas of Include Security, commenting on Reddit:

Was having some discussions w/ my friend about this bug. He thinks it's exploitable by using a variety of specifically sized allocations across the heap to read the 64k chunks all around the heap fragments, not in a linear type of fashion that Sean in OP's link is implying. After thinking about the way ptmalloc/linux allocates, I think this is possible for sure. The .fi guys from codenomicron are sharp dudes, I bet they were able to get the allocations just right in a lab environment.

Edit: Sean has updated:

And apparently, there's a lot of stuff nearby.

There are two ways memory is dynamically allocated with malloc (at least on Linux): using sbrk and using mmap. If the memory is allocated with sbrk, then it uses the old heap-grows-up rules and limits what can be found with this, although multiple requests (especially simultaneously) could still find some fun stuff.

However, if mmap is used, all bets are off. Any memory not in use could be allocated for mmap. This is what the most of the attacks against Heartbleed will target.

And the best part: the bigger your requested block, the more likley it is to be served by mmap rather than sbrk.

scuzzy-delta
  • 9,303
  • 3
  • 33
  • 54
  • 2
    That is a nice analysis by Sean. Can we be sure that the leaked memory never contains stuff from previous processes? – Lekensteyn Apr 08 '14 at 09:32
  • 2
    @Lekensteyn Yes, virtual memory prevents it. http://en.wikipedia.org/wiki/Virtual_memory – argaz Apr 08 '14 at 11:15
  • How does mmap make other processes' memory visible to the process using OpenSSL? I thought accessing another process's memory normally causes a segmentation fault. – Sam Apr 09 '14 at 13:27
  • @argaz I have checked that every byte allocated by `malloc(n)` is zero (for large `n`), but I do not remember from an OS course that the memory is always cleared. Is this a responsibility of the kernel? – Lekensteyn Apr 09 '14 at 21:14
9

To add on @scuzzy-delta's answer: by definition, buffer overruns in applicative code affect only applicative code. The operating system maintains the isolation between the various process, and won't permit a process to access the memory space of another process.

If the buffer overrun is of the "write" persuasion (the attacker forces the target to write bytes beyond the end of a buffer), then this may be turned into hostile hijack, in which the attacker takes control of the target application, and makes it do its bidding. Application-level privileges are already enough to enact considerable mischief, including reading (for instance) all of the browser's profile, grabbing the screen contents and keyboard entries, and so on (when it occurs on a "client" side, e.g. in a browser). However, in this case, the "heartbleed" vulnerability is a "read" overrun, revealing data but not impacting the target system. This precludes the immediate risk of hostile hijack and its dire consequences.

However...

Obtaining secrets from the applicative memory of the target process may be leveraged into a more extensive attack. For instance, if the target is a Web server, the heartbleed issue may reveal (with the appropriate amount of luck) the names and passwords of some other users, which can then be used to log on as these users. This can be problematic.

For a Web browser, i.e. on the client side, one may note that some browsers are on the habit of launching distinct process instances, to avoid memory fragmentation issues in long-running sessions, and also to avoid losing the whole browser when the Flash plugin crashes. Not all browsers do that, though -- and even for those who do, they don't do it systematically. They follow heuristics in order to group tabs "together" in a single process.

An extra point is that these process often use some shared memory to exchange some needed information, in particular password and cookie caches, and SSL sessions. Precisely the kind of juicy data that the attacker would like to obtain.

On the brighter side, attacking the client requires that the server that the client talks to runs the attack. It cannot be initiated by the attacker; it must wait for clients to connect.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
  • So does this mean that the quote about mmap in scuzzy-delta's answer doesn't imply that memory can be read from another process? – Matthijs Wessels Apr 14 '14 at 11:54
  • 1
    No, indeed, the quote about `mmap()` does not imply reading memory from another process. What it implies is that blocks allocated from areas obtained through `mmap()` will be located in somewhat random places in the address space, whereas blocks from `sbrk()` have a more deterministic emplacement. – Tom Leek Apr 14 '14 at 12:45