
I have read about the recent vulnerability in OpenSSL. I tried to exploit one of my cloud servers where I run my web sites. I managed to get 64 KB of data, but what I got was only HTML, CSS and PHP code. But here it states:

We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

I have some questions:

1. What was the server configuration of the testers?

2. What other sensitive data can be retrieved with this vulnerability?

3. What sensitive data is stored in the RAM of the Apache web server?

Xander
torayeff
  • For lack of a better close vote, I'm marking this as too broad, but I wanna explain a bit why. 1) should be asked of those that have done the test, 2) and 3) depends on each particular server, its configuration, and what data is exchanged between server and its clients (thus why I opted for "too broad"). Can you please edit your question to present a specific scenario / configuration and describe what your threat is? It's IMO impossible to list all the possible sensitive data that could be leaked via Heartbleed, it could be anything that's in server's memory really (read in 64kb chunks). – TildalWave Apr 09 '14 at 14:19
  • possible duplicate of [What should a website operator do about the Heartbleed OpenSSL exploit?](http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit) – Gilles 'SO- stop being evil' Apr 09 '14 at 14:29

1 Answer


From what I understand, it's the luck of the draw. You may get sensitive information or nothing at all. It all depends what happens to reside in the memory the exploit is pushing out to you.

This can include private keys as the server process will cache this for quick access during SSL transmissions, but from my limited testing I was able to fetch HTTP headers and do session sidejacking.

I suppose if you captured the private key somehow, you could then use MITM to reveal more information; or, if you happen to get admin passwords, use those to breach further into the internal network.

Nathan C
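A defender-side check for the malformed heartbeat message behind the vulnerability discussed above, added here as an example (it is not code from the question, the answer or OpenSSL): it splits a captured TLS byte stream into records and flags any heartbeat whose declared payload_length cannot fit in the record, which is the condition a patched OpenSSL rejects and the one an IDS signature for Heartbleed keys on. The two sample streams are constructed, not real captures.

```python
import struct

TLS_HEARTBEAT = 24         # TLS ContentType for heartbeat messages (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of padding

def parse_tls_records(data: bytes):
    """Split a raw TLS byte stream into (content_type, version, body) tuples."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:       # truncated capture: stop rather than misparse
            break
        records.append((ctype, ver, body))
        off += 5 + length
    return records

def check_heartbeat(body: bytes):
    """Return findings for one heartbeat record body; an empty list means it looks sane."""
    if len(body) < 3:
        return ["heartbeat body shorter than its 3-byte header"]
    hb_type, declared = body[0], struct.unpack("!H", body[1:3])[0]
    present = len(body) - 3          # payload + padding bytes actually carried
    findings = []
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        findings.append(f"unknown heartbeat type {hb_type}")
    # RFC 6520: a receiver must silently discard a message whose payload_length plus
    # padding exceeds the record. Vulnerable OpenSSL builds trusted payload_length
    # and echoed that many bytes of process memory instead.
    if declared + HB_MIN_PADDING > present:
        findings.append(f"payload_length {declared} + {HB_MIN_PADDING} padding "
                        f"exceeds the {present} bytes present")
    return findings

def scan_stream(data: bytes):
    """Scan a captured TLS byte stream; return [(record_index, finding), ...]."""
    alerts = []
    for i, (ctype, _ver, body) in enumerate(parse_tls_records(data)):
        if ctype == TLS_HEARTBEAT:
            alerts.extend((i, f) for f in check_heartbeat(body))
    return alerts

# Constructed samples (not real captures). Each record: type, version 0x0303, length, body.
_APP_DATA = struct.pack("!BHH", 23, 0x0303, 5) + b"hello"
_HB_OK = b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16     # claims 4, carries 4
_HB_BAD = b"\x01" + struct.pack("!H", 256) + b"ping" + b"\x00" * 16  # claims 256, carries 4
SAMPLE_BENIGN = _APP_DATA + struct.pack("!BHH", TLS_HEARTBEAT, 0x0303, len(_HB_OK)) + _HB_OK
SAMPLE_SUSPECT = _APP_DATA + struct.pack("!BHH", TLS_HEARTBEAT, 0x0303, len(_HB_BAD)) + _HB_BAD
```

`scan_stream(SAMPLE_BENIGN)` returns an empty list, while `scan_stream(SAMPLE_SUSPECT)` returns one alert on record index 1; the same check can be run over heartbeat records pulled from a pcap.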