RE: Re: [NSE] SSL Heartbleed

["HD Moore" <x () hdm io>]

One thing that can cause the process to crash is the current utilization of
the server and number of active connections. If you run the heartbleed PoC
in a loop against an Apache HTTPD (mod_ssl) server, all is well. If you also
run Apache Bench (ab) against the same server while the PoC is running,
Apache starts to report segfaults. This boils down to how the freelist is
used and what memory is leaked once all of the freelists are full (you end
up reading off the end of the heap and crashing). The difference you see in
"root" vs regular user may be attributed to the current load and heap state
of the process. There is always a chance that this test is going to crash
the process and your best bet is to leak as little memory as possible for
the vulnerability check (1 byte).

-HD

> -----Original Message-----
> From: dev [mailto:dev-bounces () nmap org] On Behalf Of Andrew Klaus
> Sent: Sunday, April 13, 2014 1:08 AM
> To: Olli Hauer
> Cc: dev () nmap org; Patrik Karlsson
> Subject: Re: Re: [NSE] SSL Heartbleed
>
> This particular scan was done as root. Really weird.
>
> I'll see about messing around with the heartbeat size.
> On Apr 12, 2014 4:46 PM, "Olli Hauer" <ohauer () gmx de> wrote:
>
> > I've seen simmilar results if nmap is running with an unprivileged
> > user, also in this case the "openssl s_server..." procesz crashes.
> > Running the same as root returns with target is vulnerable and the
> > openssl proceess doesn't crash.
> >
> > --
> >
> >
> > Patrik Karlsson <patrik () cqure net> wrote:
> > > I think the change of the requested heartbeat size from 16384 to 4073
> > > is what is causing the issue.
> > > That's whats different from the initial commit that works and the
> > > other code that I have tried.
> > > Revision 32828 changes this back to 16384 while only reading 4073
> > > bytes back from the server.
> > > There was another issue reported where reading too much data back
> > > would incorrectly report the server as non-vulnerable.
> > >
> > > Thanks,
> > > -Patrik
> > >
> > >
> > > On Sat, Apr 12, 2014 at 5:04 PM, Andrew Klaus <andrewklaus () gmail com>
> > > wrote:
> > >
> > > > So, I don't think the nmap heartbleed detection script doesn't
> > > > always
> > > work,
> > > > and I'm not sure why.
> > > >
> > > > There are hosts I know about that it does detect, but this one it
> > > > doesn't...
> > > >
> > > > nmap -p 443 --script ssl-heartbleed cloudflarechallenge.com Nmap
> > > > scan report for cloudflarechallenge.com (107.170.194.215) Host is
> > > > up (0.095s latency).
> > > > PORT STATE SERVICE
> > > > 443/tcp open https
> > > >
> > > > Nmap done: 1 IP address (1 host up) scanned in 18.19 seconds
> > > >
> > > >
> > > > If I use the python detection script, it pulls back 64k of memory..
> > > > So I know the site is affected by it.
> > > >
> > > > Any ideas?
> > > >
> > > > Thanks
> > > > _______________________________________________
> > > > Sent through the dev mailing list
> > > > http://nmap.org/mailman/listinfo/dev
> > > > Archived at http://seclists.org/nmap-dev/
> > >
> > >
> > >
> > > --
> > > Patrik Karlsson
> > > http://www.cqure.net
> > > http://twitter.com/nevdull77
> > > http://www.linkedin.com/in/nevdull77
> > > _______________________________________________
> > > Sent through the dev mailing list
> > > http://nmap.org/mailman/listinfo/dev
> > > Archived at http://seclists.org/nmap-dev/
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/