Nmap Development mailing list archives

Re: [NSE] SSL Heartbleed


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 14 Apr 2014 16:51:16 -0500

On 04/14/2014 04:20 AM, HD Moore wrote:
> One thing that can cause the process to crash is the current utilization of
> the server and number of active connections. If you run the heartbleed PoC
> in a loop against an Apache HTTPD (mod_ssl) server, all is well. If you also
> run Apache Bench (ab) against the same server while the PoC is running,
> Apache starts to report segfaults. This boils down to how the freelist is
> used and what memory is leaked once all of the freelists are full (you end
> up reading off the end of the heap and crashing). The difference you see in
> "root" vs regular user may be attributed to the current load and heap state
> of the process. There is always a chance that this test is going to crash
> the process and your best bet is to leak as little memory as possible for
> the vulnerability check (1 byte).
>
> -HD


hdm,

I quite agree theoretically, which is why I reduced the request in the first place to the lowest that openssl s_server would respond to (on my system), 0x0fe9 bytes. But this value doesn't work against (for instance) the server at www.cloudflarechallenge.com. For that system, 0x3fe9 bytes were needed to elicit a response. I really have no idea about the memory state of the target processes, so I can't answer *why* this is the case, but for now, requesting 0x4000 is the best we can do.

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
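To make the trade-off in the thread concrete (a 1-byte leak is the gentlest check, a large declared payload_length leaks more but can run off the end of the heap, and a patched server simply discards a request whose declared length does not fit the record), here is an added, self-contained simulation. It is example code written for this archive page, not Nmap's ssl-heartbleed.nse and not HD's PoC. It models only the RFC 6520 heartbeat handler, skips the TLS handshake a real probe needs, and stands in for process memory with a constructed byte string (`HEAP`) whose size is an assumption; the crash case is modelled simply as reading past that buffer. It does not model why some servers need a larger request before answering at all.

```python
"""Simulated Heartbleed probe (constructed example; not the nmap NSE script)."""
import struct

TLS_HEARTBEAT = 0x18          # TLS ContentType for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
TLS1_1 = b"\x03\x02"
PADDING = 16                  # minimum padding a heartbeat message must carry


def build_heartbeat_request(declared_len, payload=b"", padding=b"", version=TLS1_1):
    """TLS record carrying a HeartbeatRequest whose declared payload_length is
    chosen by the sender and may exceed the bytes actually sent (the trigger)."""
    body = struct.pack("!BH", HB_REQUEST, declared_len) + payload + padding
    return struct.pack("!B2sH", TLS_HEARTBEAT, version, len(body)) + body


class SimulatedTLSServer:
    """Heartbeat handler only. `heap` is a constructed stand-in for whatever
    memory follows the request buffer; reading past its end models the
    segfault described in the thread."""

    def __init__(self, heap, vulnerable):
        self.heap = heap
        self.vulnerable = vulnerable

    def handle(self, record):
        rtype, version, rlen = struct.unpack("!B2sH", record[:5])
        body = record[5:5 + rlen]
        if rtype != TLS_HEARTBEAT or len(body) < 3:
            return None
        hbtype, payload_len = struct.unpack("!BH", body[:3])
        if hbtype != HB_REQUEST:
            return None
        if not self.vulnerable:
            # Patched check (OpenSSL 1.0.1g): silently discard the request if
            # the declared payload plus mandatory padding exceeds the record.
            if 1 + 2 + PADDING > rlen or 1 + 2 + payload_len + PADDING > rlen:
                return None
        # Unpatched path: copy payload_len bytes starting at the request
        # payload, trusting the peer's length field and reading on into
        # whatever memory sits after the request buffer.
        memory = body[3:] + self.heap
        if payload_len > len(memory):
            raise MemoryError("read ran off the end of the heap")
        leaked = memory[:payload_len]
        resp = struct.pack("!BH", HB_RESPONSE, payload_len) + leaked + b"\x00" * PADDING
        return struct.pack("!B2sH", TLS_HEARTBEAT, version, len(resp)) + resp


def probe(server, declared_len, payload=b"", padding=b""):
    """Send one heartbeat and classify the outcome: (verdict, bytes leaked)."""
    try:
        resp = server.handle(build_heartbeat_request(declared_len, payload, padding))
    except MemoryError:
        return "crashed", b""
    if resp is None:
        return "not vulnerable", b""
    rtype, _, rlen = struct.unpack("!B2sH", resp[:5])
    body = resp[5:5 + rlen]
    hbtype, echoed_len = struct.unpack("!BH", body[:3])
    if rtype != TLS_HEARTBEAT or hbtype != HB_RESPONSE:
        return "not vulnerable", b""
    echoed = body[3:3 + echoed_len]
    # A correct server can only echo what we sent; anything beyond that
    # came out of server memory.
    if len(echoed) > len(payload):
        return "vulnerable", echoed[len(payload):]
    return "not vulnerable", b""


# Constructed stand-in for process memory adjacent to the request buffer.
HEAP = b"GET /account HTTP/1.1\r\nCookie: session=c0ffee\r\n".ljust(4096, b"\x00")

if __name__ == "__main__":
    servers = (("unpatched", SimulatedTLSServer(HEAP, True)),
               ("patched", SimulatedTLSServer(HEAP, False)))
    for name, srv in servers:
        for n in (1, 0x4000):
            verdict, leaked = probe(srv, n)
            print(f"{name:9} payload_length={n:#06x}: {verdict}, {len(leaked)} byte(s) leaked")
```

With the 4096-byte constructed heap, a declared length of 1 against the unpatched server leaks a single byte, 0x4000 runs past the buffer and is reported as a crash, and the patched server answers neither; a well-formed request (declared length matching the payload, 16 bytes of padding) is echoed by both servers and correctly classified as not vulnerable. Only the heap size, not load or freelist state, drives the crash here.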

