indutny: your sibling comment is dead because it's the exact same text as your previous comment, and HN code killed it as a double-post. https://news.ycombinator.com/item?id=7576670 <- from 3 days ago lol
Thanks for publishing. FWIW I tried your tools, and it said my server Nginx HTTPS was vulnerable, but I couldn't get any keys out of it. I created a 180MB dump file, and then scanned it, and it finished without finding keys (and I repeated this again)
This also failed, and it actually said my server was likely not vulnerable?
I compiled my own Nginx, (but not my own SSL, that came from Debian 7.0 Wheezy)
Linux ... 3.9.3-x86_64-linode33 #1 SMP Mon May 20 10:22:57 EDT 2013 x86_64 GNU/Linux
OpenSSL 1.0.1e 11 Feb 2013
I just upgraded the Debian libssl1.0.0 package, and now your code says I am safe. I see there is the len(all_data) > 24 check.
Should compiling my own Nginx have any effect on whether the exploit works? I would think not, but 2 different exploits failed (although maybe I didn't run it long enough).
FWIW it was Nginx 1.0.12.
EDIT: FWIW, now that I read Cloudflare's results, they think the Nginx server is only vulnerable shortly after being restarted. My server was running for months, which may have explained why it wasn't vulnerable. Oh well.
No, the primes (and thus key) can be retrieved at any time, but it may be more frequently found right after reboot.
I would recommend you to gather at least a gigabyte before digging for the key - preferably more. I dumped 43 GB from CloudFlare on Sunday, and found the prime 194 times in that dump. It can be found in much less time, however. Here's a test I just did against the CloudFlare server, resulting in the full prime 34 times in 60 seconds: https://twitter.com/einaros/status/456136820913238016
The code from the second posted you noted (https://news.ycombinator.com/item?id=7577659) isn't mine. That one builds off of the original Python PoC, which fails for a lot of configurations.
The Github code is the first publication I've done. Let me know if you see a server that's vulnerable, that the Github code fails to detect.
Doing realtime prime detection is trivial in mine as well. Either pipe the outfile or add to the lib. I didn't write the dump tool with keys as primary target; they just happened to be there.
Sorry, my comment may have come across as an unnecessary criticism of your technique rather than how I intended it - as mentioning a shortcoming of my program in not saving all data received, and that you may be able to get some interesting results from your dump by searching for other key data and in different formats.
On other hand - you could try using my tool, and keep it running up until it'll find the key. It doesn't collect any dumps and does all processing in a real time.
I didn't actually write mine to collect primes :) I'm working with data dumped from other network devices, and for the most running various Yara rules during and after collection.
It doesn't link for me on Ubuntu 13.10. I wasn't going to be too hard on a quick project for being unportable, but a broken build tool makes it difficult to get working anywhere.
> This is tricky. This uses the ssl3_write_bytes() function in order to send heartbeats encrypted after the SSL handshake is complete. This function is sometimes exported in OpenSSL libraries, and sometimes not.
> If that's the trouble, then you have to download and build OpenSSL, then link this tool with their object files. I did this by doing:
git clone git://git.openssl.org/openssl.git
cd openssl
./config
make depend
make
gcc ../heartleech/heartleech.c libcrypto.a libssl.a -ldl -o heartleech
> This is evil, because I'm simultaneously linking to the local libraries and the system libraries for OpenSSL, but it seems to work without too much trouble.
Sorry if I wasn't clear, but I did try that. Result: http://pastebin.com/mM3G7NgX I finally got it working by using instructions from a different heartbleed PoC:
Nice. To speed things up, you could look for 128 byte malloc'ed chunks with a 16 byte header of "xx xx xx xx 90 00 00 00" or "xx xx xx xx 91 00 00 00" (for a 2048 bit modulus).
Looks to me like OpenSSL caches the modulus for Montgomery multiplication and that's where the primes in higher memory are coming from (see rsa_eay.c around line 774).
