Collaborate Disseminate
How can an attacker send a bogus Heartbeat request as per the TLS extension addressed in RFC 6520 without hijacking the TLS connection altogether? RFC 6520 states:
The Heartbeat protocol is a new protocol running on top … Continue reading TLS heartbeat request and Heartbleed how?
As you may already know old Openssl versions were vulnerable(OpenSSL 1.0.1 through 1.0.1f (inclusive)) by the HeartBleed vulnerability. Currently our server is running Tomcat7 which is built in a vulnerable Openssl, so we upg… Continue reading Should I regenerate SSL certificates after upgrading Openssl
My understanding is that ASLR randomly arranges the key data areas of a process, and so reading contiguously above a buffer as is done in heartbleed would not be enough to achieve the exploit.
A race condition occurs when two or more threads access shared data and try to do so at the same time.
The Heartbleed attack is a vulnerability in OpenSSL, where a Client sends heartbeat requests to a Server. The heartbeat … Continue reading What is the race condition in the Heartbleed attack?
I am working on a Heartbleed example exploit. I was able to set the server up with an older version of Apache and OpenSSL and the server is infact vulnerable. However, when leaking the information, the only information that’s… Continue reading How can you influence what will be leaked by Heartbleed?
The Nmap script for HeartBleed (using Nmap v7.40) seems to work only over known ports. Whenever a non-standard port is used, the script does not report anything.
nmap -p 46000 –script ssl-heartbleed -script-args vulns.showa… Continue reading Nmap HeartBleed script does not seem to work over non-standard ports
Oracle pushed out an emergency update for vulnerabilities dubbed ‘JoltandBleed’ affecting five of its products that rely on its proprietary Jolt protocol. Continue reading Oracle Issues Emergency Patches for ‘JoltandBleed’ Vulnerabilities
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
SSL Vulnerabilities Detected by A2SV
Planned for future:
Installation & Requirements for A2SV
A.
Continue reading A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
Whenever there’s a new Windows virus out there wreaking global havoc, the Linux types get smug. “That’ll never happen in our open operating system,” they say. “There are many eyes looking over the source code.” But then there’s a Heartbleed vulnerability that keeps them humble for a little while. Anyway, at least patches are propagated faster in the Linux world, right?
While the Linuxers are holier-than-thou, the Windows folks get defensive. They say that the problem isn’t with Windows, it’s just that it’s the number one target because it’s the most popular OS. Wrong, that’d be Android for the last …read more
Continue reading Free as in Beer, or the Story of Windows Viruses
Your daily round-up of some of the other stories in the news Continue reading News in brief: Update Flash now; Heartbleed fine; the $1.9m email