This module exploits a vulnerability in the Client System Analyzer component of the Oracle Database Server.
This module exploits a stack-based buffer overflow in the Oracle process. This is done by sending an 'AUTH_SESSKEY' property longer than the 64 bytes expected.
A missing boundary check in the TLS Heartbeat extension in OpenSSL can be abused by remote attackers to read up to 64 KB of memory from the server. This memory disclosure vulnerability can be used by remote unauthenticated attackers to obtain sensitive information from the affected server, including private keys and session cookies. This module will check if the target machine is vulnerable and it will try to dump memory contents to the Module Log window. This memory dump may contain sensitive data, as explained above.
This module exploits a vulnerability in OpenSSL by sending a "Change Cipher Spec" message to the server.
This module exploits a vulnerability in the OpenSSL library, which is used by Apache if HTTPS support is provided. OpenSSL versions 0.9.7-beta, 0.9.7, 0.9.7a and 0.9.7b are affected. The corresponding OpenSSL advisory states: "Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in the deallocation of the corresponding data structure". This module triggers this deallocation and abuses the dynamic memory allocator of vulnerable Linux systems in order to execute arbitrary code. This module cannot be launched from an agent.
This module exploits a vulnerability in the OpenSSL library. OpenSSL versions 0.9.7-beta, 0.9.7, 0.9.7a and 0.9.7b are affected. The corresponding OpenSSL advisory states: "Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in the deallocation of the corresponding data structure". This module triggers this deallocation and abuses the dynamic memory allocator of vulnerable Linux systems in order to execute arbitrary code. 3 different attack methods are available:
- Known-targets: this method will attempt to exploit the remote server using the parameters of the built-in known-targets. Since this method will be carried out quickly, it is the first one that should be tried.
- Stack at 0xc0000000: this method will try to brute-force the stack until the correct return address is found. This method can take a very long time, but will stop as soon as it considers that the correct return address could not be found.
- Stack at 0x80000000: this method is similar to the previous one and should only be tried if the previous methods failed. The stack on most Linux systems is located at 0xc0000000, but in some rare cases it can be located at 0x80000000.
This module exploits an error in the PAM authentication code present in certain portable versions of OpenSSH. Vulnerable servers allow valid users to log in with invalid passwords.
After successful exploitation an agent will be deployed. The agent will be installed with root privileges.
This exploit abuses an integer overflow condition present in sshd's authentication for bsdauth and skey authentication modes. After successful exploitation an agent will be deployed. The agent will be installed with root privileges. Tests performed in our lab required up to 1 hour to find the needed address in the raw brute forcing mode.
The vulnerability is caused by a boundary error within the authentication process. This can be exploited to cause a stack-based buffer overflow by sending an overly long, specially-crafted password to the affected server.