Heart Bleed is turning out to be one of the worst bugs to hit web. While sys admins every where have been rushing to fix the web facing servers. Worst of it was thought to be mitigated by patching the servers and loadbalancers that terminated the SSL connections. It has now been demonstrated that clients that use openssl is also effected and these include
- MariaDB 5.5.36
- wget 1.15 (leaks memory of earlier connections and own state)
- curl 7.36.0
- git 1.9.1 (tested clone / push, leaks not much)
- nginx 1.4.7 (in proxy mode, leaks memory of previous requests)
- links 2.8 (leaks contents of previous visits!)
- links is a great example that demonstrates the effect of this bug on clients. It is a text-based browser that leaks details including headers (cookies, authorization tokens) and page contents
A malicious server can take advantage of this and copy the memory contents from an unsuspecting client memorys as demoed here
here I am trying to load a Image from one of my servers that has social media content then after i load the page i connect to a malicious server that tries to exploit this bug.
As you can seen I am able to get exif data of the loaded image and partial content of image.
Here is another demo where by i try to connect to maybanklogin page. then connect to my malicious server. As you can see I am able to get the header passed by the page and partial content of the page too
Please do note this is not a bug on server side but a bug on client side so go and update your OpenSSL library asap. You can get the demo code from https://github.com/Lekensteyn/pacemaker