Heartbleed is turning out to be one of the worst bugs to hit the web. Sysadmins everywhere have been rushing to fix web-facing servers, and the worst of it was thought to be mitigated by patching the servers and load balancers that terminate SSL connections. It has now been demonstrated that clients that use OpenSSL are also affected, and these include:
- MariaDB 5.5.36
- wget 1.15 (leaks memory of earlier connections and own state)
- curl 7.36.0
- git 1.9.1 (tested clone / push, leaks not much)
- nginx 1.4.7 (in proxy mode, leaks memory of previous requests)
- links 2.8 (leaks contents of previous visits!)

links is a great example that demonstrates the effect of this bug on clients. It is a text-based browser that leaks details including headers (cookies, authorization tokens) and page contents.
A malicious server can take advantage of this and copy memory contents from an unsuspecting client, as demoed here.
Here I am trying to load an image from one of my servers that has social media content; then, after I load the page, I connect to a malicious server that tries to exploit this bug.
As you can see, I am able to get the EXIF data of the loaded image and partial content of the image.
Here is another demo, whereby I try to connect to the Maybank login page, then connect to my malicious server. As you can see, I am able to get the header passed by the page and partial content of the page too.
Please do note that this is not a bug on the server side but a bug on the client side, so go and update your OpenSSL library ASAP. You can get the demo code from https://github.com/Lekensteyn/pacemaker
It was one of those rare quiet mornings in the office (touch wood) when Naail @kudanai (http://www.kudanai.com/) pinged me about an interesting problem he had. He asked me for suggestions on scraping the IGMH doctors' duty roster from this ancient-looking ASPX page. At the time he had a Google App Engine app and was attempting to use YQL to wrangle the data out of the page, as the page was being served from a non-standard port on the server, which App Engine did not like.
I suggested that he port the app over to Django proper and move the whole application over to my server. To this end we ported the app over to Django and added some fancy (i.e. stupid) caching so that we don't kill the poor server we were scraping the data from. The front end is built on jquerytouch and Compass. API stubs are also available to anyone who wants to get some sane-looking data for their own apps. For access, ping Naail or me (@NashRafeeg).
To try it out for yourselves, visit: http://igmh.dot.my
For how we got started on this endeavor, hit up http://www.kudanai.com/2012/08/igmh-mobileweb-app-open-for-testingusage.html