Full Disclosure mailing list archives
Re: heartbleed OpenSSL bug CVE-2014-0160
From: * <turmoil () privacyrequired com>
Date: Wed, 09 Apr 2014 22:42:05 -0700
Passwords could easily be found with servers that would have many logins, for example mail.yahoo.com. Here's what a small sample of such a login looked like using one of the Python PoCs that were available:

----------------
}]..Connection: keep-alive..Cont ent-Type: applic ation/x-www-form -urlencoded..Con tent-Length: 96. ...username=john niedoe123%40gmai l.com&password=s upersecret123&re member=remember& submit_form=Sign +in..E5.....dJ..
----------------

Besides passwords though, one could also get cookies and session data.

On 09/04/14 18:32, craig () rideaunetworks com wrote:
On April 8, 2014 10:21:34 AM Matthew Musingo wrote:

Even if your systems were patched an attacker could have already attained the secrets. Certs and other sensitive information need to be reconsidered for replacement or changed.

How realistic is it that an attacker would be able to glean passwords through this vulnerability? Programmatically searching through 64k memory dumps for certificates seems plausible, but looking for passwords does not. A password is of no pre-determined length or format. So unless you know what strings are wrapped around it (and those strings are reliably presented), isn't the loss of some types of sensitive information.... unlikely?

Cheers.
Craig
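
An added example, not part of either message and not taken from any PoC: a triage sketch for an operator reviewing dump text collected from their own server, showing that the field names of an urlencoded login body are the "strings wrapped around" a password, and producing a reset list without ever returning the secret. The field-name sets, `ROWS` sample and `exposed_credentials` function are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Field names treated as secrets or account ids (assumptions; match your own forms).
SECRET_FIELDS = {"password", "passwd", "pass", "pwd"}
ACCOUNT_FIELDS = {"username", "user", "login", "email"}

# Two or more key=value pairs joined by '&': the shape of an urlencoded POST body.
# '.' is allowed in values only, because the dump prints unprintable bytes as '.'.
PAIR = r"[A-Za-z0-9_\-]+=[A-Za-z0-9_.\-%+*]*"
FORM_RUN = re.compile(PAIR + r"(?:&" + PAIR + r")+")

# Constructed sample: the 16-character ASCII column of a hexdump, one row per item.
ROWS = [
    "..Content-Length",
    ": 72....username",
    "=alice%40example",
    ".com&password=Co",
    "nstructed-Pw-1&r",
    "emember=remember",
    "..K2............",
]

def exposed_credentials(text):
    """Return one finding per form body that carries a non-empty secret field.
    The secret itself is never returned, only its field name and length."""
    findings = []
    for run in FORM_RUN.finditer(text):
        fields = dict(pair.split("=", 1) for pair in run.group().split("&"))
        secrets = [k for k, v in fields.items() if k.lower() in SECRET_FIELDS and v]
        if not secrets:
            continue
        account = next((unquote_plus(v) for k, v in fields.items()
                        if k.lower() in ACCOUNT_FIELDS), None)
        findings.append({
            "account": account,
            "secret_fields": secrets,
            "secret_length": len(unquote_plus(fields[secrets[0]])),
        })
    return findings

if __name__ == "__main__":
    # Rows must be rejoined without separators: fields straddle the 16-byte columns.
    for finding in exposed_credentials("".join(ROWS)):
        print(finding)
```

Scanning the rows with the column spacing left in place finds nothing, so rebuild the contiguous stream before searching.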