I have been playing with the Python implementation of Heartbleed on a couple of servers and got all sorts of data in response.
Amongst the data received, I have seen:
- Cookie values (SESSIONID, etc.)
- Random characters that make no sense
- HTML
- ...?
I know I'm being a script kiddie here, but anyway, I was wondering where this data comes from (RAM?), what apps put the data there (Apache? OpenSSL?) and generally hoping to get a broader picture of what is going on.
Any help?
According to heartbleed.com, a vulnerable machine can leak 64 KB of memory contents per heartbeat request, but an attacker can make those requests arbitrarily many times. I've seen comments to the effect that an attacker could theoretically recover enough data to fully reconstruct the RAM contents of the target machine - or, at least, however much of it Apache (or whichever program is involved in the SSL session) could see. That can include, for example, cookies, files that are being served, and from data coming in - especially usernames and passwords.
One particular problem is that any process doing SSL needs to have enough information to decrypt incoming data and sign outgoing data - that is to say, the private key. Leaking that opens you to MITM attacks and potentially (not always) retrospective decryption of intercepted data. The potential for keys to leak undetected is why the advised response is to patch OpenSSL and then rekey - patching OpenSSL protects you against future attacks, but you have no way of knowing whether your encryption keys are already compromised.
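To make the mechanism behind the answer concrete, here is an added example (not code from the question, the answer, or OpenSSL itself) that models the heartbeat handling the bug lives in: the server trusts the 16-bit payload length inside the request and copies that many bytes from the request's payload into its reply, so a request that claims more than it carries makes the reply contain whatever sits after the record in the process's memory. Process memory is modelled as one flat array so the over-read stays inside a real C object and the demo itself has no undefined behaviour; the names, sizes and the neighbouring "heap" contents (a cookie, a login form, a page fragment) are all constructed assumptions of this example. The fixed handler has the same shape as the real fix: reject the record unless it is long enough to hold the claimed payload plus padding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE  (64 + 3 + 65535 + 16 + 256) /* room for the worst-case over-read */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* minimum padding after the payload (RFC 6520) */
#define REC_OFF     64      /* where the incoming record sits in the arena (assumed) */
#define MAX_RESP    (3 + 65535 + HB_PADDING)

typedef struct {
    unsigned char mem[ARENA_SIZE]; /* simulated heap of the TLS server process */
    size_t rec_len;                /* bytes of the heartbeat record actually received */
} process_t;

static process_t g_proc;

/* Lay out the arena: a heartbeat record at REC_OFF, then constructed sample data a
 * busy web server might have nearby (the kind of thing the question saw leak). */
static void setup_process(process_t *p, uint16_t claimed_len, const char *real_payload)
{
    static const char neighbour[] =
        "Cookie: SESSIONID=deadbeef1234\r\n"
        "user=alice&password=hunter2\r\n"
        "<html><body>Welcome back</body></html>\r\n";
    size_t real_len = strlen(real_payload);
    unsigned char *r = p->mem + REC_OFF;

    memset(p->mem, 0x41, ARENA_SIZE);            /* filler: the "random characters" */
    r[0] = HB_REQUEST;
    r[1] = (unsigned char)(claimed_len >> 8);    /* attacker-controlled length field */
    r[2] = (unsigned char)(claimed_len & 0xFF);
    memcpy(r + 3, real_payload, real_len);
    memset(r + 3 + real_len, 0, HB_PADDING);
    p->rec_len = 3 + real_len + HB_PADDING;      /* what the record really contains */
    memcpy(r + p->rec_len + 200, neighbour, sizeof neighbour - 1);
}

/* Build the response: echo `payload` bytes starting at the request's payload. */
static size_t echo_payload(const unsigned char *r, uint16_t payload, unsigned char *out)
{
    out[0] = HB_RESPONSE;
    out[1] = r[1];
    out[2] = r[2];
    memcpy(out + 3, r + 3, payload);             /* reads past the record if payload is a lie */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Vulnerable handler: the claimed length is never compared with rec_len. */
size_t heartbeat_vulnerable(const process_t *p, unsigned char *out)
{
    const unsigned char *r = p->mem + REC_OFF;
    uint16_t payload = (uint16_t)((r[1] << 8) | r[2]);
    return echo_payload(r, payload, out);
}

/* Fixed handler: the record must actually hold the claimed payload plus padding;
 * otherwise the message is silently discarded (returns 0). */
size_t heartbeat_fixed(const process_t *p, unsigned char *out)
{
    const unsigned char *r = p->mem + REC_OFF;
    uint16_t payload;
    if (p->rec_len < 1 + 2 + HB_PADDING)
        return 0;                                /* too short to carry a header at all */
    payload = (uint16_t)((r[1] << 8) | r[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > p->rec_len)
        return 0;                                /* claimed more than was sent: drop it */
    return echo_payload(r, payload, out);
}

/* Plain byte search; replies are binary and not NUL terminated. */
int reply_contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* One probe against the simulated server: -1 if the handler drops the request,
 * otherwise whether `needle` appeared in the reply. */
int probe(int use_fix, uint16_t claimed_len, const char *real_payload, const char *needle)
{
    static unsigned char reply[MAX_RESP];
    size_t n;
    setup_process(&g_proc, claimed_len, real_payload);
    n = use_fix ? heartbeat_fixed(&g_proc, reply) : heartbeat_vulnerable(&g_proc, reply);
    if (n == 0) return -1;
    return reply_contains(reply, n, needle);
}

/* Size of the reply a handler produces for a claimed length (0 = dropped). */
size_t reply_size(int use_fix, uint16_t claimed_len, const char *real_payload)
{
    static unsigned char reply[MAX_RESP];
    setup_process(&g_proc, claimed_len, real_payload);
    return use_fix ? heartbeat_fixed(&g_proc, reply) : heartbeat_vulnerable(&g_proc, reply);
}

int main(void)
{
    printf("honest 3-byte request, vulnerable server: reply %zu bytes\n", reply_size(0, 3, "hat"));
    printf("claims 16384 bytes, vulnerable server: cookie leaked = %d\n",
           probe(0, 0x4000, "hat", "SESSIONID=deadbeef1234"));
    printf("claims 16384 bytes, fixed server: result = %d (-1 means dropped)\n",
           probe(1, 0x4000, "hat", "SESSIONID=deadbeef1234"));
    return 0;
}
```

The point the example makes about the answer's "64 KB per request" figure: the reply is sized purely by the two length bytes the attacker sends, so a claimed 65535 yields a 65554-byte reply from a request that was 22 bytes long, and repeating the probe samples whatever happens to be adjacent to each new record buffer. Nothing in the over-read is specific to any one application: the bytes are simply whatever the TLS process had in memory near the record, which is why cookies, request bodies and HTML all turn up together.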