TÌM HIỂU TẤN CÔNG HEARTBLEED
Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (1.03 MB, 34 trang )
Giáo viên hướng dẫn: KS. Nguyễn Văn Nghị
Nhóm thực hiện :
Lớp :
Hà Nội, tháng 3 năm 2015
Nhóm 6 – Tìm hiểu tấn công HeartBleed
!"#
2
Nhóm 6 – Tìm hiểu tấn công HeartBleed
$$
3
Nhóm 6 – Tìm hiểu tấn công HeartBleed
$%
4
Nhóm 6 – Tìm hiểu tấn công HeartBleed
&'(
!"#$%&% '()*
)&!+,$-"#%& &/&-0
1 $/23 +4-$56%$7
&'$)*)&5#0 )8-90$5(
): 3 /;:8-(+4%</
-=&72(>2%:$/23 - /1
$+
?9>2%:$9:<@%&$
A-2>2$): (-5#0 8
-0$5(): B(+C-2("D)8>'
EFF,-9<(5 /1&&2(-
"D)8'@%&: 3 2+G-): 5"H-@%&
(;-9-2>2";&+I 0(JK)-@-1&
“Tìm hiểu tấn công heartbleed” )thầy Nguyễn Văn Nghị )L+M')
N-O(OP!Q
)*+,-.-)/0,1234)*+,-4)5467,18,-)9:;6<=99>?@A<B-/:A6)21
CCDC.R!&/: !(0$>)%&>'E
FF,SC,F
)*+,-.@/EF6?@6)G1)/H,67,18,-9:;6=99>.R!&/7
>&/%0-1!>2%1&-=%&;:0$TU)+
5
6
IJ.#KLIJL"L
M
KCCDC
NONO7,18,-9:;6=99>
1.1.1. Tấn công OpenSSL dựa trên lỗ hỗng Heartbleed
T>))V&W(X( Y&'Z%1>2<
%:<@)@ O[\FF,%:&/-"D)8'
@-9(9E>2< /12]C,F^+,Z
.&/&53 2N%: &595DK
_['>C,F+C_>& O6
NZ.>)+,Z.&/`-6!0/
-$><Q5N(/N5"%&<
5a N"D)8+M1 !3 >2< /
-@-2>(%&%0>2<-6%3 2V:
6%1Z&/+
1.1.2. Quá trình phát hiện
C_['T>(EC,F%&4C,F&'
>' a-$289bcRdePf$>6%&(P_
PfgP+M`)*)&59%&(W"6Y]%^(
5$>2<&5$2&h <Z
56+
M_Pfggb>F?4 "> ij""-@
(9 _ [ ' T> >' %: @ O [
\FF,+F 5F/ -_&/N7%&
\FF,/ N$-@-FM+T"'>6&
(9N\FF,&`-((+T"-@5$
(:Z3 (7(9NF%&-@--@
O5$&:&/%&%:@ O[N\FF,%&
&/kg(gP_Pfgg+?@EZ.>2<&/-"D
)8'@>2\FF,g+f+g&/gl(k_PfgP+
C_>-5%&& /mm/(
>2\FF,EZ.>2<T>)+
M&%>2<N$/n-@$>6Z
.T>)%&&/g(l_Pfgl+,Z.&/5`Z
7
5DK>');:_['T>m/
+?6!9_o$-dlGUJ>'NE
)8%Z;:&>+
,Z.)'5p"$/R)'$/
Nq,-=-Oo%(X( +T-@0/
1&T>)+A2Z&/$+
1.1.3. Phương pháp tấn công và khai thác lỗ hổng
L)*+,-6)21)AP6EB,-1Q:6R,),S,-9:;6<9:66;0,C
T>&!-5-956C,FS4C,F]'
a$:& '5-@
%&"%^&5$'5%7(N85
3 FF,SC,FE%&01 +C$-:T>b3 "
-DJ"%>O): r/%&-')&N)
: +F%<-$-:&/"H2D()
: / ]7g+g^Q
Hình 1.1. Heartbeat request (dạng bình thường)
8
C$-:T>3 "0 " Q
struct {
HeartbeatMessageType type;
uint16 payload_length;
opaque payload[HeartbeatMessage.payload_length];
opaque padding[padding_length];
} HeartbeatMessage;
C0 &/7-')&): payload_length 6-&gdi>
")E&T>3 "9/ "%2):
9 dlGU+ R -1 &/ & / m m/ Z .
T>)+
+1)T4)56U/,)=V)W,-9:;6<=99>
,Z.&/->o OJ&tls1_process_heartbeat/dtls1
_process_heartbeat Es ssl/t1_lib.c %& ssl/dl_both.c N
%:\FF,+
M') N&Q
“dtls1_process_heartbeat/dtls1_process_heartbeat”:
int dtls1_process_heartbeat(SSL *s){
unsigned char *p = &s->s3->rrec.data[0], *pl;
unsigned short hbtype;
unsigned int payload;
unsigned int padding = 16; /* Use minimum padding */
/* Read type and payload length first */
hbtype = *p++;
n2s(p, payload);
pl = p;
if (hbtype == TLS1_HB_REQUEST)
9
{
unsigned char *buffer, *bp;
int r;
/* Allocate memory for the response, size is 1 byte
* message type, plus 2 bytes payload length, plus
* payload, plus padding
*/
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;
/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);
bp += payload;
/* Random padding */
RAND_pseudo_bytes(bp, padding);
r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
if (r >= 0 && s->msg_callback)
s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
buffer, 3 + payload + padding,
s, s->msg_callback_arg);
OPENSSL_free(buffer);
if (r < 0)
return r;
}
736;X1<Y,-)/1Q:CCDC.
typedef struct ssl3_record_st {
int type; /* type of record */
unsigned int length; /* How many bytes available */
unsigned int off; /* read/write offset into 'buf' */
unsigned char *data; /* pointer to the record data */
unsigned char *input; /* where the decode bytes are */
unsigned char *comp; /* only used with decompression - malloc()ed */
unsigned long epoch; /* epoch number, needed by DTLS1 */
unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
} SSL3_RECORD;
U2FF,%k&/>Ok&Qtypelength%&data+
GD"%$-:T>3 "Q&data
10
>2FF,%k&"%<-&): &T>3 "+
Rhp-)r>["%-9DK>2&/0 7=-V
"Hh>/- >2&/0 -$2" Q
F% "H & D K / % - ) &
dtls1_process_heartbeatQ
/* Read type and payload length first */
hbtype = *p++;
n2s(p, payload);
pl = p;
U)t:"H(>/- N>2FF,%k&T>/+
T&P""H0/P>/Jh%&-=%&/)+?m/&-')&
-5>(T>3 "]KA-')&&/>2
FF,%k5$-59r%-')&;NT>
)T>3 "/5$^+G3 2)t:Ek&h
"Hh%&&T>)-$2" Q
I`-)Q
unsigned char *buffer, *bp;
int r;
/* Allocate memory for the response, size is 1 byte
* message type, plus 2 bytes payload length, plus
* payload, plus padding
*/
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;
/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);
11
?)&/'2-'> ss/&0 N
T>""%&50&
g P deeke gd+ + +
+G-
h>-h%&> ss%&)r-9$%&> ss+U/
- -%&> ss"H&T>/QC,FguTUubjFq\MFj+
T&"P7%&P""H0/gd>(V/)-=%&
P>/"N> ssT&/]>/)^"H;:"
`(>//)J%&>]E&"`&>'T>)N
T>3 "^+
?1 7"H2/ -')&;NT>)5$>A
%-')&/)u-5>(T>3 "v
M /)u!7&/"H"`2)
: /" T>)>'--'N
7+
M%</59)rT>3 "%%:5-')&
payload _6-&dlGU"%790/-$
><>'-'N"%+?m/&Z.T>)
]7g+P^Q
12
Hình 1.2. Tấn công Heartbleed
)Z,-6)8,-6/,;[;\]3:=V)W,-
U'& payload T>3 "hB&>'
&\FF,)r-9 $><5(Q
• GN"%-"D)8')&+
• GC,F+
• 4: ><Q<5a +
• F""4])@/(V^+
M%</%0$$3 Z.T>)759
-$><&/+
13
1.6.4. Giải pháp khắc phục và ngăn chặn tấn công
/^_6;:EB>@/6)G16T1Q:9:;6<9:6>:6:]"D" )^
if (1 + 2 + 16 > s->s3->rrec.length)
return 0; /* silently discard */
if (1 + 2 + payload + 16 > s->s3->rrec.length)
return 0; /* silently discard per RFC 6520 sec. 4 */
`,-174=0,4)/0,<Y,_a/NObON-EcE*d1?5=V)W,-9:;6<=99>O
C_T>->." %&%:\FF,JfkSPfgP+
w7%</(>2\FF,JfkSPfgP-flSPfgl"H>V
2[J>2\FF,g+f+g-@-%(Z.Q
• \FF,g+f+gg+f+gs>V2[+
• \FF,g+f+g-@%(Z.5$>V2[+
• \FF,g+f+f%&(>2B!5$>V2[+
T>)5$2&Z.EFF,SC,F&&Z
<7%:@ O[\FF,+w7%</95x-V
AEFF,SC,F&5$>V(%y%&%L-& a
%&%:@$-9 /1-((
N@>2<F/+C /!ddz{>"& "D
)8%:\FF,%&01 {>"-"D)8>2B
\FF,]J>2g+f+gg+f+gs^ /!>V0$5(
Z.T>)+R/ -=&($/<</
<E>20N\FF,&>2g+f+g-@-%(Z
.T>)="D)8>25$>V2[>[Z
.&/+
14
IJ.ef
,Z.T>)9-5(5V>25(
Q0$)V%8{>&0$)V%8-:D&
=0$$7295>[1\wqM+
M') !&/7>&/%:&-=%&;:0$T>)
-90$)V%8{>&>O(') " Q
• $7&-=%&;:0$+
• R&-=(/N{>+
• R&-=(/+
• C;:0$5(Z.T>)+
gONO8)h,)1@/EF6?@6)G1)/H,67,18,-
T7P+g+$7&-=%&;:0$T>)
C7P+g(/N/:-1 &R\Fd+e-&-=>'
@ O[\FF,5$5Ief| 0)V%8{>
&]"^ %&4MF"%+(//:-1 &}){Iq
-&-=7) /:cs-9"D)8)V%8{>J(/N+(/&
15
-= 0 $ / : -1 & }~ - & -= $ 8
OpenSSLHeartbleedExploit.exe-90$%&5($>
<>'b•N(/N+
gOgO@/EF6_5i1)Q
2.2.1. Thi@t lAp cấu hình mBng
C<0 7q€(/N}><ssi
f
#vi/etc/sysconfig/network-scripts/ifcfg-eth0
R!7;:" Q
DEVICE=eth0
HWADDR=00:0C:29:D3:EB:B0
TYPE=Ethernet
UUID=456dd9e1-1772-4cbf-ba0f-81c0710394e0
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=192.168.2.10
NETMASK=255.255.255.0
DNS1=8.8.8.8
IPV6INIT=no
USERCTL=no
2.2.2. Thi@t lAp cấu hình dịch vụ DNS
C<0 7<)+s>A("D)8m :Q
#vi /etc/named.conf
R!7;:" Q
16
options {
listen-on port 53 { 192.168.2.10;127.0.0.1;};
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
C<0 7(<• <%&•V1
{{{+"+Q
• ‚ <test.db-5>(< /var/named/test.db" Q
17
$TTL 1D
@ IN SOA test.com. (
2014111301 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ); minimum
IN NS test.com.
IN A 192.168.2.10
www IN A 192.168.2.10
• ‚Vtest.nghich-5>(</var/named/test.nghich
" Q
$TTL 1D
@ IN SOA test.com. (
2014111301 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS test.com.
10 IN PTR test.com.
10 IN PTR www.test.com.
R0 7 & -= name server (/ N }> <
/etc/resolv.confQ
nameserver 192.168.2.10
G[/)V%84MF>Am :service named start .
G9-'N)V%84MF-@&-=$3 m :Q
# nslookup test.com
Hình 2.2. Kiểm tra dịch vụ DNS
18
M%</)V%84MF-@-&-=&$+
2.2.3. Thi@t lAp Web site chFa lỗ hổng bảo mAt heartbleed
C8E{>"Q
#mkdir /var/www/html/web
C$ 3 $ 8 vi ( {> index.php,
authenticate.php, backend.php, database.php, process.php, logout.php
8/var/www/html/web+M') ({>&/88g+
G9("")u""-@-&-=(/N{>
>A(m :" Q
#rpm –qa | grep ‘openssl’
#rpm –qa | grep ‘mod_ssl’
Hình 2.3. Kiểm tra các gói cài đặt openssl và mod_ssl
M%</(/N{>-@-&"ƒ(""%&)u""+
n""-&-=[-m/&>2g+f+g)Z.>2<
T>)+
C5$5bF•Pfl„>(/N{>>Am :Q
#openssl genrsa –des3 –out ca.key 2048
Hình 2.4. Tạo khóa công khai cho máy chủ web
19
C'RsFb3 "]RFb^5%"%5/%J
>Am :Q
#openssl req –new –key ca.key –out ca.csr
Hình 2.5. Tạo chứng chỉ số tự ký
C'EX"6RsQnD<+"-R•-5K
…")" 5-5K%&2%1<"H['++?=
EX-@@%&!&r%!E5+
#openssl x509 –in ca.csr –out ca.cert –req –signkey ca.key –days 365
Hình 2.6. Tạo một chứng chỉ số được ký bởi CA trong hạ tầng khóa công khai
X509
20
RX"D</etc/httpd/conf/httpd.conf
NameVirtualHost 192.168.2.10
<VirtualHost 192.168.2.10>
ServerAdmin
DocumentRoot /var/www/html/web
ServerName www.test.com
ErrorLog logs/test.error
CustomLog logs/test.log combined
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
</VirtualHost>
RX"D</etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html/web"
ServerName *:443
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
G[-')V%8>[:service httpd restart
G9 %: & -= " >A %: / < %& {>Q
Hình 2.7. Giao diện trang web:
M0 '%&>9 5-VX-9>'@)r
-9>2%:- /1): Q
21
Hình 2.8. Tham số an toàn bảo vệ www.test.com
U0†w{Rs‡-9EX"6N(/N{>Q
Hình 2.9. Chứng chỉ số của máy chủ web www.test.com
22
2.2.4. Cài đặt cơ sở dữ liệu cho trang web www.test.com
?_<%&/Fˆ,F%>Am :Q
#mysql –u root –p
G-_<mysql"H/ )r-=<5a &52
root+‰-m/7&52root"H--=<5a &†123456’+
Hình 2.10. Đăng nhập vào MySQL Server
C!"[): test{>{{{+"+%&!"[)
: &/E'>2userE$)r>Ousername%&
password$3 (:Q
mysql>create database test;
mysql> use test;
mysql>create table users(id INT(10) UNSIGNED NOT NULL
AUTO_INCREMENT, username VARCHAR(200) NOT NULL, password
CHAR(200) NOT NULL, PRIMARY KEY(id));
R& -= $ 8 3 2 K q/•)+ C & -=
q/•)Q
#yum install phpmyadmin
q/•) - & -= & $ 5 -_ < - %&
"S/)7k+gf+ˆ (7-_<"H"D)8&
52root%&<5a &123456N/Fˆ,F%+
23
Hình 2.11. Cài đặt PhpMyAdmin thành công
C$')r‘trung’%<5a &‘123456’%&
>2userN!"[): test>Aq/•)+C8†"‡
N!"[): "&-1$)r7k+gg
†n‡-9&&+
Hình 2.12. Thêm người dùng vào cơ sở dữ liệu
24
G6!"[): Q:7{{{+"+5$
3 7(!"[): /Fˆ,F%+w7%</-9{{{+"+
"D)8-!"[): "/Fˆ,F%72'
56&/var/www/html/database.php') " Q
<?php
////////// Database Connection ///////////
// MySQL information MODIFY IT HERE.
$db_name = "test"; // Database Name
$host = "localhost"; // Database host (probably won't change)
$db_user = "root"; // Database username
$db_password = "123456"; // Database password
$dbconnect = mysql_connect("$host", "$db_user", "$db_password");
// Database Connection DON'T MODIFY
if (!$dbconnect) {
echo( "<p>Unable to connect to the database server at this time.</p>");
exit();
}
if (! mysql_select_db("$db_name") ) {
echo( "<p>Unable to locate the database at this time.</p>");
exit();
}
?>
G[/)V%8/"3>Am :service mysqld restart+G9
%:56!"[): >A( /<"QSS{{{+"+%&
-_<%username &†trung’%&password&†123456’+
25
