TechReport forum vulnerable to HeartBleed (FIXED)

Posted on Tue Apr 08, 2014 8:49 am

The TechReport forum is vulnerable to HeartBleed!

Assume your password here is compromised. If you have the same password elsewhere, change it!

If anyone can get a TechReport admin's attention, please alert them - they have a vulnerable OpenSSL implementation which leaks data from server memory. (HeartBleed bug. CVE-2014-0160)
owmcyehs
Gerbil In Training
 
Posts: 3
Joined: Tue Apr 08, 2014 8:43 am

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 8:55 am

I see https://techreport.com/ is also used for subscription payments and accounts. This server is vulnerable. Please patch ASAP.
owmcyehs
Gerbil In Training
 
Posts: 3
Joined: Tue Apr 08, 2014 8:43 am

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 9:07 am

I'm not an SSL expert, but this appears to be legit:

https://blog.ipredator.se/2014/04/how-t ... leeds.html

My results when running the command:
Code:
HEARTBEATING
write to 0x1df0a70 [0x1dfa5a3] (85 bytes => 85 (0x55))
0000 - 18 03 02 00 50 e9 dc 8d-92 98 ad 4d 73 85 f4 cf   ....P......Ms...
0010 - a1 98 9f 62 7e 48 75 c1-6a ff 8b 81 f9 1c 07 a5   ...b~Hu.j.......
0020 - 8e 37 d7 cf 85 f9 45 d2-db 3d cd cd 11 51 3b 44   .7....E..=...Q;D
0030 - fc 09 d6 80 5c eb f3 18-ca 0d 51 0b 40 bb 0a 95   ....\.....Q.@...
0040 - a2 ae 4c c2 3e ae 29 22-f5 a2 df 4f d5 18 0f 71   ..L.>.)"...O...q
0050 - 56 d2 81 29 08                                    V..).
read from 0x1df0a70 [0x1df6053] (5 bytes => 5 (0x5))
0000 - 18 03 02 00 50                                    ....P
read from 0x1df0a70 [0x1df6058] (80 bytes => 80 (0x50))
0000 - 8e c4 b2 72 4d 3a 39 ca-ab 83 02 c4 1a 6f dc 10   ...rM:9......o..
0010 - 5d eb 31 77 a6 fa cd 54-27 42 b6 51 9d 1a 3f 57   ].1w...T'B.Q..?W
0020 - e9 0f 6b 2f 28 08 9f b5-0d 9c 49 e9 50 9a 28 67   ..k/(.....I.P.(g
0030 - 70 9a f4 6b a4 46 cf ab-3e 8c 5f c0 b1 50 72 a6   p..k.F..>._..Pr.
0040 - d7 28 92 05 96 ba 27 ee-d4 b6 64 7e d3 17 c2 64   .(....'...d~...d
read R BLOCK


From my limited understanding, a non-vulnerable host wouldn't have sent a "read from" response.
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3171
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA
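
Added example, not part of the original post: a small Python reader for the dump format shown above that decodes the plaintext 5-byte TLS record header of each transfer (content type, protocol version, body length). The names `tls_records` and `SAMPLE` are hypothetical, the sample is trimmed from the post's dump, and the code assumes every transfer either starts a new record or only continues the previous one.

```python
import re

# Matches the "write to"/"read from" transfer lines and the first hex row of the
# BIO dump format shown in the post above.
XFER = re.compile(r"^(write to|read from) \S+ \[\S+\] \((\d+) bytes => (\d+)")
ROW0 = re.compile(r"^0000 - ((?:[0-9a-f]{2}[ -]){5})")
TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
         23: "application_data", 24: "heartbeat"}  # 24 is defined in RFC 6520

# Constructed sample: the three transfers from the post, each trimmed to its first row.
SAMPLE = """\
write to 0x1df0a70 [0x1dfa5a3] (85 bytes => 85 (0x55))
0000 - 18 03 02 00 50 e9 dc 8d-92 98 ad 4d 73 85 f4 cf   ....P......Ms...
read from 0x1df0a70 [0x1df6053] (5 bytes => 5 (0x5))
0000 - 18 03 02 00 50                                    ....P
read from 0x1df0a70 [0x1df6058] (80 bytes => 80 (0x50))
0000 - 8e c4 b2 72 4d 3a 39 ca-ab 83 02 c4 1a 6f dc 10   ...rM:9......o..
"""

def tls_records(dump):
    """Return (direction, content type, (major, minor), body length) per record."""
    records, pending, direction, size = [], {"write": 0, "read": 0}, None, 0
    for line in dump.splitlines():
        m = XFER.match(line)
        if m:
            direction, size = m.group(1).split()[0], int(m.group(3))
            if pending[direction]:
                # These bytes continue a record body that is still owed (after the
                # handshake that is ciphertext), so there is no header to decode.
                pending[direction] -= min(size, pending[direction])
                direction = None
            continue
        m = ROW0.match(line)
        if m and direction:
            hdr = bytes.fromhex(m.group(1).replace("-", " "))
            length = int.from_bytes(hdr[3:5], "big")
            records.append((direction, TYPES.get(hdr[0], hex(hdr[0])),
                            (hdr[1], hdr[2]), length))
            pending[direction] = max(0, length - (size - 5))
            direction = None
    return records

if __name__ == "__main__":
    for rec in tls_records(SAMPLE):
        print(rec)
```

On the sample this yields one heartbeat record (type 24) in each direction, version (3, 2), which is TLS 1.1, each with an 80-byte body. The bodies are encrypted, so the dump exposes record types and sizes only, not the heartbeat payload.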

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 9:18 am

bthylafh wrote: I'm not an SSL expert, but this appears to be legit:

https://blog.ipredator.se/2014/04/how-t ... leeds.html

My results when running the command:


From my limited understanding, a non-vulnerable host wouldn't have sent a "read from" response.


Yes. The data comes from the address space of the process using OpenSSL. This is often Apache.
So what leaks is whatever Apache is working on - including requests from other users with private cookies and maybe login details. Also possible to leak the private key details from OpenSSL.
owmcyehs
Gerbil In Training
 
Posts: 3
Joined: Tue Apr 08, 2014 8:43 am

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 9:38 am

You sure it's not an NSA requirement ;)
Life doesn't change after marriage, it changes after children!
anotherengineer
Gerbil Elite
 
Posts: 567
Joined: Fri Sep 25, 2009 1:53 pm
Location: Timmins, ON Canada, Yes I know, Up in the sticks

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 9:40 am

Nice responsible disclosure... now anyone who can package an attack can take over the forums. way to go.... /slow clap/
Cybert said: Capitlization and periods are hard for you, aren't they? I've given over $100 to techforums. I should have you banned for my money.
maxxcool
Gerbil Elite
Silver subscriber
 
 
Posts: 650
Joined: Thu Sep 12, 2002 8:40 am
Location: %^&*%$$

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 9:45 am

We've released a statement on this issue here on the frontpage.

Copy/pasting the relevant text:

Tech Report wrote: We've updated the version of OpenSSL running on TR to address the problem. According to the Heartbleed test, we are no longer vulnerable.

However, if you have an account here, we strongly recommend updating your password. We cannot guarantee that some user passwords haven't been sniffed. If you use the same password on another site, it may be a good idea to change it there, too—so long as that other site doesn't fail the Heartbleed test.

Credit card information for subscribers was not compromised. That information never traveled through our servers, nor was it ever stored there. All credit card information for TR subscriptions was and will continue to be handled solely by our payment processor, Stripe. When we offer to "save" your credit card information, we're simply saving a reference to the card in Stripe's database.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Gerbil Khan
Silver subscriber
 
 
Posts: 9999
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 10:07 am

This is why I use LastPass[1] to manage my passwords: each site gets its own long randomly-generated password which is never reused. Even if my login here got owned somehow that can't affect other sites.


[1] you can use another manager, naturally, this is just my preference.
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3171
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 10:09 am

It's great that people are trying to help out, but announcing it in public just skyrockets the chances of it actually happening.
I do not understand what I do. For what I want to do, I do not do. But what I hate, I do.
derFunkenstein
Gerbil God
Gold subscriber
 
 
Posts: 21362
Joined: Fri Feb 21, 2003 9:13 pm
Location: WHAT?

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 10:10 am

It should also be noted that with ~66% of the Internet being potentially affected, there's no telling which other passwords everyone uses are vulnerable.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Gerbil Khan
Silver subscriber
 
 
Posts: 9999
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 10:58 am

derFunkenstein wrote: It's great that people are trying to help out, but announcing it in public just skyrockets the chances of it actually happening.


:roll: The bad guys know about this already.
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3171
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 11:50 am

bthylafh wrote:
derFunkenstein wrote: It's great that people are trying to help out, but announcing it in public just skyrockets the chances of it actually happening.


:roll: The bad guys know about this already.


Posting in such a fashion is professionally rude and irresponsible.. it is the same as taking pictures of your neighbor's wife nude in the backyard and posting it on every door in a 10 block radius with the statement "oh we might be able to see you".

http://en.wikipedia.org/wiki/Responsible_disclosure
Cybert said: Capitlization and periods are hard for you, aren't they? I've given over $100 to techforums. I should have you banned for my money.
maxxcool
Gerbil Elite
Silver subscriber
 
 
Posts: 650
Joined: Thu Sep 12, 2002 8:40 am
Location: %^&*%$$

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 1:18 pm

maxxcool wrote: Posting in such a fashion is professionally rude and irresponsible.. it is the same as taking pictures of your neighbor's wife nude in the backyard and posting it on every door in a 10 block radius with the statement "oh we might be able to see you".

http://en.wikipedia.org/wiki/Responsible_disclosure


This isn't remotely the same situation. The OP did not disclose any private information. As well, this isn't a professional environment (you've proven this dozens of times yourself). Yes, I think the OP could have notified site admins in a better fashion. However, I don't think what the OP did is especially wrong (or harmful at all) and your example is ridiculous.
slowriot
Gerbil First Class
Gold subscriber
 
 
Posts: 157
Joined: Wed Apr 03, 2013 10:57 am

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 1:28 pm

slowriot wrote: This isn't remotely the same situation. The OP did not disclose any private information. As well, this isn't a professional environment (you've proven this dozens of times yourself). Yes, I think the OP could have notified site admins in a better fashion. However, I don't think what the OP did is especially wrong (or harmful at all) and your example is ridiculous.

I let Morphine/Bruno (the chief bit wrangler) know as soon as this thread was posted. He'd already been working on it and was installing updated packages (you do have to wait for your specific updated package to be available) as I posted. Total time between the OP and the announcement of the fix was under 1 hour and those who need to know had known well before the OP posted. I think it's time to let Morphine get some sleep.
Life is hard; but it's harder if you're stupid. Big Al.
Captain Ned
Global Moderator
Gold subscriber
 
 
Posts: 20311
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 3:00 pm

IMO, OP should have updated the title of the thread and added a link to the announcement. Looks like he values his sleep more than morphine's.

/non-mod
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24440
Joined: Mon May 24, 2004 2:19 am

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 4:05 pm

slowriot wrote:
maxxcool wrote: Posting in such a fashion is professionally rude and irresponsible.. it is the same as taking pictures of your neighbor's wife nude in the backyard and posting it on every door in a 10 block radius with the statement "oh we might be able to see you".

http://en.wikipedia.org/wiki/Responsible_disclosure


This isn't remotely the same situation. The OP did not disclose any private information. As well, this isn't a professional environment (you've proven this dozens of times yourself). Yes, I think the OP could have notified site admins in a better fashion. However, I don't think what the OP did is especially wrong (or harmful at all) and your example is ridiculous.


Rude and wrong 100%. And yes private information was put at risk in the act.

Side note: .. only dozens? Damn .. need to try harder..
Last edited by maxxcool on Tue Apr 08, 2014 4:09 pm, edited 1 time in total.
Cybert said: Capitlization and periods are hard for you, aren't they? I've given over $100 to techforums. I should have you banned for my money.
maxxcool
Gerbil Elite
Silver subscriber
 
 
Posts: 650
Joined: Thu Sep 12, 2002 8:40 am
Location: %^&*%$$

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 4:08 pm

Can one of the BP admins be so kind and edit the thread title to read "FIXED" or something like that? Don't want to give heart attacks to people, plus there's already an announcement floating in the forums.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Gerbil Khan
Silver subscriber
 
 
Posts: 9999
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: TechReport forum vulnerable to HeartBleed (FIXED)

Posted on Tue Apr 08, 2014 4:11 pm

Got it.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37737
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: TechReport forum vulnerable to HeartBleed

Posted on Tue Apr 08, 2014 6:30 pm

maxxcool wrote: Nice responsible disclosure... now anyone who can package an attack can take over the forums. way to go.... /slow clap/


Right... because clearly no hacker is going to suspect that a phpBB forum is vulnerable to the massive security flaw that's been all over the news...

I get what you're saying - in most cases, a security flaw ought to be mentioned to the admins more discreetly - but in this case, when it's hitting something like two-thirds of the internet, it's a safe bet that the folks who you're worried about already know ;)
cphite
Gerbil Elite
 
Posts: 558
Joined: Thu Apr 29, 2010 9:28 am

