 
owmcyehs
Gerbil In Training
Topic Author
Posts: 3
Joined: Tue Apr 08, 2014 8:43 am

TechReport forum vulnerable to HeartBleed (FIXED)

Tue Apr 08, 2014 8:49 am

The TechReport forum is vulnerable to HeartBleed!

Assume your password here is compromised. If you have the same password elsewhere, change it!

If anyone can get a TechReport admin's attention, please alert them - they have a vulnerable OpenSSL implementation which leaks data from server memory. (HeartBleed bug. CVE-2014-0160)
 
owmcyehs
Gerbil In Training
Topic Author
Posts: 3
Joined: Tue Apr 08, 2014 8:43 am

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 8:55 am

I see https://techreport.com/ is also used for subscription payments and accounts. This server is vulnerable. Please patch ASAP.
 
bthylafh
Grand Gerbil Poohbah
Posts: 3822
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 9:07 am

I'm not an SSL expert, but this appears to be legit:

https://blog.ipredator.se/2014/04/how-t ... leeds.html

My results when running the command:
HEARTBEATING
write to 0x1df0a70 [0x1dfa5a3] (85 bytes => 85 (0x55))
0000 - 18 03 02 00 50 e9 dc 8d-92 98 ad 4d 73 85 f4 cf   ....P......Ms...
0010 - a1 98 9f 62 7e 48 75 c1-6a ff 8b 81 f9 1c 07 a5   ...b~Hu.j.......
0020 - 8e 37 d7 cf 85 f9 45 d2-db 3d cd cd 11 51 3b 44   .7....E..=...Q;D
0030 - fc 09 d6 80 5c eb f3 18-ca 0d 51 0b 40 bb 0a 95   ....\.....Q.@...
0040 - a2 ae 4c c2 3e ae 29 22-f5 a2 df 4f d5 18 0f 71   ..L.>.)"...O...q
0050 - 56 d2 81 29 08                                    V..).
read from 0x1df0a70 [0x1df6053] (5 bytes => 5 (0x5))
0000 - 18 03 02 00 50                                    ....P
read from 0x1df0a70 [0x1df6058] (80 bytes => 80 (0x50))
0000 - 8e c4 b2 72 4d 3a 39 ca-ab 83 02 c4 1a 6f dc 10   ...rM:9......o..
0010 - 5d eb 31 77 a6 fa cd 54-27 42 b6 51 9d 1a 3f 57   ].1w...T'B.Q..?W
0020 - e9 0f 6b 2f 28 08 9f b5-0d 9c 49 e9 50 9a 28 67   ..k/(.....I.P.(g
0030 - 70 9a f4 6b a4 46 cf ab-3e 8c 5f c0 b1 50 72 a6   p..k.F..>._..Pr.
0040 - d7 28 92 05 96 ba 27 ee-d4 b6 64 7e d3 17 c2 64   .(....'...d~...d
read R BLOCK


From my limited understanding, a non-vulnerable host wouldn't have sent a "read from" response.
Hakkaa päälle!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|SanDisk Ultra II 480GB|1988 Model M|Saitek X-45|Logitech MX 518 & F310|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
 
owmcyehs
Gerbil In Training
Topic Author
Posts: 3
Joined: Tue Apr 08, 2014 8:43 am

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 9:18 am

bthylafh wrote:
I'm not an SSL expert, but this appears to be legit:

https://blog.ipredator.se/2014/04/how-t ... leeds.html

My results when running the command:


From my limited understanding, a non-vulnerable host wouldn't have sent a "read from" response.


Yes. The data comes from the address space of the process using OpenSSL. This is often Apache.
So what leaks is whatever Apache is working on - including requests from other users with private cookies and maybe login details. Also possible to leak the private key details from OpenSSL.
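
The leak described in the reply above comes down to one missing length check, shown here as an added example that is not part of the thread and is not OpenSSL's code. It is a simplified model of an RFC 6520 heartbeat message (type, 2-byte payload length, payload, at least 16 bytes of padding); the function names and the constructed "process memory" buffer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16              /* RFC 6520: at least 16 bytes of padding */

/* Unchecked handler: echoes as many bytes as the 16-bit length field claims.
 * Returns the reply length (type + length + payload; reply padding omitted). */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                  /* never consulted: this is the flaw */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (rec[0] != HB_REQUEST || 3 + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);   /* can run past the received record */
    return 3 + claimed;
}

/* Checked handler: discard when the claimed payload does not fit the record. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0;
    return hb_reply_unchecked(rec, rec_len, out, out_cap);
}

/* Constructed stand-in for process memory: a 24-byte record (5-byte payload,
 * 16 bytes of padding) claiming 40 bytes, followed by other data marked 'S'. */
size_t demo_leaked_bytes(int checked)
{
    uint8_t mem[128], out[128];
    size_t n, i, leaked = 0;
    memset(mem, 'S', sizeof mem);
    mem[0] = HB_REQUEST; mem[1] = 0; mem[2] = 40;
    memset(mem + 3, 'p', 5);
    memset(mem + 8, 0, HB_PADDING);
    n = checked ? hb_reply_checked(mem, 24, out, sizeof out)
                : hb_reply_unchecked(mem, 24, out, sizeof out);
    for (i = 3; i < n; i++) leaked += (out[i] == 'S');   /* bytes from beyond the record */
    return leaked;
}

int main(void)
{
    printf("unchecked: %zu, checked: %zu\n", demo_leaked_bytes(0), demo_leaked_bytes(1));
    return 0;
}
```

With the check in place the mismatched message is dropped without a reply, while a message whose length field matches its record is still echoed normally.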
 
anotherengineer
Graphmaster Gerbil
Posts: 1460
Joined: Fri Sep 25, 2009 1:53 pm
Location: Northern, ON Canada, Yes I know, Up in the sticks

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 9:38 am

You sure it's not an NSA requirement ;)
Life doesn't change after marriage, it changes after children!
 
maxxcool
Silver subscriber
Gerbil Elite
Posts: 850
Joined: Thu Sep 12, 2002 8:40 am
Location: %^&*%$$

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 9:40 am

Nice responsible disclosure... now anyone who can package an attack can take over the forums. way to go.... /slow clap/
Cybert said: Capitlization and periods are hard for you, aren't they? I've given over $100 to techforums. I should have you banned for my money.
 
morphine
Gold subscriber
Gerbilus Supremus
Posts: 11331
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 9:45 am

We've released a statement on this issue here on the frontpage.

Copy/pasting the relevant text:

Tech Report wrote:
We've updated the version of OpenSSL running on TR to address the problem. According to the Heartbleed test, we are no longer vulnerable.

However, if you have an account here, we strongly recommend updating your password. We cannot guarantee that some user passwords haven't been sniffed. If you use the same password on another site, it may be a good idea to change it there, too—so long as that other site doesn't fail the Heartbleed test.

Credit card information for subscribers was not compromised. That information never traveled through our servers, nor was it ever stored there. All credit card information for TR subscriptions was and will continue to be handled solely by our payment processor, Stripe. When we offer to "save" your credit card information, we're simply saving a reference to the card in Stripe's database.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
bthylafh
Grand Gerbil Poohbah
Posts: 3822
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 10:07 am

This is why I use LastPass[1] to manage my passwords: each site gets its own long randomly-generated password which is never reused. Even if my login here got owned somehow that can't affect other sites.


[1] you can use another manager, naturally, this is just my preference.
 
derFunkenstein
Gold subscriber
Gerbil God
Posts: 23405
Joined: Fri Feb 21, 2003 9:13 pm
Location: Comin' to you directly from the Mothership

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 10:09 am

It's great that people are trying to help out, but announcing it in public just skyrockets the chances of it actually happening.
"And and if you start to bleed, stop wiping." -whm1974
 
morphine
Gold subscriber
Gerbilus Supremus
Posts: 11331
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 10:10 am

It should also be noted that with ~66% of the Internet being potentially affected, there's no telling which other passwords everyone uses are vulnerable.
 
bthylafh
Grand Gerbil Poohbah
Posts: 3822
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 10:58 am

derFunkenstein wrote:
It's great that people are trying to help out, but announcing it in public just skyrockets the chances of it actually happening.


:roll: The bad guys know about this already.
 
maxxcool
Silver subscriber
Gerbil Elite
Posts: 850
Joined: Thu Sep 12, 2002 8:40 am
Location: %^&*%$$

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 11:50 am

bthylafh wrote:
derFunkenstein wrote:
It's great that people are trying to help out, but announcing it in public just skyrockets the chances of it actually happening.


:roll: The bad guys know about this already.


Posting in such a fashion is professionally rude and irresponsible.. it is the same as taking pictures of your neighbor's wife nude in the backyard and posting it on every door in a 10 block radius with the statement "oh we might be able to see you".

http://en.wikipedia.org/wiki/Responsible_disclosure
 
slowriot
Gerbil XP
Posts: 388
Joined: Wed Apr 03, 2013 10:57 am

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 1:18 pm

maxxcool wrote:
Posting in such a fashion is professionally rude and irresponsible.. it is the same as taking pictures of your neighbor's wife nude in the backyard and posting it on every door in a 10 block radius with the statement "oh we might be able to see you".

http://en.wikipedia.org/wiki/Responsible_disclosure


This isn't remotely the same situation. The OP did not disclose any private information. As well, this isn't a professional environment (you've proven this dozens of times yourself). Yes, I think the OP could have notified site admins in a better fashion. However, I don't think what the OP did is especially wrong (or harmful at all) and your example is ridiculous.
 
Captain Ned
Gold subscriber
Global Moderator
Posts: 25968
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 1:28 pm

slowriot wrote:
This isn't remotely the same situation. The OP did not disclose any private information. As well, this isn't a professional environment (you've proven this dozens of times yourself). Yes, I think the OP could have notified site admins in a better fashion. However, I don't think what the OP did is especially wrong (or harmful at all) and your example is ridiculous.

I let Morphine/Bruno (the chief bit wrangler) know as soon as this thread was posted. He'd already been working on it and was installing updated packages (you do have to wait for your specific updated package to be available) as I posted. Total time between the OP and the announcement of the fix was under 1 hour and those who need to know had known well before the OP posted. I think it's time to let Morphine get some sleep.
If the Earth were flat, cats would have pushed everything off of it by now.
 
Flying Fox
Gerbil God
Posts: 25366
Joined: Mon May 24, 2004 2:19 am

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 3:00 pm

IMO, OP should have updated the title of the thread and added a link to the announcement. Looks like he values his sleep more than morphine's.

/non-mod
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
 
maxxcool
Silver subscriber
Gerbil Elite
Posts: 850
Joined: Thu Sep 12, 2002 8:40 am
Location: %^&*%$$

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 4:05 pm

slowriot wrote:
maxxcool wrote:
Posting in such a fashion is professionally rude and irresponsible.. it is the same as taking pictures of your neighbor's wife nude in the backyard and posting it on every door in a 10 block radius with the statement "oh we might be able to see you".

http://en.wikipedia.org/wiki/Responsible_disclosure


This isn't remotely the same situation. The OP did not disclose any private information. As well, this isn't a professional environment (you've proven this dozens of times yourself). Yes, I think the OP could have notified site admins in a better fashion. However, I don't think what the OP did is especially wrong (or harmful at all) and your example is ridiculous.


Rude and wrong 100%. And yes private information was put at risk in the act.

Side note: .. only dozens? Damn .. need to try harder..
Last edited by maxxcool on Tue Apr 08, 2014 4:09 pm, edited 1 time in total.
 
morphine
Gold subscriber
Gerbilus Supremus
Posts: 11331
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 4:08 pm

Can one of the BP admins be so kind and edit the thread title to read "FIXED" or something like that? Don't want to give heart attacks to people, plus there's already an announcement floating in the forums.
 
just brew it!
Gold subscriber
Administrator
Posts: 48269
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: TechReport forum vulnerable to HeartBleed (FIXED)

Tue Apr 08, 2014 4:11 pm

Got it.
If the world isn't making sense to you, you're either drinking too much or not drinking enough.
 
cphite
Gerbil Elite
Posts: 874
Joined: Thu Apr 29, 2010 9:28 am

Re: TechReport forum vulnerable to HeartBleed

Tue Apr 08, 2014 6:30 pm

maxxcool wrote:
Nice responsible disclosure... now anyone who can package an attack can take over the forums. way to go.... /slow clap/


Right... because clearly no hacker is going to suspect that a phpBB forum is vulnerable to the massive security flaw that's been all over the news...

I get what you're saying - in most cases, a security flaw ought to be mentioned to the admins more discreetly - but in this case, when it's hitting something like two-thirds of the internet, it's a safe bet that the folks who you're worried about already know ;)
