Proj 13: Detecting the Heartbleed OpenSSL Vulnerability and Patching It (15 pts.)

What You Need

Making an HTTPS Server

Follow the instructions here to make your Kali Linux an HTTPS server:

http://samsclass.info/120/proj/p17-https.html

Checking OpenSSL Version

To test the version, in a Terminal window, execute this command:
openssl version
The version number appears, as shown below. If the version is 1.0.1, 1.0.1f, or 1.0.1 followed by any letter before g, your server is likely to be vulnerable.

Kali Linux uses a vulnerable version!

Get the Python Heartbleed Test Source Code

In a Terminal window, execute these commands:
cd

wget http://samsclass.info/120/proj/hb1.pyx

mv hb1.pyx hb1.py

Troubleshooting

Note that the name of the file is hb and the numeral one, not the letter L.

In S214, sometimes it attempts to connect via IPv6 and the download fails. If that happens, force it to use IPv4 with this command:

wget -4 http://samsclass.info/120/proj/hb1.pyx

Test for the Heartbleed Vulnerability

cd

python hb1.py localhost

You should see the message "server is vulnerable!", as shown below.

Saving the Screen Image

Make sure the message "server is vulnerable!" is visible, as shown above.

Save a WHOLE DESKTOP CAPTURE with a filename of "Proj 13a from YOUR NAME".

Patching Your Server

Version 1.0.1g of OpenSSL is fixed. Unfortunately, Kali Linux hasn't updated their repositories to include it yet (as of 4-8-14).

So, as is often the case, you need to download the source and compile it yourself.

Downloading and Compiling OpenSSL 1.0.1g

In a Terminal window, execute these commands.

(The options on the ./config command are needed to tell OpenSSL to install into the directories Kali expects it to be in.)

wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz

tar xzf openssl-1.0.1g.tar.gz

cd openssl-1.0.1g

./config --prefix=/usr --openssldir=/etc/ssl

make

It will take several minutes to compile, and many messages will scroll by.

Installing the New Version of OpenSSL

In a Terminal window, execute this command:
make install
Many pages of messages scroll by.

Restart Apache

In a Terminal window, execute this command:
service apache2 restart

Checking the OpenSSL Version

To test the version, in a Terminal window, execute this command:
openssl version
The version number is now 1.0.1g, which has reportedly been patched.

Test for the Heartbleed Vulnerability Again

In a Terminal window, execute these commands:
cd

python hb1.py localhost

Again, you see the message "server is vulnerable!"

The server should no longer be vulnerable, but it is! Very disconcerting.

At this point, I went to Twitter to ask for help, and got this helpful message:

That was correct! Note: you should be on Twitter!

Updating libssl-dev

This update is easier, because a Debian package exists. It won't install with apt-get, though, so we'll use dpkg.

Unfortunately, you can't update libssl-dev until you update libssl, so there are two packages required.

In a Terminal window, execute these commands. When two old-style DOS-looking boxes pop up, click OK.

wget http://ftp.us.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1g-4_i386.deb

dpkg -i libssl1.0.0_1.0.1g-4_i386.deb

wget http://ftp.us.debian.org/debian/pool/main/o/openssl/libssl-dev_1.0.1g-4_i386.deb

dpkg -i libssl-dev_1.0.1g-4_i386.deb

Troubleshooting

If the wget commands don't work, it is likely that the version number has changed. Open a Web browser and go to this URL:

http://ftp.us.debian.org/debian/pool/main/o/openssl/

Look at the packages carefully and see what the new version number is. The most likely change is that the number before "_i386" has increased to 5 or 6.

Restart Apache

In a Terminal window, execute this command:
service apache2 restart
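
After the restart, it is worth confirming which libssl file Apache has actually loaded: "openssl version" describes only the command-line binary, while Apache uses the libssl shared library supplied by the libssl1.0.0 package. The script below is an added example, not part of the original project; the sample maps excerpt is constructed, and the function names and the --live option are this example's own.

```bash
#!/bin/bash
# Added example, not from the original project page.

# Succeeds if an upstream version string is in the range this page calls
# vulnerable: 1.0.1, or 1.0.1 followed by a letter before g.
is_heartbleed_version() {
    case "$1" in
        1.0.1|1.0.1[abcdef]) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads /proc/<pid>/maps text on stdin and prints each distinct libssl file
# the process has mapped. "(deleted)" means the file was replaced on disk and
# the process keeps running the old copy until it is restarted.
mapped_libssl() {
    awk '$6 ~ /libssl\.so/ {
        s = $6
        if ($7 == "(deleted)") s = s " (deleted)"
        if (!seen[s]++) print s
    }'
}

# Constructed sample: maps excerpt from a server that was not restarted
# after the library package was upgraded (addresses and inodes are made up).
SAMPLE_MAPS='b7500000-b7550000 r-xp 00000000 08:01 1311 /usr/lib/i386-linux-gnu/libssl.so.1.0.0 (deleted)
b7550000-b7554000 rw-p 0004f000 08:01 1311 /usr/lib/i386-linux-gnu/libssl.so.1.0.0 (deleted)
b7600000-b7760000 r-xp 00000000 08:01 1312 /lib/i386-linux-gnu/libc-2.13.so'

# Live check (run as root with --live): compares what the CLI reports with
# what the Apache processes actually have loaded.
check_live() {
    v=$(openssl version | awk '{print $2}')
    if is_heartbleed_version "$v"; then
        echo "openssl CLI $v: in the vulnerable range"
    else
        echo "openssl CLI $v: outside the vulnerable range"
    fi
    dpkg-query -W -f='${Package} ${Version}\n' libssl1.0.0
    for pid in $(pidof apache2); do
        echo "apache2 pid $pid:"
        mapped_libssl < "/proc/$pid/maps"
    done
}

if [ "${1:-}" = "--live" ]; then
    check_live
else
    printf '%s\n' "$SAMPLE_MAPS" | mapped_libssl
fi
```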

Test for the Heartbleed Vulnerability Again

In a Terminal window, execute these commands:
cd

python hb1.py localhost

Now you see the message saying "server likely not vulnerable", as shown below.

Saving the Screen Image

Make sure the message saying "server likely not vulnerable" is visible, as shown above.

Save a WHOLE DESKTOP CAPTURE with a filename of "Proj 13b from YOUR NAME".

Turning In Your Project

Email the image to cnit.120@gmail.com with a subject of "Project 13 from YOUR NAME".


Sources

http://pastebin.com/WmxzjkXJ

http://ubuntuforums.org/showthread.php?t=1672775

http://mariobrandt.de/archives/linux/upgrading-openssl-on-debian-6-squeeze-or-ubuntu-8-04-hardy-456/


Last modified: 5-20-14 9:40 am