eidolonFIRE Posted April 23, 2014 Member ID: 2759 Group: **- Inactive Registered Users Followers: 17 Topic Count: 199 Topics Per Day: 0.04 Content Count: 3496 Content Per Day: 0.76 Reputation: 3021 Achievement Points: 26464 Solved Content: 0 Days Won: 3 Joined: 08/22/11 Status: Offline Last Seen: June 16, 2017 Birthday: 07/27/1990 Share Posted April 23, 2014 I found this to be really interesting and informative. It's a good lesson on a common mistake to avoid when writing in a language that you manually manage memory allocation. All you coders should get this right away. It's pretty clear how the bug works. (it also makes sense now how it got it's name) azzkikr 1 Link to comment Share on other sites More sharing options...
Merlin007 Posted April 23, 2014 Member ID: 2068 Group: +++ COD5 Head Admin Followers: 69 Topic Count: 1071 Topics Per Day: 0.22 Content Count: 8419 Content Per Day: 1.73 Reputation: 7280 Achievement Points: 74795 Solved Content: 0 Days Won: 64 Joined: 12/25/10 Status: Offline Last Seen: 6 hours ago Birthday: 05/23/1973 Device: Android Share Posted April 23, 2014 Yes, interesting. Read some stuff on the bug a little while ago. Same deal, all about the memory dump during the heartbeat request. Pretty crafty to pick up on that and be able to exploit it. Link to comment Share on other sites More sharing options... Awards
eidolonFIRE Posted April 23, 2014 Member ID: 2759 Group: **- Inactive Registered Users Followers: 17 Topic Count: 199 Topics Per Day: 0.04 Content Count: 3496 Content Per Day: 0.76 Reputation: 3021 Achievement Points: 26464 Solved Content: 0 Days Won: 3 Joined: 08/22/11 Status: Offline Last Seen: June 16, 2017 Birthday: 07/27/1990 Author Share Posted April 23, 2014 Yes, interesting. Read some stuff on the bug a little while ago. Same deal, all about the memory dump during the heartbeat request. Pretty crafty to pick up on that and be able to exploit it. meh... it's not that crazy actually. Any trained C/C++ coder shouldn't have left that loophole there. They know better than to do that when malloc'ing. Whoever wrote the code was prolly just going fast and was careless. Link to comment Share on other sites More sharing options...
Merlin007 Posted April 24, 2014 Member ID: 2068 Group: +++ COD5 Head Admin Followers: 69 Topic Count: 1071 Topics Per Day: 0.22 Content Count: 8419 Content Per Day: 1.73 Reputation: 7280 Achievement Points: 74795 Solved Content: 0 Days Won: 64 Joined: 12/25/10 Status: Offline Last Seen: 6 hours ago Birthday: 05/23/1973 Device: Android Share Posted April 24, 2014 The heartbeat code was originally written by a German volunteer. The code was written as an improvement to openssl and submitted to one of the core guys, one of a small handful of volunteers, who look after the openssl releases. Well, these guys also reviewed the code and what we know as an error now, was overlooked. The new code was subsequently added to the release and the rest is today's news. Just goes to show, even the most diligent programmers can miss something unfortunately this little error caused a huge hole in the software. Even more, this 'bug' has been around for a couple of years already when the version of openssl was released with this heartbeat code. eidolonFIRE 1 Link to comment Share on other sites More sharing options... Awards
eidolonFIRE Posted April 24, 2014 Member ID: 2759 Group: **- Inactive Registered Users Followers: 17 Topic Count: 199 Topics Per Day: 0.04 Content Count: 3496 Content Per Day: 0.76 Reputation: 3021 Achievement Points: 26464 Solved Content: 0 Days Won: 3 Joined: 08/22/11 Status: Offline Last Seen: June 16, 2017 Birthday: 07/27/1990 Author Share Posted April 24, 2014 The heartbeat code was originally written by a German volunteer. The code was written as an improvement to openssl and submitted to one of the core guys, one of a small handful of volunteers, who look after the openssl releases. Well, these guys also reviewed the code and what we know as an error now, was overlooked. The new code was subsequently added to the release and the rest is today's news. Just goes to show, even the most diligent programmers can miss something unfortunately this little error caused a huge hole in the software. Even more, this 'bug' has been around for a couple of years already when the version of openssl was released with this heartbeat code. pretty crazy... just imagine if it was put there on purpose. They've had a back door into 60% of the internet for years! Link to comment Share on other sites More sharing options...
Recommended Posts