lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CADvmU8x1wwzBpcAV0VDU-oaw3MR_F=npEa1mD6HUqBtag5C5ZQ@mail.gmail.com>
Date: Thu, 10 Apr 2014 08:39:31 +0200
From: Txalin <txalin@...il.com>
To: craig@...eaunetworks.com
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

> How realistic is it that an attacker would be able to glean passwords
through
> this vulnerability?

Checked by myself yesterday in some websites with login/pass form in (sites
from my company, don't blame me). I took less than 2 minutes to get 3
user/password combinations, so, easy as hell.

PD: First message in FD, hi all!!!


2014-04-10 0:32 GMT+02:00 Craig Holmes <craig@...eaunetworks.com>:

> On April 8, 2014 10:21:34 AM Matthew Musingo wrote:
> > Even if your systems were patched  an attacker could have already
> attained
> > the secrets.
> >
> > Certs and other sensitive information need to be reconsidered for
> > replacement or changed
> How realistic is it that an attacker would be able to glean passwords
> through
> this vulnerability? Programatically searching through 64k memory dumps for
> certificates seems plausible, but looking for passwords does not. A
> password is
> of no pre-determined length or format. So unless you know what strings are
> wrapped around it (and those strings are reliably presented), isn't the
> loss
> of some types of sensitive information.... unlikely?
>
> Cheers.
> Craig
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ