Making Heartbleed Lab work for Ubuntu 20.04 #2
Comments
kevin-w-du
added
enhancement
|
I'm not able to download the 2004 VM. Do I have a wrong link?
|
|
Sorry, I updated the image. Here is the new link: https://seed.nyc3.cdn.digitaloceanspaces.com/SEED-Ubuntu20.04.zip |
|
I've built one here https://github.com/LuminousXLB/heartbleed-docker Here's an overview of the sizes of the containers The size of the server container might be able to shrink by staged build, but I would prefer to do something else :) |
|
Thanks. This is great. I will give it a test on my machine and then try to merge it into one of the SEED container image, so the cached layers from other labs can be reused for this lab. Really appreciate your efforts. |
|
There's something to be noticed. But this may also not bother since we'll disable certificate verification when sending requests. |
|
I tried it. It does work, but I couldn't get anything useful from the returned data. In the original Heartbleed lab, we are able to get the admin's password from the server (if we try enough times). I saw that in the setup, the client keeps talking to the server. If the attacker can get some of the client data back from the server, that will be great. I didn't get anything useful. The lab will be more interesting if we can get useful data via the attack. |
|
That's really a problem. |
|
We have already tried everything that you have mentioned, without a success. The SSL part is done inside Apache, not in PHP or Elgg. Unfortunately, Apache comes with its own built-in SSL library, compiling it with the older version of OpenSSL or use an older Apache on the new OS is a difficult (we haven't had any success so far). With your efforts, we are getting closer to our goal. Hopefully somebody else could build on top of your work and carry it to the next level. It just a matter of time. Thanks. |
|
Hey guys.. just monitoring this.. so you've made containers that use/rely on older distro bases.. with vulnerable libraries? Have you tried pulling the source ofr those older (unsupported) OpenSSL packages and manunally creating your CSR/CRT with the -x509 -days 5000 option?.. (creating the CSR and CRT in one movement). Thread on this here: I think doing this and keeping it all packages within a container is a great plan, if possible. I have some x509/cert/docker guru friends from Rackspace I can also sick on this issue. Lemme know if interested. |
|
We will do this for sure. We actually have a lab (PKI Lab) that does this, so it should be pretty easy to set up the certificate like this. There is no need to do it right now, because we haven't figured out how to solve the problem I listed above. Once we have resolved that problem, we will definitely do what you have suggested. |
|
Super.. ping me when ready to let me know exactly what you still need. |
Right now, the Heartbleed lab can only be conducted on our Ubuntu 12.04, because the versions of the OpenSSL in newer Ubuntu OSes have already fixed the problem. I really want to port this lab to our newest VM, Ubuntu 20.04. In theory this should be doable, because all we need to do is to install the older OpenSSL library, which is quite easy to do. However, we haven't succeeded yet in making this lab work for Ubuntu 16.04. Since we will soon migrate all our labs to Ubuntu 20.04, we will directly do it in 20.04. Help is needed to make this work. I added some details in the
TODO.mdfile inside the Heartbleed lab folder.The text was updated successfully, but these errors were encountered: