Thursday, 10 April 2014

HeartBleed test script

Hopefully we all have seen the news about the Heartbleed vulnerability. There are some testing scripts out there that provide you the capability the check if a site is vulnerable to the attack. But what if you are an administrator and you want to make sure that your services are not using an openssl lib that is vulnerable? Maybe a library that came with the software instead of the system one? Well... queue the trumpets :P

Here is a quick script that will find if you are using 1.0.1 versions (except g) of OpenSSL. Feel free to steal it and make it your own :) (sharing is caring)

#!/bin/bash
# make a buffer file
tempfile=`mktemp -p /tmp heartbleedtester.XXXXXXXXXX`

# get the PIDs
for pid in $(grep -l 'libssl' /proc/*/maps | tr -cd 0-9\\n | xargs -r ps | grep -v "PID TTY" | awk '{print $1}'); do
        # look for libssl on each proc, sort uniq them too
        for file in $(grep libssl /proc/$pid/maps | awk '{print $6}' | sort -u ); do
                # in each proc file matching libssl look for strings of 1.0.1 and not 1.0.1g
                for result in $(strings $file | grep 1.0.1 | grep -v 1.0.1g); do
                        output=`echo $?`
                        # if there is output (=0) then count it
                        if [ $output = 0 ]; then
                                procname=`ps ax | grep -v grep | grep $pid | awk '{print $5 $6 $7}'`
                                echo "Process $procname (PID:$pid) is using a vulnerable version of OpenSSL ($file)" >> $tempfile
                        fi
                done
        done
done
# spit out the output
cat $tempfile | sort -u
rm -f $tempfile


Enjoy :)

No comments:

Post a Comment