Neel Mehta 8 Apr 14
Heap allocation patterns make private key exposure unlikely for .
Tomas Rzepka
We can extract the private key successfully on FreeBSD after restarting Apache and making the first request with ssltest.py
Tomas Rzepka 9 Apr 14
Replying to @neelmehta @tqbf @_miw
stokedsecurity 9 Apr 14
probably only worked with first request to server, right?
Mako 9 Apr 14
Replying to @thegrugq @1njected
Cool! I've recovered it from Apache on Gentoo as a bare prime factor in binary, but your demo's a lot clearer.
Tomas Rzepka 9 Apr 14
Replying to @makomk @thegrugq
Cool, do you need to restart Apache or just send enough requests?
Ryan Barnett 9 Apr 14
attackers just need to send payloads at midnight when most sites run daily log rollover/restart scripts.
Tomas Rzepka 9 Apr 14
Yes, or if you're lucky, find a DOS-vuln and wait for admin to restart.