В Fri, 11 Apr 2014 20:01:53 +0200 "Carlos E. R." <robin.listas@telefonica.net> пишет:
I know little of how the vulnerability works,
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
but apparently they trick the machine (client? server? both?)
Machine that is processing packet. It can be both.
to freely send a copy of 64 KB of RAM, which may contain anything. I don't clearly know if they can walk all memory, or just memory from the process that responds, or the memory assigned to the user of that process, or just one 64 KB block, where a particular buffer should have been assigned, but was not really assigned (ie, a non initialized pointer?). Or the block was assigned but not erased previous to been used.
It can read up to 64K starting from the memory location where incoming packet (which is being processed) is allocated. This is local memory belonging to process. There is no way to control *what* is read nor control memory location that is read; one can only make some guesses based on knowledge of a program being attacked and its allocation patterns. Good metaphor from another site: "but it's not [targeted attack]. It's more like panning for gold than robbing a bank.".
That RAM they get might contain data obtained from a different computer, so that the keys are on another computer, that's irrelevant. As long as the keys were retrieved and read on memory at some time, and they can read that memory block...
And the vulnerability can be used even without accreditation for that server.