On 11 Apr 2014, at 09:37, Richard Conto <r...@umich.edu> wrote:
> I thought that HeartBleed allowed reading only of up to 64K (unsigned 16 bit
> length) of heap memory - from wherever in the heap the buffer used was
> allocated. It didn't allow arbitrary process memory exploitation, although I
> suppose by manipulating the size of the requests, you ought to be able to
> explore different parts of the heap.
>
> Of course, luck would play a part in what was revealed, although luck can be
> manipulated.
Here's a nice piece of work which would allow one to example what was actually
returned from cosignd or httpd:
https://github.com/noxxi/p5-scripts/blob/master/check-ssl-heartbleed.pl
Adding support for cosign's protocol would be trivial.
:wes
------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
