How to install a vulnerable version of OpenSSL on a Linux server?
I'd like to compile and install a Heartbleed-vulnerable OpenSSL version on a server I'm setting up for a team web security challenge (since these are not available for install from Ubuntu's repository for obvious reasons).
I downloaded and compiled from source OpenSSL 1.0.1f using the provided instructions (run ./config
, then make
and make install
), and tried to run the openly available Heartbleed POC from GitHub from my PC, however the script is notfying me that no heartbeat response has been received and the server is likely not vulnerable.
Running openssl version
produces the following output: OpenSSL 1.0.1f 6 Jan 2014. I installed an SSL certificate of course and SSL access works on the server.
OpenSSL is installed to work with Apache 2.4.7.
Can anyone help?
Solution 1:
There are two things that may be going on here:
A simple "./configure; make; make install" will by default place the shared libraries in
/usr/local/lib
. The system-installed libraries, however, will be in/usr/lib
, which comes earlier in the library search path. Unless you remove the system-installed version of OpenSSL, the vulnerable version won't be found.Even if you are over-writing the system libraries, the change won't be picked up until you restart Apache. Deleted files remain accessible (and take up space on disk) until all programs that have open filehandles to them close those filehandles.
Solution 2:
What server software is being used?
Despite the OpenSSL binary being vulnerable, an installed web server from an OS package is likely to be using a library version that is not vulnerable.
The simplest way to get a vulnerable listener running will be openssl s_server
- if you need a full web server to be vulnerable, you'll likely need to compile against the vulnerable OpenSSL.