[prev in list] [next in list] [prev in thread] [next in thread]
List: wireshark-bugs
Subject: [Wireshark-bugs] [Bug 2626] X.224 dissector doesn't show all fields
From: bugzilla-daemon () wireshark ! org
Date: 2016-01-31 0:20:28
Message-ID: bug-2626-15-XAEogqBap5 () https ! bugs ! wireshark ! org/bugzilla/
[Download RAW message or body]
--1454199632.0Af2B1.2399
Date: Sun, 31 Jan 2016 00:20:32 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id&26
--- Comment #5 from Guy Harris <guy@alum.mit.edu> ---
MS-RDPBCGR, "Remote Desktop Protocol: Basic Connectivity and Graphics
Remoting", says, in section 2.2.1.1 "Client X.224 Connection Request PDU", that
the lengths of the routingToken, cookie, and rdpNegData fields are "included in
the X.224 Connection Request Length Indicator field".
X.224/ISO 8073, "Information Technology - Open Systems Interconnection -
Protocol for providing the connection mode transport service", says, in section
13.2 "Structure", that the Length Indicator field is the length of the COTP
header, so that indicates that the routingToken, cookie, and rdpNegData fields
are therefore *not* user data in the Connection Request PDU. However, that
means that, if these were *real* X.225 packets, they would be described by
section 13.2.3 "Variable part" - but that part consists of a bunch of TLVs
(similar to TCP options), and that's *not* what Microsoft are putting there.
I.e., Microsoft's not following the X.224/ISO 8073 COTP spec, and the dissector
will have to try to detect Microsoft's mutant "MS-COTP" and dissect it
differently. (Sadly, the COTP spec says that "No user data are permitted in
class 0" for the CR PDU, and they're using class 0, given that they're running
COTP atop an already-reliable-and-in-order transport protocol, namely TCP, so
they couldn't use the user data field without, again, not following the spec.)
They also stuff extra weird stuff in the Connection Confirm PDU, as per 2.2.1.2
"Server X.224 Connection Confirm PDU". (The CC PDU also can't have user data
in class 0.)
For the Connection Request PDU, MS-RDPBCGR seems to be saying (in effect) that
the fixed part of the CR PDU may be followed either by a routingToken field or
a cookie field and that one or the other, but not both, may be present.
Those fields are described as "variable" (length) but not as "optional" in the
packet diagram, but are described as "optional and variable" in the packet
description. That *might* mean that one of those must be present but the other
of those need not (and, in fact, *must* not) be present.
The routingToken field is claimed to be described by "[MSFT-SDLBTS] "Routing
Token Format""; "MS-SDLBTS" is an old document named "Session Directory and
Load Balancing Using Terminal Server" ("S D (and) L B (Using) T S"), which can
currently be found at
http://download.microsoft.com/download/5/B/C/5BC37A4E-6304-45AB-8C2D-AE712526E7F7/TS_Session_Directory.pdf
(thank you, Bing, for giving me a URL unadorned by Google's self-promoting
"here's the Google search from which you got that link" crap). It indicates
that:
The routing token format is case sensitive ASCII text, as follows:
Cookie: + SPACE + msts640205228.15629.0000 + CR + LF
MS-RDPBCGR says that a cookie field looks like:
Cookie: mstshash=IDENTIFIER
so *both* of those field types begin with "Cookie:".
*If* there must either be a routingToken or a cookie if there are any
parameters at all, then checking for "Cookie:" would be sufficient to determine
whether the packet is a valid X.224/ISO 8073 CR PDU, as "C", i.e. 0x43, is not
a valid optional parameter type code in a CR PDU.
If, however, neither of them need to be present, then the only other thing that
could be in the variable part would be an RDP Negotiation Request, as described
in section 2.2.1.1.1 of MS-RDPBCGR. That begins with an 0x01 byte, which
cannot ever be a valid X.224/ISO 8073 parameter type value (to quote section
13.2.3 "Variable part", "No parameter code uses bits 8 and 7 with the value
00.", so all codes have one or both of the 0x80 and 0x40 bits set).
For the Connection Conform PDU, MS-RDPBCGR says (in effect) that the fixed part
of the CR PDU may be followed by an "an optional RDP Negotiation Response
(section 2.2.1.2.1) structure or an optional RDP Negotiation Failure (section
2.2.1.2.2) structure". An RDP Negotiation Response begins with 0x02, and an
RDP Negotiation Failure begins with 0x03, and neither of those can ever be
valid X.224/ISO 8073 parameter type values (as per the above).
So fairly strong heuristics (which would be fooled only by packets with invalid
variable part parameters that either look like "Cookie" or have codes 0x01,
0x02, and 0x03) exist to detect Microsoft's non-standard COTP, and this reduces
to a Simple Matter of Programming.
--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
--1454199632.0Af2B1.2399
Date: Sun, 31 Jan 2016 00:20:32 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<base href="https://bugs.wireshark.org/bugzilla/" />
<style>
body, th, td {
font-size: 12px;
font-family: Arial, Helvetica, sans-serif; }
p, pre { margin-top: 1em; }
pre {
font-family: Bitstream Vera Sans Mono, Consolas, Lucida Console, \
monospace; white-space: pre-wrap;
}
table { border: 0; border-spacing: 0; border-collapse: collapse; }
th, td {
padding: 0.25em;
padding-left: 0.5em;
padding-right: 0.5em;
}
th { background: rgb(240, 240, 240); }
th.th_top { border-bottom: 1px solid rgb(116, 126, 147); }
th.th_left { border-right: 1px solid rgb(116, 126, 147); }
td.removed { background-color: #ffcccc; }
td.added { background-color: #e4ffc7; }
</style>
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_CONFIRMED "
title="CONFIRMED - X.224 dissector doesn't show all fields"
href="https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2626#c5">Comment # 5</a>
on <a class="bz_bug_link
bz_status_CONFIRMED "
title="CONFIRMED - X.224 dissector doesn't show all fields"
href="https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2626">bug 2626</a>
from <span class="vcard"><a class="email" \
href="mailto:guy@alum.mit.edu" title="Guy Harris <guy@alum.mit.edu>"> \
<span class="fn">Guy Harris</span></a> </span></b>
<pre>MS-RDPBCGR, "Remote Desktop Protocol: Basic Connectivity and \
Graphics Remoting", says, in section 2.2.1.1 "Client X.224 Connection \
Request PDU", that the lengths of the routingToken, cookie, and rdpNegData \
fields are "included in the X.224 Connection Request Length Indicator \
field".
X.224/ISO 8073, "Information Technology - Open Systems Interconnection -
Protocol for providing the connection mode transport service", says, in section
13.2 "Structure", that the Length Indicator field is the length of the COTP
header, so that indicates that the routingToken, cookie, and rdpNegData fields
are therefore *not* user data in the Connection Request PDU. However, that
means that, if these were *real* X.225 packets, they would be described by
section 13.2.3 "Variable part" - but that part consists of a bunch of TLVs
(similar to TCP options), and that's *not* what Microsoft are putting there.
I.e., Microsoft's not following the X.224/ISO 8073 COTP spec, and the dissector
will have to try to detect Microsoft's mutant "MS-COTP" and dissect it
differently. (Sadly, the COTP spec says that "No user data are permitted in
class 0" for the CR PDU, and they're using class 0, given that they're running
COTP atop an already-reliable-and-in-order transport protocol, namely TCP, so
they couldn't use the user data field without, again, not following the spec.)
They also stuff extra weird stuff in the Connection Confirm PDU, as per 2.2.1.2
"Server X.224 Connection Confirm PDU". (The CC PDU also can't have user \
data in class 0.)
For the Connection Request PDU, MS-RDPBCGR seems to be saying (in effect) that
the fixed part of the CR PDU may be followed either by a routingToken field or
a cookie field and that one or the other, but not both, may be present.
Those fields are described as "variable" (length) but not as \
"optional" in the packet diagram, but are described as "optional and \
variable" in the packet description. That *might* mean that one of those must \
be present but the other of those need not (and, in fact, *must* not) be present.
The routingToken field is claimed to be described by "[MSFT-SDLBTS] \
"Routing Token Format""; "MS-SDLBTS" is an old document \
named "Session Directory and Load Balancing Using Terminal Server" ("S \
D (and) L B (Using) T S"), which can currently be found at
<a href="http://download.microsoft.com/download/5/B/C/5BC37A4E-6304-45AB-8C2D-AE712526 \
E7F7/TS_Session_Directory.pdf">http://download.microsoft.com/download/5/B/C/5BC37A4E-6304-45AB-8C2D-AE712526E7F7/TS_Session_Directory.pdf</a>
(thank you, Bing, for giving me a URL unadorned by Google's self-promoting
"here's the Google search from which you got that link" crap). It \
indicates that:
The routing token format is case sensitive ASCII text, as follows:
Cookie: + SPACE + msts=3640205228.15629.0000 + CR + LF
MS-RDPBCGR says that a cookie field looks like:
Cookie: mstshash=IDENTIFIER
so *both* of those field types begin with "Cookie:".
*If* there must either be a routingToken or a cookie if there are any
parameters at all, then checking for "Cookie:" would be sufficient to \
determine whether the packet is a valid X.224/ISO 8073 CR PDU, as "C", i.e. \
0x43, is not a valid optional parameter type code in a CR PDU.
If, however, neither of them need to be present, then the only other thing that
could be in the variable part would be an RDP Negotiation Request, as described
in section 2.2.1.1.1 of MS-RDPBCGR. That begins with an 0x01 byte, which
cannot ever be a valid X.224/ISO 8073 parameter type value (to quote section
13.2.3 "Variable part", "No parameter code uses bits 8 and 7 with the \
value 00.", so all codes have one or both of the 0x80 and 0x40 bits set).
For the Connection Conform PDU, MS-RDPBCGR says (in effect) that the fixed part
of the CR PDU may be followed by an "an optional RDP Negotiation Response
(section 2.2.1.2.1) structure or an optional RDP Negotiation Failure (section
2.2.1.2.2) structure". An RDP Negotiation Response begins with 0x02, and an
RDP Negotiation Failure begins with 0x03, and neither of those can ever be
valid X.224/ISO 8073 parameter type values (as per the above).
So fairly strong heuristics (which would be fooled only by packets with invalid
variable part parameters that either look like "Cookie" or have codes 0x01,
0x02, and 0x03) exist to detect Microsoft's non-standard COTP, and this reduces
to a Simple Matter of Programming.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>
--1454199632.0Af2B1.2399--
___________________________________________________________________________
Sent via: Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://wireshark.org/mailman/options/wireshark-bugs
mailto:wireshark-bugs-request@wireshark.org?subject=unsubscribe
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic