List: wireshark-bugs
Subject: [Wireshark-bugs] [Bug 16301] New: SPNEGO+GSS-API+Kerberos+ap-options dissection produces "Unknown Bi
From: bugzilla-daemon () wireshark ! org
Date: 2019-12-30 21:54:02
Message-ID: bug-16301-15 () https ! bugs ! wireshark ! org/bugzilla/
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16301
Bug ID: 16301
Summary: SPNEGO+GSS-API+Kerberos+ap-options dissection produces
"Unknown Bit(s)" expert message
Product: Wireshark
Version: 3.2.0
Hardware: x86
OS: macOS 10.14
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-admin@wireshark.org
Reporter: jsbarber60@gmail.com
Target Milestone: ---
Created attachment 17547
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17547&action=edit
Snippet of capture demonstrating Kerberos ap-options dissection issue
Build Information:
TShark (Wireshark) 3.2.0 (v3.2.0-0-ge0ed4cfa3d72)
Copyright 1998-2019 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, without POSIX capabilities, with GLib 2.37.6,
with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with
GnuTLS 3.4.17, with Gcrypt 1.7.7, with MIT Kerberos, with MaxMind DB resolver,
with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with Snappy, with
libxml2 2.9.9.
Running on Mac OS X 10.14.5, build 18F203 (Darwin 18.6.0), with Intel(R)
Core(TM) i7-8850H CPU @ 2.60GHz (with SSE4.2), with 16384 MB of physical memory,
with locale en_US.UTF-8, with libpcap version 1.8.1 -- Apple version 79.250.1,
with GnuTLS 3.4.17, with Gcrypt 1.7.7, with brotli 1.0.7, with zlib 1.2.11,
binary plugins supported (0 loaded).
Built using clang 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.16).
--
Many apparently well-formed DCE-RPC and LDAP packets containing this field are
producing the expert message "(Warning/Undecoded): Unknown bit(s): 0x000000" as
shown below. The issue is new since 3.0.3 at least. It appears on a Linux
version built from the 3.2.0 tag source as well as on the official 3.2.0 macOS
binary release.
The issue is in epan/dissectors/packet-kerberos.c where APOptions_bits is being
passed to dissect_ber_bitstring. It's objecting to a four-byte field being
passed to the bitstring dissector but with only three bits defined. However, I
don't understand enough about the context to suggest a fix.
Pcap demonstrating the issue is attached. See frame #5.
The tshark -V dissection for this example shows:
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind, Fragment: Single, FragLen: 1841, Call: 65
    Version: 5
    Version (minor): 0
    Packet type: Bind (11)
    Packet Flags: 0x03
    [snip]
    Auth Info: SPNEGO, Connect, AuthContextId(0)
        Auth type: SPNEGO (9)
        Auth level: Connect (2)
        Auth pad len: 0
        Auth Rsrvd: 0
        Auth Context ID: 0
        GSS-API Generic Security Service Application Program Interface
            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
            Simple Protected Negotiation
                negTokenInit
                    mechTypes: 4 items
                        MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                        MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                        MechType: 1.3.6.1.4.1.311.2.2.30 (NEGOEX - SPNEGO Extended Negotiation Security Mechanism)
                        MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                    mechToken: 6e8206633082065fa003020105a10302010ea20703050020…
                        krb5_blob: 6e8206633082065fa003020105a10302010ea20703050020…
                            Kerberos
                                ap-req
                                    pvno: 5
                                    msg-type: krb-ap-req (14)
                                    Padding: 0
                                    ap-options: 20000000
                                        0... .... = reserved: False
                                        .0.. .... = use-session-key: False
                                        ..1. .... = mutual-required: True
*** =>                                  [Expert Info (Warning/Undecoded): Unknown bit(s): 0x000000]
*** =>                                      [Unknown bit(s): 0x000000]
*** =>                                      [Severity level: Warning]
*** =>                                      [Group: Undecoded]
                                    ticket
                                        [...]
In previous versions, the dissection was:
                                    [...]
                                    ap-options: 20000000 (mutual-required)
                                        0... .... = reserved: False
                                        .0.. .... = use-session-key: False
                                        ..1. .... = mutual-required: True
                                    ticket
--
You are receiving this mail because:
You are watching all bug changes.
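The ap-options decoding at the centre of this report, as an added worked example (it is not the reporter's code and not Wireshark's dissector): a minimal DER walker that reaches the AP-REQ ap-options BIT STRING and classifies its bits the way a dissector should, warning only about set bits that have no name. The input is the mechToken prefix quoted in the report, extended with the three trailing zero bytes that the displayed value 20000000 implies. The bit names come from RFC 4120 section 5.5.1; KerberosFlags is a BIT STRING of at least 32 bits whose unnamed bits are transmitted as zero (RFC 4120 section 5.2.8), so the 29 zero bits following mutual-required are conforming padding rather than unknown flags. The function names and the second, one-extra-bit sample are mine.

```python
"""Decode the Kerberos AP-REQ ap-options BIT STRING from the DER prefix quoted in
the bug report and classify its bits, to show why the 3.2.0 expert message
"Unknown bit(s): 0x000000" is a false positive: every bit outside the three
named ones is zero, which is what RFC 4120 requires."""

# Constructed sample: the mechToken prefix from the report
# (6e8206633082065fa003020105a10302010ea20703050020...) extended with the three
# trailing zero bytes implied by "ap-options: 20000000". Everything after the
# BIT STRING (authenticator, ticket) is omitted; the outer lengths are kept as seen.
AP_REQ_PREFIX = bytes.fromhex(
    "6e820663"      # [APPLICATION 14] AP-REQ, length 0x663
    "3082065f"      # SEQUENCE, length 0x65f
    "a003020105"    # [0] pvno INTEGER 5
    "a10302010e"    # [1] msg-type INTEGER 14 (KRB-AP-REQ)
    "a207"          # [2] ap-options, length 7
    "030500"        # BIT STRING, length 5, 0 unused bits
    "20000000"      # the 32 flag bits
)

# Named bits of APOptions (RFC 4120 section 5.5.1). Every other bit is reserved
# and is sent as zero; only a *set* unnamed bit deserves an "unknown bit" warning.
APOPTIONS_BITS = {0: "reserved", 1: "use-session-key", 2: "mutual-required"}


def read_tlv(buf, pos):
    """Parse one DER tag-length-value header at pos.
    Returns (tag_byte, content_offset, content_length). Single-byte tags and
    definite lengths only, which is all Kerberos DER (RFC 4120 section 5.1) uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, length


def decode_kerberos_flags(bitstring_content, names):
    """Decode a DER BIT STRING body as RFC 4120 KerberosFlags (SIZE(32..MAX)).

    ASN.1 bit 0 is the most significant bit of the first content byte, after the
    leading "unused bits" octet. Returns (set_named, unknown_mask): the names of
    the named bits that are 1, and a mask (bit 0 = ASN.1 bit nbits-1) of set bits
    that have no name. A zero unknown_mask means nothing is actually unknown."""
    unused = bitstring_content[0]
    bits = bitstring_content[1:]
    if not 0 <= unused <= 7:
        raise ValueError("invalid unused-bits octet in BIT STRING")
    nbits = len(bits) * 8 - unused
    if nbits < 32:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    value = int.from_bytes(bits, "big") >> unused  # drop the padding bits
    set_named = []
    unknown_mask = 0
    for i in range(nbits):
        bit = (value >> (nbits - 1 - i)) & 1  # bit i in ASN.1 numbering
        if not bit:
            continue
        if i in names:
            set_named.append(names[i])
        else:
            unknown_mask |= 1 << (nbits - 1 - i)
    return set_named, unknown_mask


def ap_options_from_ap_req(buf):
    """Walk the AP-REQ DER down to ap-options ([2]) and return the BIT STRING body."""
    tag, pos, _ = read_tlv(buf, 0)
    assert tag == 0x6E, "expected [APPLICATION 14] AP-REQ"
    tag, pos, _ = read_tlv(buf, pos)
    assert tag == 0x30, "expected SEQUENCE"
    tag, ctx, length = read_tlv(buf, pos)  # [0] pvno
    assert tag == 0xA0
    pos = ctx + length
    tag, ctx, length = read_tlv(buf, pos)  # [1] msg-type
    assert tag == 0xA1
    pos = ctx + length
    tag, ctx, length = read_tlv(buf, pos)  # [2] ap-options
    assert tag == 0xA2
    tag, bpos, blen = read_tlv(buf, ctx)
    assert tag == 0x03, "expected BIT STRING"
    return buf[bpos:bpos + blen]


if __name__ == "__main__":
    body = ap_options_from_ap_req(AP_REQ_PREFIX)
    named, unknown = decode_kerberos_flags(body, APOPTIONS_BITS)
    print("capture bytes: set =", named, "unknown bits = 0x%08x" % unknown)
    # Constructed variant (not from the capture): ASN.1 bit 31 set alongside
    # mutual-required. This is what a genuine "unknown bit(s)" case looks like.
    named2, unknown2 = decode_kerberos_flags(bytes.fromhex("0020000001"), APOPTIONS_BITS)
    print("constructed:   set =", named2, "unknown bits = 0x%08x" % unknown2)
```

For the bytes in the capture the decoder reports only mutual-required and an unknown-bit mask of zero; the constructed variant with ASN.1 bit 31 set reports a non-zero mask, which is the condition under which an "Unknown bit(s)" expert item is justified.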
___________________________________________________________________________
Sent via: Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
mailto:wireshark-bugs-request@wireshark.org?subject=unsubscribe