Ethereal-dev: [Ethereal-dev] Problem with MAPI decodes
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
I am experiencing problems where Ethereal crashes
(Segmentation Fault) trying to decode some MAPI packets. The packets in question are all Logon
Reply [Malformed Packet] and what seems to be happening is Ethereal is
interpreting the /CN field as a length value, tries to allocate gigabytes worth
of memory then faults because it can’t allocate that much RAM. This behavior is observed in Ethereal
0.9.11, 0.9.12 and 0.9.13, both on RedHat Linux and
Windows platforms. I can sometimes
get Ethereal 0.9.7 to read the malformed packet which is how I’m guessing
the /CN field is being misinterpreted. Hex dump of packet: 09:51:39.626316 192.168.0.2.1032 > 192.168.0.173.1073:
P 165:373(208) ack 480 win 8281 (DF) 0x0000
4500 00f8 04dc 4000 8006 7324 c0a8 0002 [email protected]$.... 0x0010
c0a8 00ad 0408 0431 e56a 55c9 4bff 2c56 .......1.jU.K.,V 0x0020
5018 2059 2b50 0000 0500 0203 1000 0000 P..Y+P.......... 0x0030
d000 1000 0100 0000 9400 0000 0000 0000 ................ 0x0040
0000 0000 9657 703b 0509 2b45 8eb2 2f53 .....Wp;..+E../S 0x0050
8313 3045 60ea 0000 0600 0000 1027 0000 ..0E`........'.. 0x0060
f500 0c00 f833 e904 2b00 0000 0000 0000 .....3..+....... 0x0070
2b00 0000 2f4f 3d53 4f4c 5554 494f 4e53 +.../O=SOLUTIONS 0x0080
4951 2f4f 553d 434e 414d 4953 2f43 4e3d IQ/OU=CNAMIS/CN= 0x0090
5245 4349 5049 454e 5453 2f43 4e3d 0000 RECIPIENTS/CN=.. 0x00a0
b8ae 6429 1000 0000 0000 0000
1000 0000 ..d)............ 0x00b0 416c 6c69 736f 6e20
4c65 6f6e 6172 6400 Allison.Leonard. 0x00c0
0500 5d0a 1700 0500 480c 0000 eeaa 18f0 ..].....H....... 0x00d0
0000 0000 9eb5 28b5 c6b5 df61 e11f 4e70 ......(....a..Np 0x00e0
0a02 0c00 a889 0b00 0100 0000 0000 0000 ................ 0x00f0
0000 0000 0000 0000
........ Output from tethereal: Frame 782 (262 bytes on wire, 262 bytes captured)
Arrival Time:
Time delta from previous packet: 0.004248000 seconds
Time relative to first packet: 2.939920000 seconds
Frame Number: 782
Packet Length: 262 bytes
Capture Length: 262 bytes Ethernet II, Src:
Destination:
Source:
Type: IP (0x0800) Internet Protocol, Src Addr: 192.168.0.2 (192.168.0.2), Dst Addr: 192.168.0.173 (192.168.0.173)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000
00.. = Differentiated Services Codepoint:
Default (0x00) ....
..0. = ECN-Capable Transport (ECT): 0 ....
...0 = ECN-CE: 0
Total Length: 248
Identification: 0x04dc (1244)
Flags: 0x04 .1.. = ..0.
= More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x7324 (correct)
Source: 192.168.0.2 (192.168.0.2)
Destination: 192.168.0.173 (192.168.0.173) Transmission Control Protocol,
Source port: 1032 (1032)
Destination port: 1073 (1073)
Sequence number: 3848951241
Next sequence number: 3848951449
Acknowledgement number: 1275014230
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK) 0...
.... = Congestion Window Reduced (CWR): Not set .0.. .... = ECN-Echo: Not set ..0.
.... = Urgent: Not set ...1 .... = Acknowledgment: Set ....
1... = Push: Set ....
.0.. = Reset: Not set ....
..0. = Syn: Not set ....
...0 = Fin: Not set
Window size: 8281
Checksum: 0x2b50 (correct) DCE RPC
Version: 5
Version (minor): 0
Packet type: Response (2)
Packet Flags: 0x03 0...
.... = Object: Not set .0.. .... = Maybe: Not set ..0.
.... = Did Not Execute: Not set ...0 .... = Multiplex: Not set ....
0... = Reserved: Not set ....
.0.. = Cancel Pending: Not set ....
..1. = Last Frag: Set ....
...1 = First Frag: Set
Data Representation: 10000000 Byte
order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Frag Length: 208
Auth Length: 16
Call ID: 1
Alloc hint: 148
Context ID: 0
Cancel count: 0
Auth type: NTLMSSP (10)
Auth level: Connect (2)
Auth pad len: 12
Auth Rsrvd: 0
Auth Context ID: 756136
Auth padding
Opnum: 0
Request in: 715
Time from request: 0.031980000 seconds
NTLMSSP Verifier
Version Number: 1
Verifier Body: 000000000000000000000000 Microsoft Exchange MAPI
Operation: Logon (0)
Policy Handle
Context Handle: 000000009657703B05092B458EB22F53...
unknown data (20 bytes)
Unknown string: /O=SOLUTIONSIQ/OU=CNAMIS/CN=RECIPIENTS/CN= Max
Count: 43
Offset: 0
Actual Count: 43
Unknown string: /O=SOLUTIONSIQ/OU=CNAMIS/CN=RECIPIENTS/CN=
Unknown long: 0x2964aeb8
Unknown string: Allison Leonard Max
Count: 16
Offset: 0
Actual Count: 16
Unknown string: Allison Leonard
unknown data (16 bytes)
Return code: STATUS_SUCCESS (0x00000000) The Ethereal GUI interprets the “Unknown
string: Allison Leonard” as an Unknown String of Length 1768713281. Other than disabling the MAPI decoder, is there a
patch or anything to fix this problem?
Thanks! _______________________________ CCIE
#2188 Datanode,
LLC (425)
823-6661 / (800) 876-4275 |
- Follow-Ups:
- Re: [Ethereal-dev] Problem with MAPI decodes
- From: Guy Harris
- Re: [Ethereal-dev] Problem with MAPI decodes
- Prev by Date: [Ethereal-dev] Patch: WSP dissection of SMPP message body
- Next by Date: [Ethereal-dev] ethereal plugin interface
- Previous by thread: Re: [Ethereal-dev] Patch: WSP dissection of SMPP message body
- Next by thread: Re: [Ethereal-dev] Problem with MAPI decodes
- Index(es):