Ethereal-dev: [Ethereal-dev] Problem with MAPI decodes

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Nathan Way" <nathan@xxxxxxxxxxxx>
Date: Mon, 30 Jun 2003 12:48:18 -0700

I am experiencing problems where Ethereal crashes (Segmentation Fault) trying to decode some MAPI packets.  The packets in question are all Logon Reply [Malformed Packet] and what seems to be happening is Ethereal is interpreting the /CN field as a length value, tries to allocate gigabytes worth of memory then faults because it can’t allocate that much RAM.  This behavior is observed in Ethereal 0.9.11, 0.9.12 and 0.9.13, both on RedHat Linux and Windows platforms.  I can sometimes get Ethereal 0.9.7 to read the malformed packet which is how I’m guessing the /CN field is being misinterpreted.

Hex dump of packet:

09:51:39.626316 192.168.0.2.1032 > 192.168.0.173.1073: P 165:373(208) ack 480 win 8281 (DF)
0x0000      4500 00f8 04dc 4000 8006 7324 c0a8 0002  E.....@..s$....
0x0010      c0a8 00ad 0408 0431 e56a 55c9 4bff 2c56  .......1.jU.K.,V
0x0020      5018 2059 2b50 0000 0500 0203 1000 0000  P..Y+P..........
0x0030      d000 1000 0100 0000 9400 0000 0000 0000  ................
0x0040      0000 0000 9657 703b 0509 2b45 8eb2 2f53  .....Wp;..+E../S
0x0050      8313 3045 60ea 0000 0600 0000 1027 0000  ..0E`........'..
0x0060      f500 0c00 f833 e904 2b00 0000 0000 0000  .....3..+.......
0x0070      2b00 0000 2f4f 3d53 4f4c 5554 494f 4e53  +.../O=SOLUTIONS
0x0080      4951 2f4f 553d 434e 414d 4953 2f43 4e3d  IQ/OU=CNAMIS/CN=
0x0090      5245 4349 5049 454e 5453 2f43 4e3d 0000  RECIPIENTS/CN=..
0x00a0      b8ae 6429 1000 0000 0000 0000 1000 0000  ..d)............
0x00b0      416c 6c69 736f 6e20 4c65 6f6e 6172 6400  Allison.Leonard.
0x00c0      0500 5d0a 1700 0500 480c 0000 eeaa 18f0  ..].....H.......
0x00d0      0000 0000 9eb5 28b5 c6b5 df61 e11f 4e70  ......(....a..Np
0x00e0      0a02 0c00 a889 0b00 0100 0000 0000 0000  ................
0x00f0      0000 0000 0000 0000                      ........

Output from tethereal:

Frame 782 (262 bytes on wire, 262 bytes captured)
    Arrival Time: Jun 30, 2003 09:51:39.626316000
    Time delta from previous packet: 0.004248000 seconds
    Time relative to first packet: 2.939920000 seconds
    Frame Number: 782
    Packet Length: 262 bytes
    Capture Length: 262 bytes
Ethernet II, Src: 00:01:03:33:4a:36, Dst: 00:03:47:d8:79:3b
    Destination: 00:03:47:d8:79:3b (Intel_d8:79:3b)
    Source: 00:01:03:33:4a:36 (3com_33:4a:36)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.0.2 (192.168.0.2), Dst Addr: 192.168.0.173 (192.168.0.173)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 248
    Identification: 0x04dc (1244)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x7324 (correct)
    Source: 192.168.0.2 (192.168.0.2)
    Destination: 192.168.0.173 (192.168.0.173)
Transmission Control Protocol, Src Port: 1032 (1032), Dst Port: 1073 (1073), Seq: 3848951241, Ack: 1275014230, Len: 208
    Source port: 1032 (1032)
    Destination port: 1073 (1073)
    Sequence number: 3848951241
    Next sequence number: 3848951449
    Acknowledgement number: 1275014230
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 8281
    Checksum: 0x2b50 (correct)
DCE RPC
    Version: 5
    Version (minor): 0
    Packet type: Response (2)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 10000000
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 208
    Auth Length: 16
    Call ID: 1
    Alloc hint: 148
    Context ID: 0
    Cancel count: 0
    Auth type: NTLMSSP (10)
    Auth level: Connect (2)
    Auth pad len: 12
    Auth Rsrvd: 0
    Auth Context ID: 756136
    Auth padding
    Opnum: 0
    Request in: 715
    Time from request: 0.031980000 seconds
    NTLMSSP Verifier
        Version Number: 1
        Verifier Body: 000000000000000000000000
Microsoft Exchange MAPI
    Operation: Logon (0)
    Policy Handle
        Context Handle: 000000009657703B05092B458EB22F53...
    unknown data (20 bytes)
    Unknown string: /O=SOLUTIONSIQ/OU=CNAMIS/CN=RECIPIENTS/CN=
        Max Count: 43
        Offset: 0
        Actual Count: 43
        Unknown string: /O=SOLUTIONSIQ/OU=CNAMIS/CN=RECIPIENTS/CN=
    Unknown long: 0x2964aeb8
    Unknown string: Allison Leonard
        Max Count: 16
        Offset: 0
        Actual Count: 16
        Unknown string: Allison Leonard
    unknown data (16 bytes)
    Return code: STATUS_SUCCESS (0x00000000)

The Ethereal GUI interprets the “Unknown string: Allison Leonard” as an Unknown String of Length 1768713281.

Other than disabling the MAPI decoder, is there a patch or anything to fix this problem?

Thanks!

_______________________________

Nathan Way

CCIE #2188

Datanode, LLC

(425) 823-6661 / (800) 876-4275
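The following is an added example; it is not part of the original post and is not Ethereal's code. It re-parses the hex dump quoted above in Python, walking the DCE RPC response and the MAPI Logon reply in the order tethereal printed them (the names "unknown data (20 bytes)" and "Unknown string" are tethereal's labels; the max count / offset / actual count triple is the standard NDR conformant-varying string layout). Every count read from the wire is checked against the bytes actually remaining in the capture before it is used to size anything, which is the check a dissector needs so that a bogus length ends in a malformed-packet verdict instead of a failed multi-gigabyte allocation. It also shows where the GUI's figure 1768713281 comes from: it is the little-endian reading of the first four characters of the display name, "Alli" (0x696c6c41). The function names, the MalformedPacket exception and the dictionary keys are my own and not Ethereal's.

```python
import struct

# Hex columns of the tcpdump -x dump quoted in the report (ASCII column
# omitted); offset 0x0000 is the start of the IP header.
HEX_DUMP = """
0x0000  4500 00f8 04dc 4000 8006 7324 c0a8 0002
0x0010  c0a8 00ad 0408 0431 e56a 55c9 4bff 2c56
0x0020  5018 2059 2b50 0000 0500 0203 1000 0000
0x0030  d000 1000 0100 0000 9400 0000 0000 0000
0x0040  0000 0000 9657 703b 0509 2b45 8eb2 2f53
0x0050  8313 3045 60ea 0000 0600 0000 1027 0000
0x0060  f500 0c00 f833 e904 2b00 0000 0000 0000
0x0070  2b00 0000 2f4f 3d53 4f4c 5554 494f 4e53
0x0080  4951 2f4f 553d 434e 414d 4953 2f43 4e3d
0x0090  5245 4349 5049 454e 5453 2f43 4e3d 0000
0x00a0  b8ae 6429 1000 0000 0000 0000 1000 0000
0x00b0  416c 6c69 736f 6e20 4c65 6f6e 6172 6400
0x00c0  0500 5d0a 1700 0500 480c 0000 eeaa 18f0
0x00d0  0000 0000 9eb5 28b5 c6b5 df61 e11f 4e70
0x00e0  0a02 0c00 a889 0b00 0100 0000 0000 0000
0x00f0  0000 0000 0000 0000
"""


class MalformedPacket(ValueError):
    """Raised instead of trusting a wire value the capture cannot back (my name)."""


def parse_hex_dump(text: str) -> bytes:
    """Turn the offset-prefixed hex lines back into raw packet bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        out += bytes.fromhex("".join(line.split()[1:]))  # drop the 0x.... offset
    return bytes(out)


def _unpack(fmt: str, buf: bytes, off: int) -> int:
    if off < 0 or off + struct.calcsize(fmt) > len(buf):
        raise MalformedPacket(f"read at offset {off} runs past end of capture")
    return struct.unpack_from(fmt, buf, off)[0]


def u16(buf: bytes, off: int) -> int:
    return _unpack("<H", buf, off)


def u32(buf: bytes, off: int) -> int:
    return _unpack("<I", buf, off)


def guard_count(count: int, available: int) -> int:
    """The check the crashing dissector lacked: a count or length taken from
    the wire must never exceed the bytes actually captured behind it."""
    if count > available:
        raise MalformedPacket(f"count {count} exceeds {available} bytes remaining")
    return count


def read_ndr_string(buf: bytes, off: int, limit: int):
    """Parse an NDR conformant-varying string: max count, offset, actual count,
    then the characters, padded to a 4-byte boundary.
    Returns (text, offset_of_characters, next_field_offset)."""
    max_count, offset, actual = u32(buf, off), u32(buf, off + 4), u32(buf, off + 8)
    data_off = off + 12
    if offset != 0 or actual > max_count:
        raise MalformedPacket("inconsistent NDR string header")
    guard_count(actual, limit - data_off)          # bound BEFORE slicing/allocating
    text = buf[data_off:data_off + actual].split(b"\0", 1)[0].decode("ascii")
    return text, data_off, (data_off + actual + 3) & ~3


def decode_logon_reply(pkt: bytes) -> dict:
    """Walk IP -> TCP -> DCE RPC response -> MAPI Logon reply, following the
    field order tethereal printed, with every count bounds-checked."""
    ip_hlen = (pkt[0] & 0x0F) * 4
    tcp_hlen = (pkt[ip_hlen + 12] >> 4) * 4
    dce = ip_hlen + tcp_hlen
    if pkt[dce] != 5 or pkt[dce + 2] != 2 or not pkt[dce + 4] & 0x10:
        raise MalformedPacket("not a little-endian DCE RPC v5 response")
    frag_len, auth_len = u16(pkt, dce + 8), u16(pkt, dce + 10)
    guard_count(frag_len, len(pkt) - dce)
    alloc_hint = u32(pkt, dce + 16)
    stub = dce + 24                                  # 24-byte response header
    # The 8-byte auth trailer precedes the 16-byte NTLMSSP verifier; its pad
    # length byte says how much padding sits between stub data and trailer.
    trailer = dce + frag_len - auth_len - 8
    if trailer < stub:
        raise MalformedPacket("auth length exceeds fragment")
    stub_end = trailer - pkt[trailer + 2]
    off = stub + 20 + 20                             # policy handle + "unknown data (20 bytes)"
    dn, _, off = read_ndr_string(pkt, off, stub_end)
    unknown_long = u32(pkt, off)
    name, name_off, off = read_ndr_string(pkt, off + 4, stub_end)
    off += 16                                        # "unknown data (16 bytes)"
    return_code = u32(pkt, off)
    if off + 4 != stub_end:
        raise MalformedPacket("stub data length does not match auth trailer")
    return {"alloc_hint": alloc_hint, "stub_length": stub_end - stub,
            "distinguished_name": dn, "unknown_long": unknown_long,
            "display_name": name, "display_name_offset": name_off,
            "return_code": return_code}


def misread_as_length(pkt: bytes) -> int:
    """Reproduce the GUI's figure: read the first four characters of the
    display name ("Alli") as a little-endian count instead of as text."""
    return u32(pkt, decode_logon_reply(pkt)["display_name_offset"])


if __name__ == "__main__":
    packet = parse_hex_dump(HEX_DUMP)
    for key, value in decode_logon_reply(packet).items():
        print(f"{key}: {value}")
    bogus = misread_as_length(packet)
    print(f"string bytes read as a count: {bogus}")   # 1768713281, as in the GUI
    try:
        guard_count(bogus, len(packet))
    except MalformedPacket as err:
        print(f"rejected: {err}")
```

Run it with python3 and it prints the two strings, the return code and the 1768713281 figure, then the guard's rejection of that figure. The design point is the placement of guard_count: it runs on every wire-derived count before any slice or allocation, so the worst a corrupt or hostile length can do is raise MalformedPacket, which is exactly the "[Malformed Packet]" verdict a dissector should report rather than attempting the allocation.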