Wireshark-bugs: [Wireshark-bugs] [Bug 9398] New: dissectors bug with a SASL/GSSAPI/Kerberos secu

Date: Thu, 07 Nov 2013 21:00:10 +0000
Bug ID 9398
Summary dissectors bug with a SASL/GSSAPI/Kerberos security layer employing integrity only (no encryption)
Classification Unclassified
Product Wireshark
Version 1.10.3
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 12039 [details]
LDAP with SASL layer, integrity-only

Build Information:
Version 1.8.4 (SVN Rev 46250 from /trunk-1.8)

Copyright 1998-2012 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.10, with Cairo 1.10.2, with Pango 1.30.0, with
GLib 2.32.2, with WinPcap (4_1_2), with libz 1.2.5, without POSIX capabilities,
with SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS
2.12.18, with Gcrypt 1.4.6, without Kerberos, with GeoIP, with PortAudio
V19-devel (built Nov 28 2012), with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.12.18, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 10.0 build 40219

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
The dissectors for SASL/GSSAPI/Kerberos do not correctly handle a SASL security
layer with integrity only (no encryption). The problem is that the code in
packet-spnego.c (dissect_spnego_krb5()) looks for the checksum before the
plaintext (right after the sequence number), whereas in the case of
integrity-only it comes *after* the plaintext (I believe the correct reference
here is RFC 4121 section 4.2.6.2). Thus, it misidentifies part of the plaintext
as the checksum, and then throws a decoding error when it tries to interpret
the following bytes as an LDAP message.

The dissectors do work properly in the case of a SASL layer *with* encryption
(employing the Kerberos dissector feature which can decrypt messages given an
appropriate keytab).

I am attaching a packet capture of an LDAP connection using GSSAPI/Kerberos
with an integrity-only SASL layer, which demonstrates the problem. The server
in this case is OpenLDAP 2.4.23-32.el6_4.1.

Thanks,

Richard E. Silverman


You are receiving this mail because:
  • You are watching all bug changes.