Wireshark-bugs: [Wireshark-bugs] [Bug 9988] New: Unencrypted heartbeat requests are marked as en

Date: Mon, 14 Apr 2014 12:29:18 +0000
Bug ID 9988
Summary Unencrypted heartbeat requests are marked as encrypted
Classification Unclassified
Product Wireshark
Version Git
Hardware All
OS All
Status UNCONFIRMED
Severity Normal
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 12692 [details]
Malicious and normal heartbeats (gzip-compressed pcapng)

Build Information:
v1.11.3-rc1-2361-g92b5013
--
The attached packet gets marked as an encrypted heartbeat request. However, all
record contents before the ChangeCipherSpec message is unencrypted. This bug
also makes it impossible to detect the Heartbleed bug using the expert info
filter.

The capture consists of two sessions:

 1. Client exploitation[1] of Heartbleed (using vulnerable OpenSSL):

    ./pacemaker.py -x2 -n 0xffed
    curl -o /dev/null https://localhost:4433/
 2. Normal, legit, encrypted heartbeats using:

    openssl s_server
    openssl s_client -connect 0:4433 -cipher AES128-SHA

    Issue the "B" command to trigger heartbeats. The keys for this capture file
can be found below.

premaster.txt (join the three parts on a single space-separated line):

CLIENT_RANDOM

1262217b86f7155305c3045fa3f49b78e98e08df3bc01c8a4fa9c8bec9fb9918

c55e3c28faa0f5c9c19726d5ac1ae421a95deac89849ee398095c4d6c66e0ae5d3acc6e77406e9646e8208bfea21fad8


 [1]: https://github.com/Lekensteyn/pacemaker


You are receiving this mail because:
  • You are watching all bug changes.