Bug ID |
12748
|
Summary |
Crash in ISAKMP dissector after modifying UAT with IKEv2 keys
|
Product |
Wireshark
|
Version |
2.0.4
|
Hardware |
x86
|
OS |
Ubuntu
|
Status |
UNCONFIRMED
|
Severity |
Normal
|
Priority |
Low
|
Component |
Dissection engine (libwireshark)
|
Assignee |
[email protected]
|
Reporter |
[email protected]
|
Created attachment 14811 [details]
PCAP file with 4 IKEv2 packets, two of them are encrypted with AES-256-CBC
algorithm
Build Information:
wireshark -v
Wireshark 2.0.4
Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GTK+ 3.10.8, with Cairo 1.13.1, with Pango 1.36.3, with
libpcap, with POSIX capabilities (Linux), with libnl 3, with libz 1.2.8, with
GLib 2.40.2, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, with GnuTLS
2.12.23, with Gcrypt 1.5.3, with MIT Kerberos, with GeoIP, with PortAudio
V19-devel (built Feb 25 2014 21:09:53), without AirPcap.
Running on Linux 3.19.0-65-generic, with locale
LC_CTYPE=pl_PL.UTF-8;LC_NUMERIC=pl_PL.UTF-8;LC_TIME=pl_PL.UTF-8;LC_COLLATE=C;LC_MONETARY=pl_PL.UTF-8;LC_MESSAGES=pl_PL.UTF-8;LC_PAPER=pl_PL.UTF-8;LC_NAME=pl_PL.UTF-8;LC_ADDRESS=pl_PL.UTF-8;LC_TELEPHONE=pl_PL.UTF-8;LC_MEASUREMENT=pl_PL.UTF-8;LC_IDENTIFICATION=pl_PL.UTF-8,
with libpcap version 1.5.3, with libz 1.2.8, with GnuTLS 2.12.23, with Gcrypt
1.5.3.
Intel(R) Core(TM) i5-3230M CPU @ 2.60GHz (with SSE4.2)
Built using gcc 4.8.4.
Crash Also occurs in wireshark 1.10.6 from stock Ubuntu 14.04. LTS package and
still is in master branch on http://code.wireshark.org/
--
Crash occurs after modifying IKEv2 UAT table (which is used to provide keys to
decrypt IKE encrypted packets).
Steps to reproduce:
1. Run Wireshark, edit preferences, select ISAKMP protocol settings
Click Button 'Edit' next to IKEv2 Decryption Table
2. Add keys and parameters needed for decryption of encrypted IKEv2 packets in
fields. In case of using attached pcap file, fill following parameters:
SPI_i: 191CCD371A7A1F7B (Initiator's SPI)
SPI_r: BC123D15E4AF593F (Responder's SPI)
Sk_ei: 9096DDD2933620E8F48122C53A3F562CB0222C1CF97CE41FCC874EA2582A89AC
Sk_er: 6718C6B2BBEF2F234EAC4C13832F885D87B574AFD2AF0111161E99B5DC61B4D4
Sk_ai: 12D532C3E83C757906AF548DFE1CCF223CA5507AF77898454E2D55C8ACE57A17
Sk_ar: 30C4EAD18C93024B58A86C1E3DB60F550221801026853170B4CB0248D3A95329
encryption algo: "AES-CBC-256 [RFC3602]"
integrity algo:"HMAC_SHA2_256_128 [RFC4868]"
3. Add another key set (values are not significant), ie:
SPI_i: 1234567890123456
SPI_r: 0987654321098765
encryption algo: NULL
integrity algo: NULL
4. Click OK for saving these keys, and OK in preference window for save
preferences.
5. Open pcap file with IEv2 traffic, some pacets encrypted with one of added
key sets. Confirm that encrypted IKE packets are correctly decrypted in
Wireshark.
6. Edit once more IKEv2 Decryption Table. Delete not-matching pcap file key set
(added in point 3). Click OK for close IKEv2 Decryption Table dialog and once
more for closing preferences.
7. Crash occurs
Notes:
Crash occurs on GTK and also Qt versions of wireshark
I observed this behaviour on 1.10.6 stock Ubuntu 14.04 LTS version, and GIT
versions: latest from master-1.10 head, latest from master-1.12 head and in
latest master head.
I provide test keys, pcap file and pre-filled IKEv2 Decryption Table
(ikev2_decryption_table, which can be put in ~/.wireshark directory) with keys
already filled for testing.
In case of using provided ikev2_decryption_table file, you can skip steps 1-5.
Crash occurs also if steps 6 and 7 are swapped.
I noticed crash does not occur if previously ikev2_decryption_table was empty
(so step 6 is necessary for reproducing bug).
No crash occurs if ikev2_decryption_table is not modified.
You are receiving this mail because:
- You are watching all bug changes.