Wireshark-users: Re: [Wireshark-users] Malformed packet within Putty's 0.52 SSH

Date: Sat, 07 Oct 2006 10:11:37 -0400
Andrew Hood wrote:
LDB wrote:

Within Ethereal I am detecting a malformed packet coming
from a Putty SSH Client using version 0.52. Could my users
have downloaded a tainted version of Putty?


Does PuTTY think it is malformed? My observation is that this usually
happens tunnelling an X client. PuTTY pops up an error dialog, closes
the connection and the X client then proceeds to crash.

What version of Windows is this? I see it quite often on NT, but not on
XP with the same binaries compiled with MSVC7. (To add some options not
included in the standard version.)

XP



Also, why does Ethereal consider it a malformed packet from SSH?


Because it might be malformed, or contains encodings Ethereal/WireShark
does not expect.
sshd2[30327]: WARNING: DNS lookup failed for "10.10.11.2"
SSH-2.0-3.2.9 SSH Secure Shell

SSH-2.0-PuTTY-Release-0.52

..........5G"` .......BA.....W.k..:.".....diffie-hellman-g
..........2.A>....(..d...=diffie-hellman-group-exchange-sh
..........oI....J\F`.i$.~....A..1 d....H.a....7.r..u....w.
...........jQ............1....ssh-dss.......h.{......[v#r.
..............E.....
...qp.).dPv
....
....C......
.dS.6~.............Yr.c*.........T......9....F..3.ii
%...?l.E.E...r...8....L=..z0.......)...I3...r.....1.u.....
...f`.:..k..`.:?H..P..r
f.....ZW^...A.......t.c...>.....x?
:..H..d~.$.M.^V.h{5w....}J..g0..y4.....597.e.....*.g....3.
..........>JR.g z|....l.lM........U.w~........N.......oL.'
.....
..."$M..e...fJ:....KTG....V..`.N....Y..2W.
>g.~..$)


The above was produced in Expert Info and Follow TCP Streams shown as
ASCII. Actually I have attached ASCII and hexdump formats.


As suggested a capture trace might help, including the "malformed"
packet(s), but if you can produce a small complete session exhibiting
the error it might be more helpful.

I would have done this before, but since I have not been able to get
WinPCAP working on Token Ring for months, I haven't.


sshd2[30327]: WARNING: DNS lookup failed for "10.8.4.3
SSH-2.0-3.2.9 SSH Secure Shell

SSH-2.0-PuTTY-Release-0.52

..........5G"` .......BA.....W.k..:.".....diffie-hellman-g
..........2.A>....(..d...=diffie-hellman-group-exchange-sh
..........oI....J\F`.i$.~....A..1 d....H.a....7.r..u....w.
...........jQ............1....ssh-dss.......h.{......[v#r.
..............E.....
...qp.).dPv
....
....C......
.dS.6~.............Yr.c*.........T......9....F..3.ii
%...?l.E.E...r...8....L=..z0.......)...I3...r.....1.u.....
...f`.:..k..`.:?H..P..r
f.....ZW^...A.......t.c...>.....x?
:..H..d~.$.M.^V.h{5w....}J..g0..y4.....597.e.....*.g....3.
..........>JR.g z|....l.lM........U.w~........N.......oL.'
.....
..."$M..e...fJ:....KTG....V..`.N....Y..2W.
>g.~..$)
                                                                              00000000  73 73 68 64 32 5b 33 30  33 32 37 5d 3a 20 57 41 sshd2[30 327]: WA

                                                                              00000010  52 4e 49 4e 47 3a 20 44  4e 53 20 6c 6f 6f 6b 75 RNING: D NS looku

                                                                              00000020  70 20 66 61 69 6c 65 64  20 66 6f 72 20 22 31 30 p failed  for "10

                                                                              00000030  2e 31 31 38 2e 32 34 2e  32 33                   .11.2. 3

                                                                              0000003A  53 53 48 2d 32 2e 30 2d  33 2e 32 2e 39 20 53 53 SSH-2.0- 3.2.9 SS

                                                                              0000004A  48 20 53 65 63 75 72 65  20 53 68 65 6c 6c 0d 0a H Secure  Shell..

00000000  53 53 48 2d 32 2e 30 2d  50 75 54 54 59 2d 52 65 SSH-2.0- PuTTY-Re

00000010  6c 65 61 73 65 2d 30 2e  35 32 0a                lease-0. 52.

                                                                              0000005A  00 00 00 0c 06 02 00 00  00 00 35 47 22 60 20 ec ........ ..5G"` .

                                                                              0000006A  00 00 01 d4 06 14 42 41  b4 d4 ef c8 96 57 ca 6b ......BA .....W.k

                                                                              0000007A  96 ea 3a ef 22 16 00 00  00 1a 64 69 66 66 69 65 ..:."... ..diffie

                                                                              0000008A  2d 68 65 6c 6c 6d 61 6e  2d 67                   -hellman -g

0000001B  00 00 01 e4 0b 14 19 c8  9d 14 32 fc 41 3e bb b2 ........ ..2.A>..

0000002B  f0 c8 28 9b 9a 64 00 00  00 3d 64 69 66 66 69 65 ..(..d.. .=diffie

0000003B  2d 68 65 6c 6c 6d 61 6e  2d 67 72 6f 75 70 2d 65 -hellman -group-e

0000004B  78 63 68 61 6e 67 65 2d  73 68                   xchange- sh

00000055  00 00 00 8c 06 1e 00 00  00 80 6f 49 d0 99 11 98 ........ ..oI....

00000065  4a 5c 46 60 c1 69 24 ea  7e 1b 1c b3 13 41 bd 95 J\F`.i$. ~....A..

00000075  31 20 64 0c 1f 90 11 48  83 61 17 bb c9 0b 37 cd 1 d....H .a....7.

00000085  72 fb 84 75 bd e3 fe 81  77 b1                   r..u.... w.

                                                                              00000094  00 00 00 0c 06 02 00 00  00 00 ea 6a 51 c2 9d a4 ........ ...jQ...

                                                                              000000A4  00 00 03 fc 06 1f 00 00  03 31 00 00 00 07 73 73 ........ .1....ss

                                                                              000000B4  68 2d 64 73 73 00 00 01  01 00 95 9a 68 f0 7b 96 h-dss... ....h.{.

                                                                              000000C4  e4 d7 81 94 cf 5b 76 23  72 8e                   .....[v# r.

                                                                              000000CE  00 00 00 0c 06 02 00 00  00 00 b9 7f e5 82 45 c6 ........ ......E.

                                                                              000000DE  00 00 00 0c 0a 15 f8 86  71 70 d4 29 e0 64 50 76 ........ qp.).dPv

0000008F  00 00 00 0c 0a 15 1e f7  ce 43 e0 0e e4 1f a1 19 ........ .C......

0000009F  a0 64 53 d5 36 7e fa be  de c9 92 f8 fe 04 12 b3 .dS.6~.. ........

000000AF  07 b3 90 59 72 97 63 2a  91 af a9 ae 12 a0 1d 7f ...Yr.c* ........

000000BF  d0 54 e5 e6 9a f3 cb cc  39 01 e4 f1 1f 46 af dd .T...... 9....F..

000000CF  33 d9 69 69                                      3.ii

                                                                              000000EE  25 a2 0f db 3f 6c e5 45  db 45 da 14 e9 72 d2 ca %...?l.E .E...r..

                                                                              000000FE  8f 38 0f d3 88 8b 4c 3d  ea 15 7a 30 dc fa fe ab .8....L= ..z0....

                                                                              0000010E  b1 f2 fa 29 c6 f6 f9 49  33 b9 a5 d2 72 b6 fa a3 ...)...I 3...r...

                                                                              0000011E  ca c7 31 ab 75 11 c0 85  b3 db                   ..1.u... ..

000000D3  ca af b3 66 60 b5 3a 11  9b 6b cb e5 60 bf 3a 3f ...f`.:. .k..`.:?

000000E3  48 ed 1d 50 86 83 72 0a  66 9a 98 f1 ac 15 5a 57 H..P..r. f.....ZW

000000F3  5e ca ae af 41 b5 1e d3  b7 bb 0e eb 74 c3 63 ef ^...A... ....t.c.

00000103  80 14 3e a4 b9 b8 12 b3  78 3f                   ..>..... x?

                                                                              00000128  3a c1 bd 48 c9 0c 64 7e  c1 24 9b 4d 0e 5e 56 e6 :..H..d~ .$.M.^V.

                                                                              00000138  68 7b 35 77 1b e8 f7 8f  7d 4a d7 1f 67 30 1b b1 h{5w.... }J..g0..

                                                                              00000148  79 34 92 8a f8 cd cc 35  39 37 fd 65 e7 ce 08 08 y4.....5 97.e....

                                                                              00000158  a3 2a 0b 67 a0 db 85 8a  33 f1                   .*.g.... 3.

                                                                              00000162  bb 87 9c 99 0b 97 eb ff  06 c7 3e 4a 52 ad 67 20 ........ ..>JR.g 

                                                                              00000172  7a 7c 1c d9 84 81 6c 7f  6c 4d ac 0e c8 ff 0c 7f z|....l. lM......

                                                                              00000182  cc 9d 55 0e 77 7e ac a4  9c e5 12 ae f8 c0 4e ee ..U.w~.. ......N.

                                                                              00000192  d9 cc 1a dc d8 f9 6f 4c  04 27                   ......oL .'

                                                                              0000019C  13 fc bd df 0f 0a d1 17  b2 22 24 4d aa c8 65 c6 ........ ."$M..e.

                                                                              000001AC  ea b9 66 4a 3a e2 91 e3  10 4b 54 47 c6 cb cf f2 ..fJ:... .KTG....

                                                                              000001BC  56 eb e3 60 05 4e 8f b5  ac c6 59 04 96 32 57 1b V..`.N.. ..Y..2W.

                                                                              000001CC  0a 3e 67 c9 7e 0b d0 24  29 0d                   .>g.~..$ ).