Wireshark-users: [Wireshark-users] in >wireshark-2.0.2, tshark follow ssl stream segfaults

Date Prev · Date Next · Thread Prev · Thread Next
From: Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx>
Date: Tue, 12 Jul 2016 20:11:13 +0200
Hi!

(Gentoo meta distro here, but I can't tell if I should file a bug on
Gentoo bugzilla or Wireshark bugzilla, so I'm trying ML first.)

I just tried (after downgrade-reinstall), and the following problem does
not occur with:

TShark (Wireshark) 2.0.2 (SVN Rev Unknown from unknown)
...
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.48.1, with SMI 0.5.0, without c-ares, without ADNS,
with Lua 5.1, with GnuTLS 3.4.14, with Gcrypt 1.7.1, without Kerberos, without
GeoIP.

Running on Linux 4.5.7-hardened-r7-160710, with locale en_GB.utf8, with libpcap
version 1.7.4, with libz 1.2.8, with GnuTLS 3.4.14, with Gcrypt 1.7.1.
AMD Phenom(tm) II X4 965 Processor

Built using gcc 5.4.0.

However, it occurs with greater versions (can't recall which one exact
other --only one other version as well I tried-- I had this problem
with, but I'll report it now with:

TShark (Wireshark) 2.1.0 (Git Rev Unknown from unknown)
...
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.48.1, with zlib 1.2.8, with SMI 0.5.0, without c-ares, with Lua 5.1,
with GnuTLS 3.4.14, with Gcrypt 1.7.1, without Kerberos, without GeoIP.

Running on Linux 4.5.7-hardened-r7-160710, with locale en_GB.utf8, with libpcap
version 1.7.4, with GnuTLS 3.4.14, with Gcrypt 1.7.1, with zlib 1.2.8.
AMD Phenom(tm) II X4 965 Processor

Built using gcc 5.4.0.

---
And now the problem. I figured out something was wrong because my
(primitive) program:
https://github.com/miroR/tshark-streams.git
wouldn't get SSL streams neither as ascii (text) nor as binary (raw)
(see the script pls.).

Samples for checking with the above versions are only two files from. I
used these because the trace is short enough, and all is already
posted:
http://www.croatiafidelis.hr/foss/cap/cap-160606-dns-hr/

dump_160606_1328_g0n.pcap
	and
dump_160606_1xxx_SSLKEYLOGFILE.txt

Now, running this command with greater version than 2.0.2 of Wireshark
(such as 2.1.0):

tshark -o "ssl.keylog_file: dump_160606_1xxx_SSLKEYLOGFILE.txt" -r \
	"dump_160606_1328_g0n.pcap" -T fields -e data -qz follow,ssl,raw,0 \
	| grep -E '[[:print:]]' > dump_160606_1328_g0n_s000-ssl.raw

gets me these in the syslog:

Jul 12 18:01:53 g0n kernel: [158754.212925] grsec: (miro:U:/) exec of
/usr/bin/tshark (tshark -o ssl.keylog_file:
dump_160606_1xxx_SSLKEYLOGFILE.txt -r dump_160606_1328_g0n.pcap -T
fields -e data -qz follow,ssl,raw,) by /usr/bin/tshark[bash:11975]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29776]
uid/euid:1000/1000 gid/egid:1000/1000

Jul 12 18:01:53 g0n kernel: [158754.213675] grsec: (miro:U:/) exec of
/bin/grep (grep --colour=auto -E [[:print:]] ) by /bin/grep[bash:11976]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29776]
uid/euid:1000/1000 gid/egid:1000/1000

Jul 12 18:01:53 g0n kernel: [158754.612649] traps: tshark[11975] general
protection ip:23c0292717 sp:3cdf3aec7f0 error:0 in
tshark[23c026e000+43000]

Jul 12 18:01:53 g0n kernel: [158754.612673] grsec: (miro:U:/)
Segmentation fault occurred at            (nil) in
/usr/bin/tshark[tshark:11975] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000

Jul 12 18:01:53 g0n kernel: [158754.612689] grsec: (miro:U:/) denied
resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for
/usr/bin/tshark[tshark:11975] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000

And surely, no SSL streams are extracted... Just some garbage, or
incomplete tiny stubs instead...  Or more errors...

While running that same command with the version of wireshark-2.0.2
(still available in Gentoo portage), runs without errors and gets me the
SSL strams decrypted, either binary (as above) or text. The (primitive)
program tshark-streams.sh that I linked above, gets the streams
automatically, all of them if set to, or some only, without problems
with 2.0.2, SSL or simple TCP streams, and the same program --or just
that command line for quick testing-- does get simple tcp streams
with also wireshark greater than 2.0.2, but does *not* get the SSL with
wireshark greater than 2.0.2.

Does anybody else, with Gentoo or with other distro, has this problem?

Also, as can be seen from the logs, I have a grsecurity-hardened kernel,
it could have to do with that as well... don't know what to try next
(other than keeping with the working older version ;-) but I like to be
closer to the new development ;-) ...).

Regards!

-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

Attachment: signature.asc
Description: PGP signature