[Wireshark-bugs] [Bug 13191] Malformed Packet - SSL
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13191

--- Comment #3 from Peter Wu ---
No idea what 17 00 15 00 belongs to, though one could interpret "00 15" as a length of 21 (for 00 00 12 77 77 ...), but then you still have an excess "17" (23). 23 is also the record layer type for Application Data, but that meaning seems unlikely here.

--
You are receiving this mail because:
You are watching all bug changes.
___
Sent via: Wireshark-bugs mailing list
Archives: https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe
[Wireshark-bugs] [Bug 13191] Malformed Packet - SSL
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13191

tzahpahima...@gmail.com changed:

What          |Removed       |Added
Status        |RESOLVED      |VERIFIED
[Wireshark-bugs] [Bug 13191] Malformed Packet - SSL
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13191

--- Comment #2 from tzahpahima...@gmail.com ---
(In reply to Peter Wu from comment #1)
> The capture seems malformed.
>
> Frame 11 + 12, reassembled:
> [Client Hello ...]
> [elliptic_curves extension ...]
> 00 00   Extension Type: Server Name Indication (0)
> 17 00   Extension Length: 5888 (!)
>
>
> Interpreting it in a slightly different way:
> [Client Hello ...]
> [elliptic_curves extension ...]
> 00 00   Extension Type: Server Name Indication (0)
> 17 00 15 00 (?? what is this garbage)
> 00 12   Length: 18
> 77 77 77 2e 73 61 6d 73 75 6e 67 6f 74 6e 2e 6e 65 74   www.samsungotn.net
> 00 0b   Extension Type: EC Point Formats
> 00 04   Length: 4
> 03 00 01 02
> 00 0a   Extension Type: supported_groups (renamed from elliptic_curves)
> 00 34   Length: 52
> 00 32 00 01 00 02 00 03 00 04 00 ...
>
> This makes no sense, your MITM tool is broken, it is producing garbage that
> (rightfully) makes the server reset the connection.
>
> Though for some weird reason, frame 199 does contain a Server Hello (in
> response to the malformed Client Hello in frame 198). Is this an attempt to
> exploit a vulnerability?

Very weird, my MITM tool only modifies the packet using scapy with scapy_ssl_tls and python 2.7.11 and shouldn't be outputting any garbage. Any idea what 17 00 15 00 might belong to? Seems weird to me but I'll try to check it.

I am trying to actually exploit a vulnerability in the client - not the server, but now that you mention that server hello it actually is pretty interesting - although I don't think it might indicate a vulnerability (maybe a problem with SSL implementation but it doesn't seem to lead anywhere).
[Wireshark-bugs] [Bug 13191] Malformed Packet - SSL
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13191

Peter Wu changed:

What          |Removed       |Added
Status        |CONFIRMED     |RESOLVED
Resolution    |---           |NOTABUG

--- Comment #1 from Peter Wu ---
The capture seems malformed.

Frame 11 + 12, reassembled:
[Client Hello ...]
[elliptic_curves extension ...]
00 00   Extension Type: Server Name Indication (0)
17 00   Extension Length: 5888 (!)

Interpreting it in a slightly different way:
[Client Hello ...]
[elliptic_curves extension ...]
00 00   Extension Type: Server Name Indication (0)
17 00 15 00 (?? what is this garbage)
00 12   Length: 18
77 77 77 2e 73 61 6d 73 75 6e 67 6f 74 6e 2e 6e 65 74   www.samsungotn.net
00 0b   Extension Type: EC Point Formats
00 04   Length: 4
03 00 01 02
00 0a   Extension Type: supported_groups (renamed from elliptic_curves)
00 34   Length: 52
00 32 00 01 00 02 00 03 00 04 00 ...

This makes no sense, your MITM tool is broken, it is producing garbage that (rightfully) makes the server reset the connection.

Though for some weird reason, frame 199 does contain a Server Hello (in response to the malformed Client Hello in frame 198). Is this an attempt to exploit a vulnerability?
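Added example, not part of the original thread and not Wireshark's dissector code: a bounds-checked walk over a TLS extensions block, showing why the bytes quoted in comment #1 are reported as malformed. The function names are hypothetical; AS_CAPTURED is an excerpt assembled from the bytes in the thread (starting at the Server Name Indication extension), and WELL_FORMED is constructed here for contrast.

```python
import struct

EXT_NAMES = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats"}

def walk_extensions(block):
    """Walk a TLS extensions block; return (parsed, error).

    parsed lists (type, data) for extensions that fit; error describes the
    first extension whose header or declared length overruns the block.
    """
    parsed, off = [], 0
    while off < len(block):
        if len(block) - off < 4:
            return parsed, f"offset {off}: truncated extension header"
        ext_type, ext_len = struct.unpack_from("!HH", block, off)
        remaining = len(block) - off - 4
        if ext_len > remaining:
            name = EXT_NAMES.get(ext_type, str(ext_type))
            return parsed, (f"offset {off}: {name} declares {ext_len} bytes, "
                            f"only {remaining} remain")
        parsed.append((ext_type, block[off + 4:off + 4 + ext_len]))
        off += 4 + ext_len
    return parsed, None

def parse_sni(data):
    """Return host_name from single-entry server_name data (RFC 6066)."""
    if len(data) < 5:
        raise ValueError("server_name data too short")
    list_len, name_type, name_len = struct.unpack_from("!HBH", data, 0)
    if list_len != len(data) - 2 or name_type != 0 or name_len != len(data) - 5:
        raise ValueError("inconsistent server_name lengths")
    return data[5:].decode("ascii")

# Hostname and EC Point Formats bytes as quoted in comment #1.
HOST = bytes.fromhex("7777772e73616d73756e676f746e2e6e6574")
EC_POINT_FORMATS = bytes.fromhex("000b000403000102")

# Excerpt as captured: 00 00 | 17 00 | 15 00 00 12 | hostname | next extension
AS_CAPTURED = bytes.fromhex("0000" "1700" "15000012") + HOST + EC_POINT_FORMATS

# Constructed for contrast: the same hostname in a well-formed extension.
WELL_FORMED = (struct.pack("!HHHBH", 0, len(HOST) + 5, len(HOST) + 3, 0, len(HOST))
               + HOST + EC_POINT_FORMATS)

if __name__ == "__main__":
    for label, blob in (("as captured", AS_CAPTURED), ("well-formed", WELL_FORMED)):
        exts, err = walk_extensions(blob)
        print(label, [t for t, _ in exts], err or "ok")
```

In the well-formed encoding the extension length field reads 00 17 (23), which is the 5 bytes of server_name list framing plus the 18-byte hostname; the captured bytes read 17 00 in that position, which is the 5888 reported in the thread.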
[Wireshark-bugs] [Bug 13191] Malformed Packet - SSL
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13191

Alexis La Goutte changed:

What          |Removed       |Added
CC            |              |pe...@lekensteyn.nl
[Wireshark-bugs] [Bug 13191] Malformed Packet - SSL
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13191

Alexis La Goutte changed:

What          |Removed       |Added
CC            |              |alexis.lagou...@gmail.com
[Wireshark-bugs] [Bug 13191] Malformed Packet - SSL
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13191

tzahpahima...@gmail.com changed:

What          |Removed       |Added
Status        |UNCONFIRMED   |CONFIRMED
Ever confirmed|0             |1