https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15206

            Bug ID: 15206
           Summary: OPC UA decoding does not consider the signature of
                    message chunks
           Product: Wireshark
           Version: 2.6.4
          Hardware: x86
                OS: Windows 7
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: j...@hms.se
  Target Milestone: ---

Created attachment 16649
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16649&action=edit
Create Session Request/Response

Build Information:
Version 2.6.4 (v2.6.4-0-g29d48ec8) 

Copyright 1998-2018 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software;
see the source for copying conditions. There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 

Compiled (64-bit) with Qt 5.9.5, with WinPcap (4_1_3), with GLib 2.42.0, with
zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS
3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with MaxMind DB resolver, with
nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia,
with AirPcap, with SBC, with SpanDSP, with bcg729. 
Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM)
i7-6600U CPU @ 2.60GHz (with SSE4.2), with 7856 MB of physical memory, with
locale Swedish_Sweden.1252, with WinPcap version 4.1.3 (packet.dll version
4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with
GnuTLS 3.4.11, with Gcrypt 1.7.6, without AirPcap, binary plugins supported (14
loaded). Built using Microsoft Visual C++ 14.12 build 25835 
Wireshark is Open Source Software released under the GNU General Public
License. 

Check the man page and http://www.wireshark.org for more information. 
--
When Wireshark concatenates several message chunks into a complete message when
the secure channel is signed, it does not consider the signature at the end of
each message chunk when decoding the message. This makes Wireshark fail when
it tries to parse the message. All data that has been transmitted in the first
message chunk is parsed properly, but all data from message chunk 2 onward
fails as it treats the signature of the first message chunk as message data.

In the attached Wireshark log a CreateSessionRequest is sent to an OPC UA
server and a response is received in return. The message chunk size is 8192
bytes (minimum allowed chunk size) and the response is therefore transferred in
two message chunks. The first chunk is completed in frame 12. The second chunk
is only one TCP frame and is received in frame 14. Wireshark can parse the
response until the ServerCertificate of ServerEndpoint[4]. This is also the
location where the message is split between message chunk 1 and 2.

What I can see is that the message signature of message chunk 1 (last 20 bytes
of frame 12) is treated as message data and in this case as part of the
ServerCertificate of ServerEndpoint[4]. All data is then offset by 20 bytes and
Wireshark fails to parse the remaining message data.
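
The reassembly problem described in the report, as an added example that is not part of the bug report and is not Wireshark's code: it builds two constructed signed `MSG` chunks and reassembles them with and without removing the per-chunk signature. Assumptions: symmetric chunks on a sign-only channel (no encryption padding), a 24-byte chunk header (message header, SecureChannelId, TokenId, sequence header), and the 20-byte signature length mentioned in the report; all function names are hypothetical.

```python
import struct

HEADER_LEN = 24  # 8 message header + 4 SecureChannelId + 4 TokenId + 8 sequence header
SIG_LEN = 20     # assumption: signature length from the report; depends on the security policy


def build_chunk(is_final, body, signature, channel=1, token=1, seq=1, req=1):
    """Build one signed MSG chunk (constructed sample data, not a capture)."""
    size = HEADER_LEN + len(body) + len(signature)
    header = b"MSG" + is_final + struct.pack("<IIIII", size, channel, token, seq, req)
    return header + body + signature


def chunk_body(chunk, sig_len):
    """Return the body of one chunk, without headers and without the trailing signature."""
    if len(chunk) < HEADER_LEN + sig_len:
        raise ValueError("chunk shorter than headers plus signature")
    if chunk[:3] != b"MSG" or chunk[3:4] not in (b"C", b"F"):
        raise ValueError("not an intermediate or final MSG chunk")
    (size,) = struct.unpack_from("<I", chunk, 4)
    if size != len(chunk):
        raise ValueError("MessageSize does not match chunk length")
    return chunk[HEADER_LEN:size - sig_len]


def reassemble(chunks, sig_len):
    """Concatenate chunk bodies; sig_len=0 leaves the signatures in, as in the report."""
    if not chunks or chunks[-1][3:4] != b"F" or any(c[3:4] != b"C" for c in chunks[:-1]):
        raise ValueError("expected intermediate chunks followed by one final chunk")
    return b"".join(chunk_body(c, sig_len) for c in chunks)


def demo():
    message = bytes(range(256)) * 2                    # constructed 512-byte message body
    sig1, sig2 = b"\xAA" * SIG_LEN, b"\xBB" * SIG_LEN  # placeholder signature bytes
    chunks = [build_chunk(b"C", message[:300], sig1, seq=1),
              build_chunk(b"F", message[300:], sig2, seq=2)]
    # Second value: signatures left in the stream; bytes after offset 300 are shifted by 20.
    return message, reassemble(chunks, SIG_LEN), reassemble(chunks, 0)


if __name__ == "__main__":
    message, good, naive = demo()
    print(good == message, naive[300:320].hex())
```
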
