Wireshark-bugs: [Wireshark-bugs] [Bug 4665] New: NTLMSSP_AUTH domain, user and host truncated wh
Date: Mon, 12 Apr 2010 19:31:57 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4665

           Summary: NTLMSSP_AUTH domain, user and host truncated when
                    NTLMSSP_CHALLENGE not in trace
           Product: Wireshark
           Version: 1.2.7
          Platform: x86
        OS/Version: Windows XP
            Status: NEW
          Severity: Minor
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: mgsholaas@xxxxxxxxx


Created an attachment (id=4520)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4520)
Traces and screen shots illustrating the problem

Build Information:
Version 1.2.7 (SVN Rev 32341)

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.16.6, with GLib 2.22.4, with WinPcap (version unknown),
with libz 1.2.3, without POSIX capabilities, without libpcre, with SMI 0.4.8,
with c-ares 1.7.0, with Lua 5.1, with GnuTLS 2.8.5, with Gcrypt 1.4.5, with MIT
Kerberos, with GeoIP, with PortAudio V19-devel (built Mar 31 2010), with
AirPcap.

Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1.1
(packet.dll version 4.1.0.1753), based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 2.8.5, Gcrypt 1.4.5, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 30729

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
In the decode of an NTLMSSP authentication handshake, if there is no complete
NTLMSSP_CHALLENGE in the trace (either it was deleted/not captured, or the
server never used one), in the decode of the NTLMSSP_AUTH, the domain, user and
host decodes are truncated to 1 character, though the complete values clearly
exist as seen in the packet bytes. I've a attached a zip file
(NTLMSSP_DecodeProb.zip) with two traces, one containing an NTLMSSP_CHALLENGE
as well as an NTLMSSP_AUTH (NTLMSSP_DecodeProb-1.cap), and the second identical
to the first except the NTLMSSP_CHALLENGE (2 frames) has been deleted
(NTLMSSP_DecodeProb-1.cap). In their respective screenshots, you can see
domain, user and host displays are complete in the first, truncated in the
second. Merely filtering out the NTLMSSP_CHALLENGE from the display does not
cause the problem; it has to be deleted from the file. This behavior is not
unique to 1.2.7 but goes back at least several versions. I've just started
tracing a proxy which does not use NTLMSSP_CHALLENGE and therefore the summary
and detail lines make it appear that the proxy is accepting incorrect
credentials. I have to check the frame bytes to know for sure.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.