Wireshark-bugs: [Wireshark-bugs] [Bug 12616] New: in >wireshark-2.0.2, tshark follow ssl stream
Date: Wed, 13 Jul 2016 06:28:22 +0000
Bug ID: 12616
Summary: in >wireshark-2.0.2, tshark follow ssl stream segfaults
Product: Wireshark
Version: unspecified
Hardware: x86
OS: All
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: TShark
Assignee: bugzilla-admin@wireshark.org
Reporter: miro.rovis@croatiafidelis.hr

Created attachment 14722
sample PCAP for the command in text

Build Information:
TShark (Wireshark) 2.1.0 (Git Rev Unknown from unknown)
...
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.48.1, with zlib 1.2.8, with SMI 0.5.0, without c-ares, with Lua
5.1,
with GnuTLS 3.4.14, with Gcrypt 1.7.1, without Kerberos, without GeoIP.

Running on Linux 4.5.7-hardened-r7-160710, with locale en_GB.utf8, with libpcap
version 1.7.4, with GnuTLS 3.4.14, with Gcrypt 1.7.1, with zlib 1.2.8.
AMD Phenom(tm) II X4 965 Processor

Built using gcc 5.4.0.
--
With wireshark versions greater than wireshark-2.0.2, I noticed that tshark
does recover SSL streams correctly, but crashes with a segmentation fault.

Please use the attached files dump_160606_1328_g0n.pcap and
dump_160606_1xxx_SSLKEYLOGFILE.txt.

This command (as well as anything that extracts SSL in my simple, and
unfinished, program at https://github.com/miroR/tshark-streams.git):

tshark -o "ssl.keylog_file: dump_160606_1xxx_SSLKEYLOGFILE.txt" -r \
    "dump_160606_1328_g0n.pcap" -T fields -e data -qz follow,ssl,raw,0 \
    | grep -E '[[:print:]]' > dump_160606_1328_g0n_s000-ssl.raw

gets me these lines in the syslog:

Jul 12 18:01:53 g0n kernel: [158754.212925] grsec: (miro:U:/) exec of
/usr/bin/tshark (tshark -o ssl.keylog_file:
dump_160606_1xxx_SSLKEYLOGFILE.txt -r dump_160606_1328_g0n.pcap -T
fields -e data -qz follow,ssl,raw,) by /usr/bin/tshark[bash:11975]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29776]
uid/euid:1000/1000 gid/egid:1000/1000

Jul 12 18:01:53 g0n kernel: [158754.213675] grsec: (miro:U:/) exec of
/bin/grep (grep --colour=auto -E [[:print:]] ) by /bin/grep[bash:11976]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:29776]
uid/euid:1000/1000 gid/egid:1000/1000

Jul 12 18:01:53 g0n kernel: [158754.612649] traps: tshark[11975] general
protection ip:23c0292717 sp:3cdf3aec7f0 error:0 in
tshark[23c026e000+43000]

Jul 12 18:01:53 g0n kernel: [158754.612673] grsec: (miro:U:/)
Segmentation fault occurred at            (nil) in
/usr/bin/tshark[tshark:11975] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000

Jul 12 18:01:53 g0n kernel: [158754.612689] grsec: (miro:U:/) denied
resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for
/usr/bin/tshark[tshark:11975] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:29776] uid/euid:1000/1000 gid/egid:1000/1000

and tshark produces only garbage, very incomplete stubs of data, or empty data
instead of SSL streams, either raw, as above, or ASCII (please see
tshark-streams.sh on the linked GitHub page for that). This happens, I think,
also with wireshark-2.0.4, but it is tested and always reproducible here with
wireshark-2.0.6.

This bug was filed after some consideration that can be perused in the thread
starting last night (Europe here) on the wireshark-users ML (in the archives
this is the first message:
https://www.wireshark.org/lists/wireshark-users/201607/msg00000.html ).

Miroslav Rovis
http://www.CroatiaFidelis.hr/

P.S. It allows me to post only one attachment. The sslkeylogfile should follow.
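The command in the report pipes tshark into grep, so the shell only ever sees grep's exit status: when tshark dies with SIGSEGV the pipeline still writes a (truncated) .raw file and reports success, which is exactly how a crash turns into "garbage or very incomplete stubs" on disk. The following POSIX shell wrapper is an added example, not part of the bug report or of Wireshark. It records the producer's own exit status from inside the pipeline and discards the output file when the producer did not exit cleanly; the `fake_tshark_*` functions are constructed stand-ins so the example runs without a capture or key log file, and a real caller would pass the tshark command string instead.

```shell
#!/bin/sh
# Added example (not from the bug report or the Wireshark project).
# A plain "producer | grep ... > file" pipeline reports only grep's status;
# this wrapper captures the producer's status from inside the pipeline
# and returns it (SIGSEGV shows up as 128+11 = 139).

run_capture_pipeline() {
    # $1: producer command (function name or command string, run via eval)
    # $2: output file for the filtered stream
    _status_file=$(mktemp) || return 1
    {
        _s=0
        eval "$1" || _s=$?            # keep the producer's own exit status
        echo "$_s" > "$_status_file"
    } | grep -E '[[:print:]]' > "$2" || :   # grep's status is irrelevant here
    _rc=$(cat "$_status_file")
    rm -f "$_status_file"
    return "$_rc"
}

# Constructed stand-in for a crashing tshark: emits a fragment, then a child
# shell kills itself with SIGSEGV (the child's own $$, not ours).
fake_tshark_crash() {
    printf 'partial stream\n'
    sh -c 'kill -SEGV $$'
}

# Constructed stand-in for a healthy tshark run.
fake_tshark_ok() {
    printf 'GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n'
}

# Run the producer, keep the output file only on a clean exit, and print the
# producer's exit status so callers can record or alert on it.
extract_stream() {
    # $1: producer, $2: output file
    _rc=0
    run_capture_pipeline "$1" "$2" || _rc=$?
    if [ "$_rc" -ne 0 ]; then
        rm -f "$2"        # do not leave a half-written stream that looks valid
    fi
    echo "$_rc"
}

# Usage with a real capture would be, for example:
#   extract_stream 'tshark -o "ssl.keylog_file: keys.txt" -r in.pcap -qz follow,ssl,raw,0' out.raw
```

A status of 139 (or anything above 128) from `extract_stream` means the producer was killed by a signal, so the run should be treated as a crash rather than as an empty or uninteresting stream; `set -o pipefail` or bash's `PIPESTATUS` give the same information where they are available, but the temp-file approach works in plain POSIX sh.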

