Wireshark-bugs: [Wireshark-bugs] [Bug 9988] New: Unencrypted heartbeat requests are marked as en
Bug ID: 9988
Summary: Unencrypted heartbeat requests are marked as encrypted
Classification: Unclassified
Product: Wireshark
Version: Git
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-admin@wireshark.org
Reporter: lekensteyn@gmail.com

Created attachment 12692 [details]
Malicious and normal heartbeats (gzip-compressed pcapng)
Build Information:
v1.11.3-rc1-2361-g92b5013
--
The attached packet gets marked as an encrypted heartbeat request. However, all
record contents before the ChangeCipherSpec message are unencrypted. This bug
also makes it impossible to detect the Heartbleed bug using the expert info
filter.

The capture consists of two sessions:

1. Client exploitation[1] of Heartbleed (using vulnerable OpenSSL):
     ./pacemaker.py -x2 -n 0xffed
     curl -o /dev/null https://localhost:4433/
2. Normal, legit, encrypted heartbeats using:
     openssl s_server
     openssl s_client -connect 0:4433 -cipher AES128-SHA
   Issue the "B" command to trigger heartbeats. The keys for this capture file
   can be found below.

premaster.txt (join the three parts on a single space-separated line):
CLIENT_RANDOM
1262217b86f7155305c3045fa3f49b78e98e08df3bc01c8a4fa9c8bec9fb9918
c55e3c28faa0f5c9c19726d5ac1ae421a95deac89849ee398095c4d6c66e0ae5d3acc6e77406e9646e8208bfea21fad8
[1]: https://github.com/Lekensteyn/pacemaker
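
The state tracking this report relies on, as an added example that is not part of the original report and is not Wireshark's dissector code: a heartbeat record is only opaque once the sender's ChangeCipherSpec has been seen, and a plaintext one can be checked against the RFC 6520 length rule. The function name, result labels and sample bytes are assumptions made for this sketch.

```python
import struct

CHANGE_CIPHER_SPEC, HEARTBEAT = 20, 24   # TLS record content types

def classify_heartbeats(stream: bytes):
    """Classify each heartbeat record in ONE direction of a TLS <= 1.2 stream.

    Cipher state is per direction: only records sent after that sender's
    ChangeCipherSpec are encrypted, so earlier heartbeats can be parsed.
    """
    results, seen_ccs, off = [], False, 0
    while off + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5 : off + 5 + rlen]
        off += 5 + rlen
        if len(body) < rlen:
            break                          # truncated capture, stop parsing
        if ctype == CHANGE_CIPHER_SPEC:
            seen_ccs = True
        elif ctype == HEARTBEAT and seen_ccs:
            results.append(("encrypted", None))   # fields are ciphertext
        elif ctype == HEARTBEAT and rlen < 3:
            results.append(("plaintext", "malformed"))
        elif ctype == HEARTBEAT:
            _hb_type, payload_len = struct.unpack_from("!BH", body)
            # RFC 6520: type(1) + payload_length(2) + payload + >= 16 padding
            fits = 1 + 2 + payload_len + 16 <= rlen
            results.append(("plaintext", "ok" if fits else "payload_length exceeds record"))
    return results

# Constructed sample (not taken from the attached capture): one direction with
# a well-formed plaintext heartbeat, a plaintext heartbeat claiming 0xffed
# payload bytes in a 3-byte record, ChangeCipherSpec, then an opaque heartbeat.
SAMPLE = (
    bytes.fromhex("1803020015" "010002") + b"hi" + bytes(16)
    + bytes.fromhex("1803020003" "01ffed")
    + bytes.fromhex("1403020001" "01")
    + bytes.fromhex("1803020020") + bytes(range(32))
)

if __name__ == "__main__":
    for state, detail in classify_heartbeats(SAMPLE):
        print(state, detail)
```

Each direction of a connection has to be fed in separately, since a ChangeCipherSpec from one peer says nothing about the other peer's records.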