Wireshark-bugs: [Wireshark-bugs] [Bug 13061] New: tcp.segment.overlap.conflict does not detect m
| Bug ID |
13061
|
| Summary |
tcp.segment.overlap.conflict does not detect man-on-the-side attacks
|
| Product |
Wireshark
|
| Version |
2.2.0
|
| Hardware |
All
|
| OS |
All
|
| Status |
UNCONFIRMED
|
| Severity |
Minor
|
| Priority |
Low
|
| Component |
Qt UI
|
| Assignee |
bugzilla-admin@wireshark.org
|
| Reporter |
erik.hjelmvik@gmail.com
|
Created attachment 15017 [details]
Example PCAP that contains overlapping TCP segments with different data.
Source: http://www.cs.technion.ac.il/~gnakibly/TCPInjections/samples.zip
Build Information:
Version 2.3.0-1222-g346bda4 (v2.3.0rc0-1222-g346bda4 from master)
Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.6.1, with WinPcap (4_1_3), with GLib 2.42.0, with
zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4, with GnuTLS
3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with nghttp2 1.14.0,
with LZ4, with Snappy, with QtMultimedia, with AirPcap.
Running on 64-bit Windows 10, build 14393, with Intel(R) Core(TM)
i7-2640M CPU @ 2.80GHz (with SSE4.2), with 8075 MB of physical memory, with
locale Swedish_Sweden.1252, without WinPcap, with GnuTLS 3.2.15, with Gcrypt
1.6.2, without AirPcap.
Built using Microsoft Visual C++ 12.0 build 40629
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
--
Wireshark has a feature aimed to detect overlapping segments with conflicting
data, but it does not seem to work properly. The display filter
"tcp.segment.overlap.conflict" should match reassembled frames where there was
overlapping segments with conflicting data (different data). This feature was
probably implemented to analyze buggy TCP stacks back in the days, but it would
actually be a perfect tool when analyzing TCP content injection attacks -- so
called man-on-the-side attacks.
I did a talk at SharkFest Europe 2016 called "Dissecting Man-on-the Side
Attacks: Analysis of Active TCP Packet Injection Attacks" where I analyzed PCAP
files with TCP injection attacks with Wireshark. The slides from my talk are
available here:
https://sharkfesteurope.wireshark.org/assets/presentations16eu/10.pdf
In my talk I used a python script called findject.py
[http://www.netresec.com/?page=findject] to find overlapping TCP segments with
conflicting data. However, it would be much better if these overlapping
segments could be detected with wireshark or tshark by just using the
"tcp.segment.overlap.conflict" filter.
Please see the attached file 145-reordered-filtered3.pcap
tshark -r 145-reordered-filtered3.pcap -T fields -e frame.number -e ip.src -e
tcp.seq -e tcp.nxtseq
1 0.0.0.0 1 943
2 113.6.227.240 1 1401
3 113.6.227.240 1 557
4 113.6.227.240 1401 1719
5 113.6.227.240 555 556
As can be seen in the tshark output above both frame 3 and 5 are overlapping
the segment from frame 2. The TCP payload is also different. However, the
filter tcp.segment.overlap.conflict does not match any frame in wirehsark or
tshark.
I have actually been able to get this filter to match on the overlap between
frame 5 and 2 by using the ancient Wireshark 1.6.16 (anno 2013?). The filter
matches is triggered on frame 4, probably because that is where the TCP
segments are getting reassembled.
Anyway, the intended behavior would be for wireshark/tshark to detect both the
overlap between frames 2 and 3 as well as 2 and 5. Both these overlaps have
different data so the tcp.segment.overlap.conflict should match these, right?
You are receiving this mail because:
- You are watching all bug changes.
