Wireshark-bugs: [Wireshark-bugs] [Bug 13191] Malformed Packet - SSL
Date: Fri, 02 Dec 2016 10:43:48 +0000

Comment # 2 on bug 13191 from
(In reply to Peter Wu from comment #1)
> The capture seems malformed.
> 
> Frame 11 + 12, reassembled:
> [Client Hello ...]
> [elliptic_curves extension ...]
> 00 00  Extension Type: Server Name Indication (0)
> 17 00  Extension Length: 5888 (!)
> 
> 
> Interpreting it in a slightly different way:
> [Client Hello ...]
> [elliptic_curves extension ...]
> 00 00  Extension Type: Server Name Indication (0)
> 17 00 15 00  (?? what is this garbage)
> 00 12  Length: 18
> 77 77 77 2e 73 61 6d 73 75 6e 67 6f 74 6e 2e 6e 65 74  www.samsungotn.net
> 00 0b  Extension Type: EC Point Formats
> 00 04  Length: 4
> 03 00 01 02
> 00 0a  Extension Type: supported_groups (renamed from elliptic_curves)
> 00 34  Length: 52
> 00 32 00 01 00 02 00 03 00 04 00 ...
> 
> This makes no sense, your MITM tool is broken, it is producing garbage that
> (rightfully) makes the server reset the connection.
> 
> Though for some weird reason, frame 199 does contain a Server Hello (in
> response to the malformed Client Hello in frame 198). Is this an attempt to
> exploit a vulnerability?

Very weird, my MITM tool only modifies the packet using scapy with
scapy_ssl_tls and python 2.7.11 and shouldn't be outputting any garbage. Any
idea what 17 00 15 00 might belong to? Seems weird to me but I'll try to check
it.

I am trying to actually exploit a vulnerability in the client - not the server,
but now that you mention that server hello it actually is pretty interesting -
although I don't think it might indicate a vulnerability (maybe a problem with
SSL implementation but it doesn't seem to lead anywhere).

