
Wireshark-dev: [Wireshark-dev] BER decoding does not recognize incorrect BER Identifiers, alway

From: Balazs Varga <balazsvarga@xxxxxxxxxxx>
Date: Fri, 12 Jun 2020 10:22:48 +0000
Dear Wireshark Developers!

I have come across the following issue when analyzing a Goose pcap. I wanted to reconstruct which BER Identifiers would be allowed in certain positions using the (goose).asn file.

By following the X.690 encoding rules (BER), the only allowed flag for a SEQUENCE OF would result in a constructed type.
SEQUENCE shall be a constructed type too, by definition.

IECGoosePdu ::= SEQUENCE {
gocbRef [0] IMPLICIT VisibleString,
timeAllowedtoLive [1] IMPLICIT INTEGER,
datSet [2] IMPLICIT VisibleString,
goID [3] IMPLICIT VisibleString OPTIONAL,
t [4] IMPLICIT UtcTime,
stNum [5] IMPLICIT INTEGER,
sqNum [6] IMPLICIT INTEGER,
test [7] IMPLICIT BOOLEAN DEFAULT FALSE,
confRev [8] IMPLICIT INTEGER,
ndsCom [9] IMPLICIT BOOLEAN DEFAULT FALSE,
numDatSetEntries [10] IMPLICIT INTEGER,
allData [11] IMPLICIT SEQUENCE OF Data --,
-- security [12] ANY OPTIONAL
-- reserved for digital signature
}

Since the IECGoosePdu would be a constructed type, the chosen type for the goosePdu would be a constructed type as well, of application class with value 1, so => 0x61

GOOSEpdu ::= CHOICE {
gseMngtPdu [APPLICATION 0] IMPLICIT GSEMngtPdu,
goosePdu [APPLICATION 1] IMPLICIT IECGoosePdu,
...
}

Wireshark does not check whether the value should be a primitive or constructed type, thereby allowing incorrect values for the BER Identifiers.
The same issue occurs for the (BER) INTEGER type, which by definition should be primitive, but Wireshark allows it to be constructed.

I have added the pcap files:
  • Goose_correct.pcap is the one following the ASN.1 rules
  • Goose_sequence_of_primitive_2.pcap: the BER Identifier for the allData entry is set to primitive.
  • Goose_choice_primitive.pcap: at offset 23 the BER Identifier should be a constructed type, but primitive is allowed.

Is there a possibility that this check of the expected flag will be added to Wireshark?
Or, if I misunderstood the BER Identifier flag for constructed and primitive types, I would really appreciate any feedback.

I have tested the pcaps on Ubuntu, Windows 7 and Windows 10:

Wireshark 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu18.04.0)

Copyright 1998-2019 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.9.5, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with GLib 2.56.4, with zlib 1.2.11, with SMI 0.4.8, with c-ares
1.14.0, with Lua 5.2.4, with GnuTLS 3.5.18, with Gcrypt 1.8.1, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.30.0, with LZ4, with Snappy,
with libxml2 2.9.4, with QtMultimedia, with SBC, with SpanDSP, without bcg729.

Running on Linux 5.3.0-46-generic, with Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz
(with SSE4.2), with 5188 MB of physical memory, with locale en_US.UTF-8, with
libpcap version 1.8.1, with GnuTLS 3.5.18, with Gcrypt 1.8.1, with zlib 1.2.11,
binary plugins supported (0 loaded).

Built using gcc 7.4.0.

C:\Program Files\Wireshark>wireshark -v

Wireshark 3.2.3 (v3.2.3-0-gf39b50865a13)

Copyright 1998-2020 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0
.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.12.6, with WinPcap SDK (WpdPack) 4.1.2, with GLib
2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4,
with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos,
with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic
updates using WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled
resampler), with SBC, with SpanDSP, with bcg729.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM)
i5-6300U CPU @ 2.40GHz (with SSE4.2), with 8191 MB of physical memory, with
locale English_United States.1252, with Npcap version 0.9989, based on libpcap
version 1.9.1, with GnuTLS 3.6.3, with Gcrypt 1.8.3, with brotli 1.0.2, without
AirPcap, binary plugins supported (0 loaded).

Built using Microsoft Visual Studio 2019 (VC++ 14.24, build 28316).

C:\Program Files\Wireshark>wireshark -v

Wireshark 3.1.0 (v3.1.0-0-g414ca80b2168)

Copyright 1998-2019 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.12.4, with WinPcap SDK (WpdPack) 4.1.2, with GLib
2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4,
with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos,
with MaxMind DB resolver, with nghttp2 1.14.0, with brotli, with LZ4, with
Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap, with SpeexDSP
(using bundled resampler), with SBC, with SpanDSP, with bcg729.

Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Core(TM)
i5-6300U CPU @ 2.40GHz (with SSE4.2), with 16264 MB of physical memory, with
locale German_Germany.1252, with Npcap version 0.996, based on libpcap version
1.9.1-PRE-GIT, with GnuTLS 3.6.3, with Gcrypt 1.8.3, with brotli 1.0.2, without
AirPcap, binary plugins supported (0 loaded).

Built using Microsoft Visual Studio 2017 (VC++ 14.16, build 27032).

Best Regards
Balazs

Attachment: Goose_choice_primitive.pcap
Description: Goose_choice_primitive.pcap

Attachment: Goose_correct.pcap
Description: Goose_correct.pcap

Attachment: Goose_sequence_of_primitive_2.pcap
Description: Goose_sequence_of_primitive_2.pcap
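As an added example, not code from the mail or from Wireshark, the following decodes X.690 identifier octets and performs the primitive/constructed check the mail asks for on a goosePdu [APPLICATION 1] TLV. The GOOSE_PC_RULES table, check_goose_pdu and the GOOD sample bytes are my own constructions derived from the ASN.1 quoted above; the code assumes definite-length BER and only checks the top-level elements of the IECGoosePdu SEQUENCE.

```python
"""Added example (not from the mail or Wireshark): check BER identifier P/C bits against the ASN.1 type."""
from collections import namedtuple

Identifier = namedtuple("Identifier", "tag_class constructed tag size")  # class: 0 UNIV 1 APPL 2 CTX 3 PRIV


def parse_identifier(buf, off=0):
    """X.690 8.1.2: bits 8-7 = class, bit 6 = P/C, bits 5-1 = tag (0x1F = long form)."""
    first, size = buf[off], 1
    tag = first & 0x1F
    if tag == 0x1F:  # high-tag-number form: base-128 octets, 0x80 = continuation bit
        tag = 0
        while True:
            b, size = buf[off + size], size + 1
            tag = (tag << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    return Identifier(first >> 6, bool(first & 0x20), tag, size)


def parse_length(buf, off):
    """X.690 8.1.3 definite length: short form, or 0x80|n followed by n length octets."""
    if buf[off] < 0x80:
        return buf[off], 1
    n = buf[off] & 0x7F
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), 1 + n


# Required P/C bit per IECGoosePdu context tag. IMPLICIT tagging keeps the underlying type's
# bit: INTEGER/BOOLEAN are always primitive (8.2.1, 8.3.1), SEQUENCE OF always constructed
# (8.10.1). VisibleString/UtcTime may be either in BER, so those tags are not listed.
GOOSE_PC_RULES = {1: False, 5: False, 6: False, 7: False, 8: False, 9: False, 10: False, 11: True}


def check_goose_pdu(buf):
    """Return P/C violations for a goosePdu [APPLICATION 1] TLV; [] means consistent."""
    outer = parse_identifier(buf)
    if (outer.tag_class, outer.tag) != (1, 1):
        return [f"offset 0: not goosePdu [APPLICATION 1] (0x{buf[0]:02x})"]
    errors = [] if outer.constructed else ["offset 0: goosePdu SEQUENCE encoded as primitive"]
    length, lsize = parse_length(buf, outer.size)
    off, end = outer.size + lsize, outer.size + lsize + length
    while off < end:  # walk the top-level elements of the IECGoosePdu SEQUENCE
        ident = parse_identifier(buf, off)
        ilen, ilsize = parse_length(buf, off + ident.size)
        want = GOOSE_PC_RULES.get(ident.tag) if ident.tag_class == 2 else None
        if want is not None and ident.constructed != want:
            errors.append(f"offset {off}: [{ident.tag}] should be {'constructed' if want else 'primitive'}")
        off += ident.size + ilsize + ilen
    return errors


# Constructed sample (not one of the attached pcaps): stNum [5] = 1 and allData [11] holding
# one Data element. 0x61 = APPLICATION class, constructed, tag 1, as the mail works out.
GOOD = bytes([0x61, 0x08, 0x85, 0x01, 0x01, 0xAB, 0x03, 0x83, 0x01, 0xFF])
```

Flipping bit 6 of the first octet (0x61 to 0x41) or of the allData identifier (0xAB to 0x8B) reproduces the two attached malformed cases, and check_goose_pdu reports the offset and the expected encoding.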