Date:         Tue, 12 Dec 2000 08:47:22 +0000
From: Matthew Franz <mfranz@CISCO.COM>
Subject:      Re: format string in ssl dump
To: BUGTRAQ@SECURITYFOCUS.COM

> Subject: format string in ssl dump
>
> Sorry if this has already got posted.
>
> Seeweed found this in ssldump the other day.  The following text is from his
> website (http://dropwire.dhs.org/~seeweed/):
>
>
> SSLDUMP is a program which is similar to tcpdump, but also adds encryption
> to its network debugging procedures. It captures traffic then decodes it to
> stdout ... Overall it is a great program to use when finding out where
> something went wrong or just to see what encryption your buddy has
> chosen to use.
>
> Here is the bug I have found...(the Author has been notified..)
>
> 1) Run SSLDUMP (needs you to be root unless setuid)
>
> 2) Open Up Netscape Navigator it)
>
> 3) Type the following in Netscape Navigator: fixme:%s%s%s%s%s%s
>
>
> 4) watch as ssldump will gather the traffic then segfault..
>
> --c0ncept
>

I've seen this behavior with "normal" SSL traffic as well. I believe the
author states up front on the website that the tool may have some
problems.

I've found SSLdump to be a lot more stable if you capture with tcpdump -w
and analyze it non real-time. Eric Rescorla's book (SSL and TLS: Designing
and Building Secure Systems) is an excellent treatment of the
topic, though.

The same caution applies to Ethereal (both to the GTK version and
tethereal), which IMHO segfaults so frequently as to make it nearly useless
for real-time capture, particularly for looking at bogus packets.

A variety of malformed DNS and ISAKMP packets easily crash it. Tcpdump is
significantly more robust and probably the safest choice for traffic
capture, especially if you're analyzing malformed packets.

-mdf
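As an added illustration of the bug class the quoted post reports (this is example code, not ssldump's source or anything posted in the thread): a decoder that hands captured bytes to printf as the format string, beside the fixed form that passes them as a "%s" argument, plus a small directive counter a defender could use to log or alert on traffic carrying such strings. The function names and the sample field are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: the field the browser sent in the post's reproduction. */
static const char SAMPLE_FIELD[] = "fixme:%s%s%s%s%s%s";

/* Vulnerable pattern (hypothetical decoder, shown for contrast and never
 * called here): the captured bytes become the format string, so every "%s"
 * makes printf read a pointer argument that was never passed, which is the
 * segfault the post describes. Compilers flag this with -Wformat-security. */
void print_field_vulnerable(const char *field)
{
    char buf[128];
    snprintf(buf, sizeof buf, field);
    puts(buf);
}

/* Hardened form: the format string is a literal and the captured bytes are
 * an argument, so '%' sequences in them are copied through unchanged.
 * Returns the length snprintf would have written. */
int format_field_safe(char *out, size_t outlen, const char *field)
{
    return snprintf(out, outlen, "client sent: %s", field);
}

/* Count conversion directives in untrusted data ("%%" is a literal percent
 * and is not counted). Legitimate protocol fields rarely contain any, so a
 * non-zero count is a cheap thing to log when decoding captured traffic. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char out[64];
    format_field_safe(out, sizeof out, SAMPLE_FIELD);
    printf("%s (directives: %zu)\n", out, count_directives(SAMPLE_FIELD));
    return 0;
}
```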