Bugtraq mailing list archives

Re: format string in ssl dump


From: Matthew Franz <mfranz () CISCO COM>
Date: Tue, 12 Dec 2000 08:47:22 +0000

Subject: format string in ssl dump

Sorry if this has already got posted.

Seeweed found this in ssldump the other day.  The following text is from his
website (http://dropwire.dhs.org/~seeweed/):


SSLDUMP is a program which is similar to tcpdump, but also adds encryption
to its network debugging procedures. It captures traffic then decodes it to
stdout ... Overall it is a great program to use when finding out where
something went wrong or just to see which encryption your buddy has
chosen to use.

Here is the bug I have found...(the Author has been notified..)

1) Run SSLDUMP (needs you to be root unless setuid)

2) Open up Netscape Navigator

3) Type the following in Netscape Navigator: fixme:%s%s%s%s%s%s


4) Watch as ssldump will gather the traffic then segfault..

--c0ncept


I've seen this behavior with "normal" SSL traffic as well. I believe the
author states up front on the website that the tool may have some
problems.

I've found SSLdump to be a lot more stable if you capture with tcpdump -w
and analyze it non real-time. Eric Rescorla's book (SSL and TLS: Designing
and Building Secure Systems) is an excellent treatment of the
topic, though.

The same caution applies to Ethereal (both to the GTK version and
tethereal) which IMHO segfaults so frequently as to make it nearly useless
for real-time capture, particularly for looking at bogus packets.

A variety of malformed DNS and ISAKMP packets easily crash it. Tcpdump is
significantly more robust and probably the safest choice for traffic
capture, especially if you're analyzing malformed packets.

-mdf
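The bug class the report above describes, as an added example that is not ssldump's code: a hypothetical printf-style logging wrapper (decoder_log, a name assumed here) is handed bytes captured from the wire as its format string, beside the one-line fix that makes the same bytes an argument instead.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* decoder_log is a hypothetical printf-style logging wrapper of the kind a
 * protocol decoder uses to print decoded fields; it is not ssldump's code. */
static int decoder_log(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* The bug class: bytes captured from the wire are passed AS the format.
 * Every '%' in them is interpreted, so a field such as "%s%s%s%s%s%s" makes
 * vsnprintf read pointer arguments that were never supplied and crash. */
int log_field_unsafe(char *out, size_t out_len, const char *captured)
{
    return decoder_log(out, out_len, captured);          /* BUG */
}

/* The fix: a constant format; the captured bytes become an argument and are
 * copied literally, whatever they contain. */
int log_field_safe(char *out, size_t out_len, const char *captured)
{
    return decoder_log(out, out_len, "%s", captured);
}

int main(void)
{
    /* Constructed sample: "%%" is the one directive that can safely go through
     * the unsafe path, because it consumes no arguments. It still shows the
     * data being interpreted: the two percent signs collapse to one. */
    const char *benign = "fixme:%%";
    const char *crasher = "fixme:%s%s%s%s%s%s";   /* the string from the report */
    char out[64];

    log_field_unsafe(out, sizeof out, benign);
    printf("unsafe: %s\n", out);   /* prints "unsafe: fixme:%" */
    log_field_safe(out, sizeof out, benign);
    printf("safe:   %s\n", out);   /* prints "safe:   fixme:%%" */
    log_field_safe(out, sizeof out, crasher);   /* only the safe path: no crash */
    printf("safe:   %s\n", out);   /* prints the directives literally */
    return 0;
}
```

Compilers warn about a non-literal format only when the call is a direct printf-family call or the wrapper is annotated with a format attribute, which is why this pattern in a wrapper goes unnoticed.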

