WireSharkの中に、SSH関連のメッセージがmalformed packetというエラーメッセージ

[lee89tw14]

先日自分のraspiにアクセスする供にwiresharkを監視しましたが、一つ気になることがあります。

PuTTY、PowerShell、Tera Term、三つのターミナルエミュレーター使いますが、TeraTermのみエラーメッセージが出てきた。 一応、SSHへの暗号化通信には脆弱性に至ることないと思いますが、　#(実際に、通信内容がplain text化のわけでもない) そのmalformed packetとなる原因は、教えていただけますでしょうか。

念のため、pcapngをzipに圧縮して添付いたします。 パスワード入っていません。 問題malformed.zip

ご回答、よろしくお願いいたします。

[nmaya]

Hi,

Each client/server's proposal of algorithm are follows:

from capture file:

Server side
cipher: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MAC: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

PuTTY
cipher: aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,arcfour256,arcfour128
MAC: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com

OpenSSH (from Windows PowerShell)
cipher: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MAC: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

Tera Term (TTSSH)
cipher: aes256-gcm@openssh.com,camellia256-ctr,chacha20-poly1305@openssh.com,aes256-ctr,camellia256-cbc,aes256-cbc,camellia192-ctr,aes192-ctr,camellia192-cbc,aes192-cbc,aes128-gcm@openssh.com,camellia128-ctr,aes128-ctr,camellia128-cbc,aes128-cbc,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,cast128-ctr,cast128-cbc
MAC: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-ripemd160-etm@openssh.com,hmac-ripemd160@openssh.com,hmac-md5-etm@openssh.com,hmac-md5

Then, decided to follows:

PuTTY
cipher: aes256-ctr
MAC: hmac-sha2-256

OpenSSH
cipher: chacha20-poly1305@openssh.com
MAC: chacha20-poly1305@openssh.com includes authentication, other mac algorithm is not sprcified

Tera Term (TTSSH)
cipher: aes256-gcm@openssh.com
MAC: aes256-gcm@openssh.com includes authentication, other mac algorithm is not sprcified

When MAC algorithm is EtM, packet length part is not encrypted. cf, Source code of OpenSSH cf. Traffic analysis of Secure Shell (SSH) sha1 ETM – 40 bytes per keystroke Also AES-GCM, packet length part is not encrypted. cf. RFC5647 7.3. Treatment of the Packet Length Field

Wireshark reads the packet and detect packet length correctly. And I guess Wireshark try to analyze next packet as same as when not encrypted. But it is fail because it is encrypted. I did't read the source code of Wireshark, but it seems to Wireshark does not differentiate "plain text" and "only pakcet lenght is plain."

In three SSH client you tried, "packet length is plain" algorithm is selected only when Tera Term. This is why only Tera Term cause malformed packet. If you change PuTTY configuration, Connection-SSH-Cipher to AES-GCM, it will cause malformed packet.

Thank you for your pcapng file. Dump file was useful to analyze this matter.

Thanks,

[lee89tw14]

Thanks for your kindly and investigation. As your research, I can confirmed this issue when using AES-GCM on PuTTY.

So I can assume that this is caused by the feature of the AES-GCM algorithm, which Wireshark doesn't read and distinguish the EtM very well, and caused some prediction error?

Thanks again for your kindly helping.

[nmaya]

Hi,

Wireshark doesn't read and distinguish the EtM very well, and caused some prediction error?

I think so, but only when AES-GCM, not when EtM MAC algorithm. I confirmed that this issue doesn't occur when using aes256-cbc & hmac-sha2-512-etm@openssh.com.

Thanks,