
Thread: DCERPC packets to Rhythmbox Radio

  1. #1 (joined Apr 2011, 207 beans, Ubuntu 10.04 Lucid Lynx)

    DCERPC packets to Rhythmbox Radio

    I was listening to an online radio station last night using Rhythmbox. I had Wireshark running, analysing all packets on eth0. I was messing around with the Expert Info feature in Wireshark and noticed 5 warnings (alerts) to do with DCERPC packets taking place.

    I'm not sure if this is normal or not. The packets came from the radio station IP address directed to my computer IP address. There were also a handful of malformed packets coming from the same radio station IP.

    The vast majority of the other traffic from the radio station was normal but the DCERPC packets got me worried. Anyone got any enlightenment on this?
    Last edited by SparTacux; May 18th, 2012 at 09:37 AM.
    You can take my trousers but you won't take my Freedom !

  2. #2 (joined Sep 2011, 1,531 beans)

    Re: DCERPC packets to Rhythmbox Radio

    No enlightenment coming from me, but I'm intrigued. What did Wireshark say: were they TCP packets? The Wireshark wiki says those packets can use TCP, UDP, SMB, and SMB2; another source says it can use even more protocols.

  3. #3 (joined Apr 2011, 207 beans, Ubuntu 10.04 Lucid Lynx)

    Re: DCERPC packets to Rhythmbox Radio

    I was listening to Absolute Classic Rock, which is one of Ubuntu's default radio stations that is already set up. IP address 85.159.184.226 using TCP port 80. I let the computer play by itself for about 2 hours and then analysed the packets captured by Wireshark. Wireshark reported that the DCERPC protocol had been used on some of the packets.

    Unfortunately, I was unable to save the capture, as my computer started thrashing big style when I prompted Wireshark to rearrange the packets by protocol. I had a few other applications running at the same time and did an internet search on DCERPC, and the whole system went t*ts up.

    What I do remember is that the packet sizes were in the order of around 1400 to 1700 bytes. CTX was displayed in Wireshark's Info window.

  4. #4 (joined Apr 2011, 207 beans, Ubuntu 10.04 Lucid Lynx)

    Re: DCERPC packets to Rhythmbox Radio

    I've not had much in the way of a response to this question.

    I did a bit of homework and it appears Wireshark has had vulnerability issues with DCERPC packets. It looks like an exploit could use Wireshark's sudo access level to compromise your system if running Wireshark under sudo.

    This is an interesting scenario. Anyone? Man in the middle attack injecting code into data stream or genuine error or something else?

  5. #5 (joined Mar 2011, 673 beans)

    Re: DCERPC packets to Rhythmbox Radio

    If you're worried... profile Wireshark and Rhythmbox with AppArmor.

    I honestly have no idea why you would be seeing those packets but, then again, I really wouldn't know.

    Always best to be safe. A Rhythmbox profile will not take long to set up; Wireshark may take longer.

  6. #6 (joined Apr 2006, Montana, beans hidden, Kubuntu Development Release)

    Re: DCERPC packets to Rhythmbox Radio

    Quote Originally Posted by SparTacux:
    I've not had much in the way of a response to this question.

    I did a bit of homework and it appears Wireshark has had vulnerability issues with DCERPC packets. It looks like an exploit could use Wireshark's sudo access level to compromise your system if running Wireshark under sudo.

    This is an interesting scenario. Anyone? Man in the middle attack injecting code into data stream or genuine error or something else?
    post or pastebin an example packet.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  7. #7 (joined Sep 2011, 1,531 beans)

    Re: DCERPC packets to Rhythmbox Radio

    Did you find these?

    http://www.wireshark.org/security/wnpa-sec-2009-07.html
    http://www.wireshark.org/security/wnpa-sec-2009-08.html

    Look at your version of Wireshark; those are both pretty old vulnerabilities. But it sounds similar to what happened, with the little info you posted.

    This lists those same 2 vulnerabilities plus one that is a bit newer:
    http://www.exploitsearch.net/index.php?q=XFDB%2054017
    Last edited by Ms. Daisy; May 19th, 2012 at 01:06 AM.

  8. #8 (joined Apr 2011, 207 beans, Ubuntu 10.04 Lucid Lynx)

    Re: DCERPC packets to Rhythmbox Radio

    Quote Originally Posted by bodhi.zazen:
    post or pastebin an example packet.
    I'd love to.

    Unfortunately, as I mentioned in my third post on this thread, I was unable to save the capture. Wireshark stopped responding when I tried to rearrange the packets by protocol type and group the packets together. Unless Wireshark has some sort of temp storage somewhere, I'm not going to be able to retrieve that data. I wish I'd taken a screenshot just to confirm what I saw.

    Those DCERPC packets were all located towards the end of the rhythmbox session. The other malformed packets that were identified were scattered throughout the 2 hour period I was listening to Rhythmbox. I did go through the data looking for recognizable text and did see the word OGG in the packet data on those suspect packets.

    I'm not sure if it's possible the packets got corrupted and wireshark misread them as DCERPC packets.

    Assuming ( rightly or wrongly ) packets can be intercepted and modified on the fly in transit - who's capable of doing this sort of thing?
    Last edited by SparTacux; May 19th, 2012 at 02:08 PM.
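    A way to see how a plain byte-pattern heuristic can label a mid-stream audio segment as DCERPC, as an added example that is not part of the thread and not Wireshark's own code. It reimplements in Python the kind of sanity check a heuristic DCE/RPC-over-TCP dissector applies to the first 16 bytes of a TCP segment (protocol version 5.0 or 5.1, a known PDU type, a valid data representation word, length fields that fit the fragment) using the DCE 1.1 connection-oriented common header layout, and runs it over three constructed payloads: a well-formed bind PDU, the start of an Ogg page, and an MTU-sized chunk of opaque bytes that happens to begin with the right pattern. The sample byte strings, the function names and the "lookalike" payload are all assumptions made for the demonstration.

```python
"""Added example: a byte-pattern heuristic for DCE/RPC over TCP.

Not code from the forum thread or from Wireshark.  It imitates the sanity
checks a heuristic dissector applies to the first 16 bytes of a TCP segment
(the DCE 1.1 connection-oriented common header) before labelling the segment
DCERPC, and runs them over constructed sample payloads."""
import struct

HEADER_LEN = 16  # rpcconn common header: vers, vers_minor, ptype, flags,
                 # drep[4], frag_length, auth_length, call_id
PTYPE_NAMES = {
    0: "request", 1: "ping", 2: "response", 3: "fault", 4: "working",
    5: "nocall", 6: "reject", 7: "ack", 8: "cl_cancel", 9: "fack",
    10: "cancel_ack", 11: "bind", 12: "bind_ack", 13: "bind_nak",
    14: "alter_context", 15: "alter_context_resp", 16: "auth3",
    17: "shutdown", 18: "co_cancel", 19: "orphaned",
}


def parse_co_header(segment: bytes):
    """Parse a connection-oriented DCE/RPC header at the start of a segment.

    Returns a dict of header fields, or None when the bytes fail any of the
    checks a heuristic would apply (so None means "not DCERPC")."""
    if len(segment) < HEADER_LEN:
        return None
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = segment[0:4]
    drep = segment[4:8]
    if rpc_vers != 5 or rpc_vers_minor not in (0, 1):
        return None                  # only protocol versions 5.0 and 5.1 exist
    if ptype not in PTYPE_NAMES:
        return None                  # PDU types above 19 are unassigned
    # drep[0]: high nibble = integer order (0 big-endian, 1 little-endian),
    # low nibble = character set (0 ASCII, 1 EBCDIC); drep[1]: float format
    # 0..3; drep[2:4] are reserved and must be zero.
    if drep[0] & 0xEE or drep[1] > 3 or drep[2] or drep[3]:
        return None
    endian = "<" if drep[0] & 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI",
                                                      segment[8:16])
    if frag_length < HEADER_LEN or auth_length > frag_length - HEADER_LEN:
        return None                  # length words must fit the fragment
    return {
        "ptype": ptype,
        "ptype_name": PTYPE_NAMES[ptype],
        "pfc_flags": pfc_flags,
        "little_endian": endian == "<",
        "frag_length": frag_length,
        "auth_length": auth_length,
        "call_id": call_id,
        "complete_in_segment": frag_length <= len(segment),
    }


def looks_like_dcerpc(segment: bytes) -> bool:
    """True when the segment passes the heuristic, whatever it really is."""
    return parse_co_header(segment) is not None


def scan_segments(segments):
    """Label each TCP segment payload the way a per-segment heuristic would:
    the PDU type name if it passes, otherwise 'not-dcerpc'."""
    labels = []
    for seg in segments:
        hdr = parse_co_header(seg)
        labels.append(hdr["ptype_name"] if hdr else "not-dcerpc")
    return labels


# --- constructed sample payloads (not taken from any real capture) ----------
# 1. A well-formed bind PDU: version 5.0, ptype 11, first+last fragment flags,
#    little-endian/ASCII/IEEE drep, frag_length 72, call_id 1, zero body.
SAMPLE_BIND = (bytes([5, 0, 11, 0x03, 0x10, 0, 0, 0])
               + struct.pack("<HHI", 72, 0, 1)
               + bytes(72 - HEADER_LEN))
# 2. A segment that starts on an Ogg page boundary.  The "OggS" capture
#    pattern fails the version check, so it can never be taken for DCERPC.
SAMPLE_OGG_PAGE = b"OggS\x00\x02" + bytes(20) + b"\x01\x1e\x01vorbis"
# 3. A mid-stream, MTU-sized chunk of opaque audio bytes that happens to begin
#    05 00 00 03 10 00 00 00 followed by a plausible length word.  Every check
#    passes, and the heuristic reports a DCERPC "request" with call_id 7.
SAMPLE_LOOKALIKE = (bytes([5, 0, 0, 0x03, 0x10, 0, 0, 0])
                    + struct.pack("<HHI", 1400, 0, 7)
                    + bytes(1400 - HEADER_LEN))

SAMPLES = [SAMPLE_BIND, SAMPLE_OGG_PAGE, SAMPLE_LOOKALIKE]

if __name__ == "__main__":
    for name, label in zip(("bind", "ogg page", "lookalike"),
                           scan_segments(SAMPLES)):
        print(f"{name:10s} -> {label}")
```

    Run stand-alone, it prints one verdict per sample. The third sample is the failure mode under discussion: bytes that begin 05 00 ... with a length word that fits the segment pass every check, so a dissector working segment by segment reports a call ID and presentation context for what is really audio, which is where a "Ctx" label in the Info column comes from. A segment that starts on an Ogg page boundary can never be misread this way, which is consistent with such hits being rare and scattered. In Wireshark, the display filter `dcerpc` isolates the frames that were labelled that way, and the Packet Bytes pane under the DCERPC fields shows whether they are RPC or stream data. Independently of the classification question, the safer workflow when a dissector bug is the concern is to capture with dumpcap or tcpdump and open the saved file as an unprivileged user, so that the dissectors are not running as root.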

  9. #9 (joined Apr 2011, 207 beans, Ubuntu 10.04 Lucid Lynx)

    Re: DCERPC packets to Rhythmbox Radio

    Quote Originally Posted by Ms. Daisy:
    Did you find these?

    http://www.wireshark.org/security/wnpa-sec-2009-07.html
    http://www.wireshark.org/security/wnpa-sec-2009-08.html

    Look at your version of Wireshark; those are both pretty old vulnerabilities. But it sounds similar to what happened, with the little info you posted.

    This lists those same 2 vulnerabilities plus one that is a bit newer:
    http://www.exploitsearch.net/index.php?q=XFDB%2054017
    I saw similar notes.

    It seems like many an application can be compromised by malformed packets or corrupted data being supplied as input to those apps. Looks like I'd better use AppArmor for Wireshark too.

    Wireshark version 1.2.7 being used with libpcap version 1.0.0, for those who are interested.
    Last edited by SparTacux; May 19th, 2012 at 02:24 PM.

  10. #10 (joined Nov 2009, 919 beans, Ubuntu 12.04 Precise Pangolin)

    Re: DCERPC packets to Rhythmbox Radio

    It might be easier to get a handle on things if you can try to reproduce the issue by accessing the station again while running Wireshark, but over a shorter period of time. My general feeling is that this is most likely perfectly normal, but it's hard to say without the captures.
