Some Ja3 strings causing stackoverflow #51

rezoners · 2021-10-04T17:31:23Z

JA3 strings listed below causing panic.

769,49200-49196-49192-49188-49172-49162-165-163-161-159-107-106-105-104-57-56-55-54-136-135-134-133-49202-49198-49194-49190-49167-49157-157-61-53-132-49199-49195-49191-49187-49171-49161-164-162-160-158-103-64-63-62-51-50-49-48-154-153-152-151-69-68-67-66-49201-49197-49193-49189-49166-49156-156-60-47-150-65-7-49169-49159-49164-49154-5-4-49170-49160-22-19-16-13-49165-49155-10-255,0-11-10-35-13-15,23-25-28-27-24-26-22-14-13-11-12-9-10,0-1-2

769,52244-52243-52245-49195-49199-158-49162-49172-57-49161-49171-51-49159-49169-156-53-47-5-4-10-255,0-23-35-13-5-13172-18-16-30032-11-10,23-24-25,0

771,49200-49196-49192-49188-49172-49162-165-163-161-159-107-106-105-104-57-56-55-54-136-135-134-133-49202-49198-49194-49190-49167-49157-157-61-53-132-49199-49195-49191-49187-49171-49161-164-162-160-158-103-64-63-62-51-50-49-48-154-153-152-151-69-68-67-66-49201-49197-49193-49189-49166-49156-156-60-47-150-65-7-49169-49159-49164-49154-5-4-49170-49160-22-19-16-13-49165-49155-10-255,0-11-10-35-13-15,23-25-28-27-24-26-22-14-13-11-12-9-10,0-1-2

771,49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53-10,18-16-30032-11-10-65281-0-23-35-13-5,29-23-24,0

771,49200-49196-49202-49198-49199-49195-49201-49197-163-159-162-158-49192-49188-49172-49162-49194-49190-49167-49157-107-106-57-56-49191-49187-49171-49161-49193-49189-49166-49156-103-64-51-50-49170-49160-49165-49155-136-135-69-68-22-19-157-156-61-53-60-47-132-65-10-49169-49159-49164-49154-5-255,0-11-10-35-13-15,25-24-23,0-1-2

771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-21-41,29-23-24,0

771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-41,29-23-24,0

771,52244-52243-52245-49195-49199-158-49162-49172-57-49161-49171-51-49159-49169-156-53-47-5-4-10-255,0-23-35-13-5-13172-18-16-30032-11-10,23-24,0
771,52244-52243-52245-49195-49199-158-49162-49172-57-49161-49171-51-49159-49169-156-53-47-5-4-10-255,0-23-35-13-5-13172-18-16-30032-11-10,23-24,0

771,52393-52392-49195-49199-49196-49200-49171-49172-156-157-47-53-10,65281-0-23-35-13-5-18-16-30032-11-10-27,29-23-24,0

771,52244-52243-49195-49199-158-49162-49172-57-49161-49171-51-156-53-47-10,65281-0-23-35-13-5-13172-18-16-30032-11-10,23-24,0

771,52244-52243-52245-49172-49162-57-56-53-49170-49160-22-19-10-49199-49195-49171-49161-162-158-51-50-156-47-49169-49159-5-4-255,0-35-13-13172-30032-11-10,25-24-23,0

771,49200-49196-49202-49198-49199-49195-49201-49197-163-159-162-158-49192-49188-49172-49162-49194-49190-49167-49157-107-106-57-56-49191-49187-49171-49161-49193-49189-49166-49156-103-64-51-50-49170-49160-49165-49155-136-135-69-68-22-19-157-156-61-53-60-47-132-65-10-49169-49159-49164-49154-5-255,0-11-10-35-13-15-21,14-13-25-11-12-24-9-10-22-23-8-6-7-20-21-4-5-18-19-1-2-3-15-16-17,0-1-2

771,52244-52243-52245-49195-49199-158-49162-49172-57-49161-49171-51-156-53-47-10-255,0-23-35-13-5-13172-18-16-30032-11-10,23-24,0

runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0xc021b71460 stack=[0xc021b70000, 0xc041b70000]

Danny-Dasilva · 2021-10-06T11:53:26Z

This issue is caused by unsupported extensions.
All the above tokens contain one or a combination of
Extension 15
Extension 41
extension 30032

I added support for these extensions and fixed the stack overflow error
This means future unsupported tokens will return the below error instead of stack overflowing

Extension {{ extension number }} is not Supported by CycleTLS please raise an issue

Notes:

Extension 15 the heartbeat extension is mostly used for offensive attacks so most tls servers dont support it (e.g. I can see the outgoing extension in wireshark but ja3er wont return it)

Extension 41 (rcf 8446)[https://www.rfc-editor.org/rfc/rfc8446.html] denotes a preshared key. There's a few complications with correctly emulating this (mainly internal ja3 validation) but for now I am using
a generic extension

Extension 30032 is not an enforced extension and therefore is difficult to find information on. I am using a generic extension for this one as well, will research more into correct spoofing.

If you see anything else raise a stack overflow please open another issue

rezoners changed the title ~~Some Ja3 strings causeing stackoveflow~~ Some Ja3 strings causing stackoverflow Oct 5, 2021

Danny-Dasilva mentioned this issue Oct 6, 2021

Release: 🐞 Bugfix ja3 tokens and better error catching 0.0.14 #52

Merged

Danny-Dasilva added the 🐞 Bug Something isn't working label Oct 6, 2021

Danny-Dasilva closed this as completed Oct 6, 2021

Danny-Dasilva mentioned this issue Oct 21, 2021

Certain JA3 tokens appear to be failing #39

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Some Ja3 strings causing stackoverflow #51

Some Ja3 strings causing stackoverflow #51

rezoners commented Oct 4, 2021

Danny-Dasilva commented Oct 6, 2021

Some Ja3 strings causing stackoverflow #51

Some Ja3 strings causing stackoverflow #51

Comments

rezoners commented Oct 4, 2021

Danny-Dasilva commented Oct 6, 2021

Notes: