Nmap Announce mailing list archives
Re: nmap..... via web
From: Fyodor <fyodor () dhp com>
Date: Fri, 19 Feb 1999 16:57:02 -0500 (EST)
On Fri, 19 Feb 1999, Lamont Granquist wrote:
> allow thing which you know you trust through, don't try to guess and list all the bad things. don't try to be overly flexible (e.g. don't allow whitespace in the middle of the address).
Yeah, so many people screw this up that CERT put out an advisory and tech_tip on removing meta-chars from user-supplied data (see ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters ). The hilarious part was that their own examples of secure CGI programming had security problems (they have fixed them at the URL above).
> also you probably should hack nmap so that it runs suid root and drops privs immediately after opening up a raw socket and a pcap file descriptor.
This would be a non-trivial task. Nmap uses a lot of raw sockets (some of different types) and a lot of pcap descriptors (with different filters).
> in any application like this you have to assume that someone will scan their own machine which they have hacked so that it returns packets in response to nmap queries which will overflow nmap buffers and give you root if that code is running as root.
This should not be possible. If you know of such a problem, let me know.
> nmap wasn't designed to be run privileged, and hasn't been audited; you should assume that if you let nmap be run by users that don't otherwise have root on your machine, there are exploitable holes in nmap that will let them gain root on your machine.
I completely agree. You don't only have to worry about exploitable holes, there are exploitable features (like -o) which will allow people to trivially gain root if nmap is made suid. I don't worry about this much. Nmap (when given the right arguments) is capable of flooding networks, crashing remote machines, SYN flooding entire networks of boxes, spoofing the source address of IP packets, stealth port scanning large networks, and trolling for broadcast smurf addresses. Thus you must have a high degree of trust in the users you allow to run nmap anyway. If you run nmap from a CGI, you should be very very careful about what arguments you allow.

Cheers,
Fyodor

--
Fyodor 'finger pgp () www insecure org | pgp -fka'
Frustrated by firewalls? Try nmap: http://www.insecure.org/nmap/

In a free and open marketplace, it would be surprising to have such an obviously flawed standard generate much enthusiasm outside of the criminal community. --Mitch Stone on Microsoft ActiveX
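The two defensive points made in this exchange, allowlisting user-supplied data instead of filtering out known-bad characters and restricting which nmap arguments a CGI may forward, plus the generic privilege-drop pattern Lamont suggests, can be shown in one small wrapper. The code below is an added example, not code from this thread or from the nmap project; the target grammar, the option menu (`ALLOWED_FLAGS`), and every function name in it are this wrapper's own hypothetical choices. It validates a request against an allowlist, builds an argv list that never touches a shell, and refuses anything else with a reason the front end can show.

```python
"""Allowlist-based wrapper for launching nmap from a web front end.

Hypothetical example: the option menu, the target grammar and the function
names are this wrapper's own choices, not anything nmap or the thread specifies.
"""
import os
import re
import subprocess
from typing import List, Optional, Sequence

# Targets: one hostname or dotted IPv4 address. Anything outside this grammar
# (whitespace, shell metacharacters, a leading '-' that nmap would read as an
# option) is rejected rather than escaped: allow what you trust, nothing else.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
TARGET_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
MAX_TARGET_LEN = 253

# Port specs: comma-separated ports or ranges, e.g. "22,80,8000-8080".
PORTSPEC_RE = re.compile(r"\d{1,5}(?:-\d{1,5})?(?:,\d{1,5}(?:-\d{1,5})?)*")

# Switches the front end may forward (a policy choice for this example).
# Output options such as -o are absent on purpose: they make nmap write files,
# which is exactly the "exploitable feature" mentioned above.
ALLOWED_FLAGS = frozenset({"-sT", "-sV", "-Pn", "-F"})


def is_valid_target(target: str) -> bool:
    # fullmatch, not match: re.match with a '$' anchor would accept "host\n".
    return len(target) <= MAX_TARGET_LEN and TARGET_RE.fullmatch(target) is not None


def is_valid_ports(spec: str) -> bool:
    if PORTSPEC_RE.fullmatch(spec) is None:
        return False
    for piece in spec.split(","):
        lo, _, hi = piece.partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 1 <= lo_n <= hi_n <= 65535:
            return False
    return True


def build_nmap_argv(target: str, flags: Sequence[str] = (),
                    ports: Optional[str] = None) -> List[str]:
    """Return an argv list for subprocess, or raise ValueError on any input
    that is not on the allowlist. No shell is ever involved."""
    argv = ["nmap"]
    for flag in flags:
        if flag not in ALLOWED_FLAGS:
            raise ValueError(f"rejected option: {flag!r}")
        argv.append(flag)
    if ports is not None:
        if not is_valid_ports(ports):
            raise ValueError(f"rejected port spec: {ports!r}")
        argv += ["-p", ports]
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    argv.append(target)
    return argv


def check_request(target: str, flags: Sequence[str] = (),
                  ports: Optional[str] = None) -> Optional[str]:
    """Reason a request would be refused, or None if it is acceptable."""
    try:
        build_nmap_argv(target, flags, ports)
    except ValueError as exc:
        return str(exc)
    return None


def run_scan(target: str, flags: Sequence[str] = (), ports: Optional[str] = None,
             timeout: int = 300) -> subprocess.CompletedProcess:
    # List-form argv: nmap is exec'd directly, so no shell ever parses user
    # input. A timeout keeps a slow scan from pinning the web server.
    return subprocess.run(build_nmap_argv(target, flags, ports),
                          capture_output=True, text=True, timeout=timeout, check=False)


def drop_privileges(uid: int, gid: int) -> None:
    """Generic privilege drop (the pattern suggested above; as the reply notes,
    nmap's many sockets and pcap handles make it a poor fit there). Group ids
    change first, while the process still can. uid must be a non-root account."""
    if os.getuid() == 0:
        os.setgroups([])              # shed supplementary groups while still root
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)                  # must fail now; success means the drop failed
    except PermissionError:
        return
    raise RuntimeError("privilege drop failed: root is still obtainable")


if __name__ == "__main__":
    # Constructed sample requests: two acceptable, two that must be refused.
    for req in [("192.168.0.1", ("-sT",), "22,80"), ("host; id", (), None),
                ("-oN", (), None), ("host.example", ("-sV",), "0-99")]:
        print(req, "->", check_request(*req) or build_nmap_argv(*req))
```

The design choice worth noting is that rejection is the only failure mode: nothing is quoted, stripped or escaped, so the CERT metacharacter list never has to be complete, and a target beginning with `-` can never be mistaken for an option because the grammar does not admit it.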