Nmap Development mailing list archives

Nmap causes critical error on Novell Netware 6 SP5

From: Axel Pettinger <api () worldonline de>
Date: Sun, 05 Feb 2006 19:28:51 +0100

Hi,

Don't know whether there's something one of you can do to prevent the 
problem in future Nmap versions, nevertheless I'd like to report that 
the following Nmap command (on XPSP1) causes an "abnormal end" (abend) 
on a Novell Netware 6 SP5 server:

nmap -p514 -d9 -A -oN 514_2.txt <server-ip>

->
-----------------------------------------------------------------------
# Nmap 4.00 scan initiated Sun Feb 05 17:58:48 2006 as: nmap -p514 -d9 -A -oN 514_2.txt <server_ip> 
(...)
Completed OS Detection against <server_ip> at 43.032s (took 2.227s)
Interesting ports on <server name> (server_ip):
PORT    STATE SERVICE VERSION
514/tcp open  shell?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint 
at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port514-TCP:V=4.00%I=7%D=2/5%Time=43E62EDB%P=i686-pc-windows-windows%r(
SF:DNSVersionBindReq,1,"\0");
OS details: BlueCoat SG4, Cayman 2E DSL/CABLE router, IBM AIX v3.2.5 - 4, IBM AIX 4.02.0001.0000, IBM AIX 4.2, IBM AIX 
4.2-4.3.3, IBM AIX 4.3, IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/*, IBM AIX 4.3.3.0 on an IBM RS/*, IBM AIX v4.2, IBM AIX 
Version 4.3, Linux 1.3.20 (x86), Microsoft Windows 2003 Server, Microsoft Windows XP Home Edition (English) SP2, 
Netscreen 5XP firewall+vpn (os 4.0.3r2.0), OpenBSD 3.6 x86 with pf "scrub in all", Symantec Gateway Security 5310 
Firewall, ZyXel 944S Prestige router
OS Fingerprint:
TSeq(Class=TR%IPID=RPI%TS=U)
T1(Resp=N)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Random positive increments

# Nmap run completed at Sun Feb 05 17:59:31 2006 -- 1 IP address (1 host up) scanned in 43.064 seconds
-----------------------------------------------------------------------


The "System Console" shows the message:
"2-05-2006   5:58:39 pm:    SERVER-5.60-4631   [nmID=1001C]
    WARNING! Server (...) experienced a critical error. The offending
    process was suspended or recovered. However, services hosted by this
    server may have been affected."

On the "Logger Screen" the following message appeared several times:
"TLI-4.30-0012:  an asynchronous event has occurred;
     RCMDSRV-4.21:  t_rcv: can't get stderr port"


Extract from the abend log:

*********************************************************

Server (...) halted Sunday, February 5, 2006   5:58:37.580 pm
Abend 1 on P00: Server-5.60.05: Page Fault Processor Exception (Error code 00000000)

Registers:
    CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
    EAX = 00000000 EBX = 85386E40 ECX = 00000000 EDX = 826669E2
    ESI = 83817060 EDI = 8265ACD0 EBP = 85742960 ESP = 857423E0
    EIP = C8D10FB0 FLAGS = 00010286 
    C8D10FB0 0FB601         MOVZX   EAX,byte ptr [ECX]=?
    EIP in LIBC.NLM at code start +00082FB0h
    Access Location: 0x00000000

The violation occurred while processing the following instruction:
C8D10FB0 0FB601         MOVZX   EAX,byte ptr [ECX]
C8D10FB3 3C41           CMP     AL,41
C8D10FB5 0FB61A         MOVZX   EBX,byte ptr [EDX]
C8D10FB8 7206           JB      C8D10FC0
C8D10FBA 3C5A           CMP     AL,5A
C8D10FBC 7702           JA      C8D10FC0
C8D10FBE 0420           ADD     AL,20
C8D10FC0 80FB41         CMP     BL,41
C8D10FC3 7208           JB      C8D10FCD
C8D10FC5 80FB5A         CMP     BL,5A



Running process: rcmdsrv         6 Process
Thread Owned by NLM: RCMDSRV.NLM
Stack pointer: 85742240
OS Stack limit: 857369C0
Scheduling priority: 67371008
Wait state: 5050100  Delayed
Stack: --85386E40  ?
       (...)
Additional Information:
    The CPU encountered a problem executing code in LIBC.NLM.  The problem may be in that module or in data passed to 
that module by a process owned by RCMDSRV.NLM.

Loaded Modules: 
(...)
*********************************************************
RCMDSRV.NLM   v4.21       Mar.  1, 2002  rcmdsrv nlm
LIBC.NLM      v7.05       Jun. 23, 2004  Standard C Runtime Library for NLMs [optimized, 5]


Similar abends happened on several Netware production servers when we 
had penetration testers in the house a short time before christmas. We
never knew for sure but it's likely that they were the cause for the 
abends and the tool they used to scan the network was probably Nmap 
...

Regards,
Axel Pettinger


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev

Current thread:

Nmap causes critical error on Novell Netware 6 SP5 Axel Pettinger (Feb 05)
- <Possible follow-ups>
- RE: Nmap causes critical error on Novell Netware 6 SP5 Mike C (check) (Feb 05)
  - Re: Nmap causes critical error on Novell Netware 6 SP5 Matt Hargett (Feb 05)
    - Re: Nmap causes critical error on Novell Netware 6 SP5 Kurt Grutzmacher (Feb 06)
    - Re: Nmap causes critical error on Novell Netware 6 SP5 Axel Pettinger (Feb 08)