Nmap Development mailing list archives

nmap4.20RC2 SIGSEGV signal?


From: sgarcia <sgarcia () citefa gov ar>
Date: Tue, 5 Dec 2006 14:09:50 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list,

I think I found an error in nmap 4.20RC2, but I'm not sure what is happening. I 
know that the nmap 4.20RC2 release is imminent, so I'm posting now before I can 
analyse it deeply.


I have got a SIGSEGV signal under some conditions.

Problems:
        1- Nmap got a SIGSEGV signal.
        2- Nmap behaves differently when run several times with the same 
parameters while the scanned hosts answer with exactly the same packets.


SIGSEGV Problem
***************

Conditions:
-----------
 a- I have to scan at least these two hosts simultaneously: 192.168.200.29 
(from now on 29) and 192.168.200.56 (from now on 56).
 b- With the three hosts 192.168.200.23, 192.168.200.29 and 192.168.200.56 it does 
NOT happen.
 c- With these combinations, 23-56, 56-23, 23-29 and 29-23, it does NOT happen.

Some nmap experiments:
         Command                                                                          Does it crash?

         'nmap -sS -F -n -v -A 192.168.200.56,29 -d2 --packet-trace'                      : Yes
         'nmap -sS -F -n -v 192.168.200.56,29 -d2 --packet-trace'                         : No
         'nmap -sS -p22,1 -n -v -A 192.168.200.56,29 -d2 --packet-trace'                  : Yes
                 (1 and 22 are ports used by OS detection)
         'nmap -sS -p22,1 -n -v 192.168.200.56,29 -d2 --packet-trace'                     : No
         'nmap -sS -p22,1 -A 192.168.200.56,29 -d2 --packet-trace'                        : Yes
         'nmap -sS -p22,1 -n -v -O 192.168.200.56,29 -d2 --packet-trace'                  : Yes
         'nmap -sV -p22,1 -n -v 192.168.200.56,29 -d2 --packet-trace'                     : No
         'nmap -sS -p22,1 -n -v -O1 192.168.200.56,29 -d2 --packet-trace'                 : No
         'nmap -sS -p22,1 -n -v -O2 192.168.200.56,29 -d2 --packet-trace'                 : Yes
         'nmap -sS -p22,1 -n -v -O2 --osscan-limit 192.168.200.56,29 -d2 --packet-trace'  : No (interesting)
         'nmap -sS -p22,1 -n -v -O2 --osscan-guess 192.168.200.56,29 -d2 --packet-trace'  : No (interesting)
         'nmap -sS -p22,1 -n -v -O2 --max-os-tries 1 192.168.200.56,29 -d2 --packet-trace' : No (interesting)
         'nmap -sS -p22,1 -n -v -O2 --max-os-tries 2 192.168.200.56,29 -d2 --packet-trace' : No (interesting)
         'nmap -sS -p22,1 -n -v -O2 --max-os-tries 3 192.168.200.56,29 -d2 --packet-trace' : Yes (interesting!)
         'nmap -sS -p22,1 -n -v -O2 --max-os-tries 4 192.168.200.56,29 -d2 --packet-trace' : No,Yes (interesting!)
         'nmap -sS -p22,1 -n -v -O2 --max-os-tries 5 192.168.200.56,29 -d2 --packet-trace' : Yes (interesting)
         'nmap -sS -p22,1 -n -v -O2 --max-os-tries 6 192.168.200.56,29 -d2 --packet-trace' : Yes (interesting)
         'nmap -sS -p22,1 -n -v -O2 --max-os-tries 7 192.168.200.56,29 -d2 --packet-trace' : No,Yes (interesting)


--------->    'No,Yes' means that different executions of the same command 
finished differently: one crashes and the other does not. 
                I'm attaching both experiments.



Where the problem is
--------------------
GDB says the problem is at osscan2.cc:3349:

        /* Send a seq probe to each host. */
        while(unableToSend < OSI->numIncompleteHosts() && HOS->stats->sendOK()) {
          hsi = OSI->nextIncompleteHost();
Here ->   hss = hsi->hss;
          gettimeofday(&now, NULL);
          if (hss->numProbesToSend()>0 && HOS->hostSeqSendOK(hss, NULL)) {
            HOS->sendNextProbe(hss);
            expectReplies++;
            unableToSend = 0;
          } else {
            unableToSend++;
          }

It seems that hsi->hss points to nowhere (somewhere in another segment) at some 
point in this execution, but I wasn't able to figure out why.

I'm attaching GDB's output.




Problem of nmap sometimes crashing and sometimes not.
*****************************************************
I don't know why sometimes it happens and sometimes it doesn't. What I see 
is that the two nmap executions are very different. I'm attaching both results.





System Information
******************

My system
---------
Debian Unstable, fully updated on 4-12-2006.



192.168.200.29
--------------
         OpenBSD 3.4; I have root access, so I'm sure.
        
192.168.200.56
--------------
         Microsoft Windows, I'm not sure.


        nmap -sS -F -A -n -v 192.168.200.56

        Starting Nmap 4.20RC2 ( http://insecure.org ) at 2006-12-05 09:05 ART
        Initiating ARP Ping Scan at 09:05
        Scanning 192.168.200.56 [1 port]
        Completed ARP Ping Scan at 09:05, 0.01s elapsed (1 total hosts)
        Initiating SYN Stealth Scan at 09:05
        Scanning 192.168.200.56 [1256 ports]
        Completed SYN Stealth Scan at 09:05, 0.52s elapsed (1256 total ports)
        Initiating Service scan at 09:05
        Warning:  OS detection for 192.168.200.56 will be MUCH less reliable because 
we did not find at least 1 open and 1 closed TCP port
        Initiating OS detection (try #1) against 192.168.200.56
        Retrying OS detection (try #2) against 192.168.200.56
        Initiating gen1 OS Detection against 192.168.200.56 at 2.283s
        Warning:  OS detection will be MUCH less reliable because we did not find at 
least 1 open and 1 closed TCP port
        Host 192.168.200.56 appears to be up ... good.
        All 1256 scanned ports on 192.168.200.56 are closed
        MAC Address: 52:54:00:D9:64:AC (QEMU virtual NIC)
        Device type: general purpose
        Running: Microsoft Windows NT/2K/XP
        OS details: Microsoft Windows NT 4.0 SP 6a + hotfixes
        Network Distance: 1 hop

        OS and Service detection performed. Please report any incorrect results at 
http://insecure.org/nmap/submit/ .
        Nmap finished: 1 IP address (1 host up) scanned in 6.643 seconds
                Raw packets sent: 1281 (58.498KB) | Rcvd: 1281 (59.650KB)




Hope this can help

Please tell me if you need more information on the conditions.


Sebastián García



-- 
Ing. Sebastián García
SI6 - DINFO - CITEFA
San Juan B. de La Salle 4397
B1603ALO Villa Martelli - Pcia. Bs. As.
Tel: (54-11) 4709-8285
e-mail: sgarcia () citefa gov ar - www.citefa.gov.ar/si6/
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x4305E810
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFdafi/TXddkMF6BARAlmaAKDxycRqwDktahnJ+q5LjKD5eDLlvgCglcmS
fcJcACYTJmQcOnWwI2DWTYc=
=qdii
-----END PGP SIGNATURE-----

Attachment: nmap-gdb-output.txt

Attachment: segment-fault-test.crash

Attachment: segment-fault-test.NOTcrashing
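The report shows the crash site but does not establish why hsi->hss is stale, and the thread leaves that open. As an added example (not nmap's code; the names Scheduler, HostEntry, markComplete, forgetHostStateOnly and the two-host input are hypothetical), the C++ below models the "send a seq probe to each incomplete host" round-robin loop quoted above over a std::list and shows the two guards a maintainer would reach for first when a pointer read out of such a list goes bad: keeping the round-robin cursor valid when a finished host is erased from the list (std::list::erase invalidates exactly the iterator to the erased node), and a debug-time liveness check on the HostState pointer before it is dereferenced, which turns a silent wild read into a detectable failure.

```cpp
// Added example, not nmap's code. Models the round-robin probe loop from the
// report with a std::list of host entries and two defensive checks.
#include <list>
#include <memory>
#include <set>
#include <string>
#include <vector>

struct HostState {          // stands in for a per-host OS-scan state object
    std::string addr;
    int probesToSend;
};

struct HostEntry {          // node of the "incomplete hosts" list
    HostState *hss;
};

class Scheduler {
public:
    explicit Scheduler(const std::vector<std::pair<std::string, int>> &hosts) {
        for (const auto &h : hosts) {
            owned_.push_back(std::unique_ptr<HostState>(new HostState{h.first, h.second}));
            live_.insert(owned_.back().get());
            incomplete_.push_back(HostEntry{owned_.back().get()});
        }
        cursor_ = incomplete_.begin();
    }

    size_t numIncompleteHosts() const { return incomplete_.size(); }

    // Round-robin over the incomplete hosts, wrapping at the end of the list.
    HostEntry *nextIncompleteHost() {
        if (incomplete_.empty()) return nullptr;
        if (cursor_ == incomplete_.end()) cursor_ = incomplete_.begin();
        HostEntry *e = &*cursor_;
        ++cursor_;
        return e;
    }

    // Guard 2: does this pointer still refer to a host being scanned?
    bool isLive(const HostState *hs) const { return live_.count(hs) != 0; }

    HostState *stateFor(const std::string &addr) {
        for (auto &e : incomplete_)
            if (e.hss->addr == addr) return e.hss;
        return nullptr;
    }

    // Guard 1: a finished host is erased from the list; if the cursor sits on
    // that node it must be advanced first, or the next nextIncompleteHost()
    // call would dereference a dead list node.
    void markComplete(HostState *hs) {
        for (auto it = incomplete_.begin(); it != incomplete_.end(); ++it) {
            if (it->hss != hs) continue;
            if (cursor_ == it) ++cursor_;
            incomplete_.erase(it);
            break;
        }
        live_.erase(hs);   // state stays allocated in owned_ so a stale pointer
    }                      // can be checked here without undefined behaviour

    // Deliberately models the inconsistent state a bug would leave behind:
    // the host's state is retired but its list entry is left in place.
    void forgetHostStateOnly(HostState *hs) { live_.erase(hs); }

private:
    std::vector<std::unique_ptr<HostState>> owned_;
    std::set<const HostState *> live_;
    std::list<HostEntry> incomplete_;
    std::list<HostEntry>::iterator cursor_;
};

// One pass of the probe loop from the report. Returns the number of probes
// "sent", or -1 when an entry's hss no longer points at a live host, which is
// the read that segfaults in the report.
int sendProbeRound(Scheduler &s, std::vector<std::string> &sentTo) {
    size_t unableToSend = 0;
    int sent = 0;
    while (unableToSend < s.numIncompleteHosts()) {
        HostEntry *hsi = s.nextIncompleteHost();
        HostState *hss = hsi->hss;
        if (!s.isLive(hss)) return -1;
        if (hss->probesToSend > 0) {
            --hss->probesToSend;
            sentTo.push_back(hss->addr);
            ++sent;
            unableToSend = 0;
        } else {
            ++unableToSend;
        }
    }
    return sent;
}

// Constructed two-host scenarios mirroring the report's 56/29 pair.
std::string normalRoundSequence() {
    Scheduler s({{"192.168.200.56", 2}, {"192.168.200.29", 1}});
    std::vector<std::string> sent;
    sendProbeRound(s, sent);
    std::string out;
    for (size_t i = 0; i < sent.size(); ++i) out += (i ? "," : "") + sent[i];
    return out;   // "192.168.200.56,192.168.200.29,192.168.200.56"
}

std::string nextAfterCompletingCursorHost() {
    Scheduler s({{"192.168.200.56", 1}, {"192.168.200.29", 1}});
    s.nextIncompleteHost();                          // serves .56, cursor now on .29
    s.markComplete(s.stateFor("192.168.200.29"));    // erases the node under the cursor
    return s.nextIncompleteHost()->hss->addr;        // wraps safely to .56
}

int roundWithStaleEntry() {
    Scheduler s({{"192.168.200.56", 1}, {"192.168.200.29", 1}});
    s.forgetHostStateOnly(s.stateFor("192.168.200.29"));
    std::vector<std::string> sent;
    return sendProbeRound(s, sent);                  // -1: stale pointer caught
}
```

The liveness set is a debugging aid, not a fix: in a build with such a check (or under AddressSanitizer or valgrind) a stale hss fails loudly at the first read instead of crashing only when the freed memory happens to be unmapped, which is consistent with the report's observation that the same command sometimes crashes and sometimes does not.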


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
