Nmap Development mailing list archives
nmap4.20RC2 SIGSEGV signal?
From: sgarcia <sgarcia () citefa gov ar>
Date: Tue, 5 Dec 2006 14:09:50 -0300
Hi list,

I think I found an error in nmap4.20RC2, but I'm not sure what is happening. I know that the nmap4.20RC2 release is imminent, so I'm posting now before I can analyse it deeply.

I have got a SIGSEGV signal under some conditions.

Problems:
1- Nmap got a SIGSEGV signal.
2- Nmap behaves differently when running several times with the same parameters and the scanned hosts answer exactly the same packets.

SIGSEGV Problem
***************

Conditions:
-----------
a- I have to scan at least these two hosts simultaneously: 192.168.200.29 (from now on 29) and 192.168.200.56 (from now on 56)
b- With three hosts 192.168.200.23, 192.168.200.29 and 192.168.200.56 it does NOT happen.
c- With these combinations 23-56, 56-23, 23-29, 29-23 it does NOT happen.

Some nmap experiments:

Command : Does it crash?
'nmap -sS -F -n -v -A 192.168.200.56,29 -d2 --packet-trace' : Yes
'nmap -sS -F -n -v 192.168.200.56,29 -d2 --packet-trace' : No
'nmap -sS -p22,1 -n -v -A 192.168.200.56,29 -d2 --packet-trace' : Yes (1,22 are ports used by OS detection)
'nmap -sS -p22,1 -n -v 192.168.200.56,29 -d2 --packet-trace' : No
'nmap -sS -p22,1 -A 192.168.200.56,29 -d2 --packet-trace' : Yes
'nmap -sS -p22,1 -n -v -O 192.168.200.56,29 -d2 --packet-trace' : Yes
'nmap -sV -p22,1 -n -v 192.168.200.56,29 -d2 --packet-trace' : No
'nmap -sS -p22,1 -n -v -O1 192.168.200.56,29 -d2 --packet-trace' : No
'nmap -sS -p22,1 -n -v -O2 192.168.200.56,29 -d2 --packet-trace' : Yes
'nmap -sS -p22,1 -n -v -O2 --osscan-limit 192.168.200.56,29 -d2 --packet-trace' : No (interesting)
'nmap -sS -p22,1 -n -v -O2 --osscan-guess 192.168.200.56,29 -d2 --packet-trace' : No (interesting)
'nmap -sS -p22,1 -n -v -O2 --max-os-tries 1 192.168.200.56,29 -d2 --packet-trace' : No (interesting)
'nmap -sS -p22,1 -n -v -O2 --max-os-tries 2 192.168.200.56,29 -d2 --packet-trace' : No (interesting)
'nmap -sS -p22,1 -n -v -O2 --max-os-tries 3 192.168.200.56,29 -d2 --packet-trace' : Yes (interesting!)
'nmap -sS -p22,1 -n -v -O2 --max-os-tries 4 192.168.200.56,29 -d2 --packet-trace' : No,Yes (interesting!)
'nmap -sS -p22,1 -n -v -O2 --max-os-tries 5 192.168.200.56,29 -d2 --packet-trace' : Yes (interesting)
'nmap -sS -p22,1 -n -v -O2 --max-os-tries 6 192.168.200.56,29 -d2 --packet-trace' : Yes (interesting)
'nmap -sS -p22,1 -n -v -O2 --max-os-tries 7 192.168.200.56,29 -d2 --packet-trace' : No,Yes (interesting)

---------> 'No,Yes' means that different executions of the same command finished differently. One crashes and the other does not. I'm attaching both experiments.

Where the problem is
--------------------

GDB says the problem is at osscan2.cc:3349:

    /* Send a seq probe to each host. */
    while(unableToSend < OSI->numIncompleteHosts() && HOS->stats->sendOK()) {
      hsi = OSI->nextIncompleteHost();
      hss = hsi->hss;                      /* Here -> osscan2.cc:3349 */
      gettimeofday(&now, NULL);
      if (hss->numProbesToSend()>0 && HOS->hostSeqSendOK(hss, NULL)) {
        HOS->sendNextProbe(hss);
        expectReplies++;
        unableToSend = 0;
      } else {
        unableToSend++;
      }
    }

It seems that hsi->hss points to nowhere (nowhere in another segment) at some point of this execution. But I wasn't able to figure out why. I'm attaching GDB's output.

Problem of nmap sometimes crashing and sometimes not.
*****************************************************

I don't know why sometimes it does happen and sometimes it doesn't. What I see is that both nmap executions are very different. I'm attaching both results.

System Information
******************

My system
---------
Debian Unstable, fully updated 4-12-2006.

192.168.200.29
--------------
OpenBSD 3.4. I have root access, so I'm sure.

192.168.200.56
--------------
Microsoft Windows, I'm not sure.

nmap -sS -F -A -n -v 192.168.200.56

Starting Nmap 4.20RC2 ( http://insecure.org ) at 2006-12-05 09:05 ART
Initiating ARP Ping Scan at 09:05
Scanning 192.168.200.56 [1 port]
Completed ARP Ping Scan at 09:05, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:05
Scanning 192.168.200.56 [1256 ports]
Completed SYN Stealth Scan at 09:05, 0.52s elapsed (1256 total ports)
Initiating Service scan at 09:05
Warning: OS detection for 192.168.200.56 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.200.56
Retrying OS detection (try #2) against 192.168.200.56
Initiating gen1 OS Detection against 192.168.200.56 at 2.283s
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Host 192.168.200.56 appears to be up ... good.
All 1256 scanned ports on 192.168.200.56 are closed
MAC Address: 52:54:00:D9:64:AC (QEMU virtual NIC)
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows NT 4.0 SP 6a + hotfixes
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 6.643 seconds
Raw packets sent: 1281 (58.498KB) | Rcvd: 1281 (59.650KB)

Hope this can help. Please tell me if you need more information on conditions.

Sebastián García

--
Ing. Sebastián García
SI6 - DINFO - CITEFA
San Juan B. de La Salle 4397
B1603ALO Villa Martelli - Pcia. Bs. As.
Tel: (54-11) 4709-8285
e-mail: sgarcia () citefa gov ar - www.citefa.gov.ar/si6/
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x4305E810
Attachments:
- nmap-gdb-output.txt
- segment-fault-test.crash
- segment-fault-test.NOTcrashing
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
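The report above notes that the same command sometimes crashes and sometimes does not ("No,Yes"), which the reporter established by hand. The following is an added example, not code from the original message or from the Nmap project: a small harness that runs one command repeatedly, classifies each run by how the child exited (normal exit code versus termination by a signal such as SIGSEGV), and tallies the outcomes so an intermittent crash can be quantified and its stderr kept. The commands used are constructed stand-ins (a Python child that sends itself SIGSEGV, and one that exits cleanly); for the reporter's case the argv from one of the experiments would go in their place.

```python
import signal
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RunResult:
    returncode: int
    signal_name: Optional[str]  # e.g. "SIGSEGV" when the child died from a signal
    stderr_tail: str            # last part of stderr, kept for the crashing runs

    @property
    def crashed(self) -> bool:
        return self.signal_name is not None


def classify_run(argv: List[str], timeout: float = 120) -> RunResult:
    """Run argv once and report whether it was killed by a signal.

    On POSIX, subprocess reports a negative returncode -N when the child
    died from signal N, so -11 means SIGSEGV on Linux.
    """
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    sig = None
    if proc.returncode < 0:
        sig = signal.Signals(-proc.returncode).name
    return RunResult(proc.returncode, sig, proc.stderr[-500:])


def repeat_and_tally(argv: List[str], runs: int = 10,
                     timeout: float = 120) -> Tuple[Counter, List[RunResult]]:
    """Run the same command `runs` times and count the outcomes.

    Keys in the returned Counter are "ok", a signal name such as
    "SIGSEGV", or "exit N" for a non-zero exit status.
    """
    tally: Counter = Counter()
    results: List[RunResult] = []
    for _ in range(runs):
        r = classify_run(argv, timeout)
        results.append(r)
        if r.signal_name is not None:
            tally[r.signal_name] += 1
        elif r.returncode == 0:
            tally["ok"] += 1
        else:
            tally[f"exit {r.returncode}"] += 1
    return tally, results


# Constructed stand-ins for the flaky command: one child that kills itself
# with SIGSEGV, one that exits cleanly. Replace with the real argv to use.
CRASHING_CMD = [sys.executable, "-c",
                "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
CLEAN_CMD = [sys.executable, "-c", "pass"]

if __name__ == "__main__":
    tally, results = repeat_and_tally(CRASHING_CMD, runs=5)
    print(dict(tally))
    for i, r in enumerate(results):
        if r.crashed:
            print(f"run {i}: {r.signal_name}, stderr tail: {r.stderr_tail!r}")
```

Running the crashing stand-in five times gives a tally of `{'SIGSEGV': 5}`; a command that is genuinely intermittent shows a mix of `ok` and `SIGSEGV`, which is the "No,Yes" pattern from the experiments list above, with the frequency attached.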
Current thread:
- nmap4.20RC2 SIGSEGV signal? sgarcia (Dec 05)
- Re: nmap4.20RC2 SIGSEGV signal? Fyodor (Dec 05)
- Re: nmap4.20RC2 SIGSEGV signal? sgarcia (Dec 06)
- Re: nmap4.20RC2 SIGSEGV signal? Fyodor (Dec 05)