FW: NMap crash with -sU

["Orgle" <orgle () charter net>]

-----Original Message-----
From: Orgle [mailto:orgle () charter net] 
Sent: Friday, May 04, 2007 10:59 PM
To: 'Gianluca Varenni'
Subject: RE: NMap crash with -sU

Hi:

        I completely uninstalled ZoneAlarm (not just shut it down). Ran the
scan with the Intel NIC (onboard NIC), and it crashed again. 

        After reinstalling ZoneAlarm, in the general tab, it's got Network
Monitor Driver in there, along with TCP/IP, QoS, Client for Microsoft
networks, & file & print sharing. So, the Zone Alarm binding must be hidden.
Tried it again, and with the Intel NIC, it crashed, with the 3Com running
(and with ZoneAlarm running) the scan went through. 

John

-----Original Message-----
From: Gianluca Varenni [mailto:gianluca.varenni () gmail com] 
Sent: Friday, May 04, 2007 7:34 PM
To: Orgle
Subject: Re: NMap crash with -sU

The only way to disable it is to unbind the zonealarm IM driver from that 
card. Disabling it at boot or disabling the service won't probably help, as 
the IM driver is still there in the protocol stack.

If they don't hide their IM driver, you can unbind the zonealarm from a 
specific adapter by opening the properties of a network adapter, in the 
"general" tab there's a list of what's bound to your adapter. You should 
have an item with a name like "Zone labs bla bla bla" or similar. Just 
uncheck that item.

Hope it helps
GV

----- Original Message ----- 
From: "Orgle" <orgle () charter net>
To: "'Gianluca Varenni'" <gianluca.varenni () gmail com>
Sent: Friday, May 04, 2007 5:18 PM
Subject: RE: NMap crash with -sU


> I will take the Zonealarm out of the startup, and disable the service, and
> see if it changes things.
>
> John
>
> -----Original Message-----
> From: Gianluca Varenni [mailto:gianluca.varenni () gmail com]
> Sent: Friday, May 04, 2007 5:24 PM
> To: Orgle
> Subject: Re: NMap crash with -sU
>
> A quick look at both the minidumps shows two drivers involved in the 
> crash,
> the intel miniport driver and the zonelabs/zonealarm one (which is 
> *always*
> there, even if you disable it).
>
> I dont want to say that the intel drivers are perfect, but i would also
> suspect a problem with the zonelabs one. It won't be the first time I see
> random crashes due to bugs in the drivers used by these personal 
> firewalls.
> As much as it can also be some remote bug in WinPcap corrupting the memory
> and causing a later crash (although I frankly doubt so).
>
> Ciao
> GV
>
>
> ----- Original Message ----- 
> From: "Orgle" <orgle () charter net>
> To: "'Gianluca Varenni'" <gianluca.varenni () gmail com>
> Sent: Friday, May 04, 2007 2:26 PM
> Subject: RE: NMap crash with -sU
>
>
> > Here's a minidump from today -
> >
> > Thanks,
> >
> > John
> >
> > -----Original Message-----
> > From: Gianluca Varenni [mailto:gianluca.varenni () gmail com]
> > Sent: Friday, May 04, 2007 4:15 PM
> > To: Orgle; 'Brandon Enright'
> > Cc: nmap-dev () insecure org
> > Subject: Re: NMap crash with -sU
> >
> > John,
> >
> > do you have a crash dump/minidump for the Intel card?
> >
> > I would be interested to just have a look at it and make sure it's not a
> > WinPcap issue.
> >
> > Have a nice day
> > Gianluca Varenni
> > WinPcap Team
> >
> >
> > ----- Original Message ----- 
> > From: "Orgle" <orgle () charter net>
> > To: "'Brandon Enright'" <bmenrigh () ucsd edu>
> > Cc: <nmap-dev () insecure org>
> > Sent: Friday, May 04, 2007 6:25 AM
> > Subject: RE: NMap crash with -sU
> >
> >
> > > Thanks Brandon.
> > >
> > > Turned off automatic reboot, got the BSOD, and the file with the problem
> > > was
> > > e1e5132.sys, which is part of the Intel Pro/1000 PM software. Went to
> > > Intel's site, downloaded latest software for it (after having to look 
> > > all
> > > over the place), loaded, and retested - same BSOD, with same .sys file.
> > > Driver for the card was 9.3.28.0, and after loading Intel's latest
> > > software
> > > is 9.7.34.
> > >
> > > I've got a 3Com 3C905 NIC also installed in the system. Disabled the
> > > Intel
> > > card, enabled the 3Com, gave it the same IP, ran the scan with no
> > > problems -
> > > even with ZoneAlarm and everything else running.
> > >
> > > So, problem looks to be with the Intel NIC card. Good old 3Com - their
> > > cards
> > > always seem to work ;-)
> > >
> > > John
> > > -----Original Message-----
> > > From: Brandon Enright [mailto:bmenrigh () ucsd edu]
> > > Sent: Friday, May 04, 2007 1:22 AM
> > > To: Orgle
> > > Cc: nmap-dev () insecure org; bmenrigh () ucsd edu
> > > Subject: Re: NMap crash with -sU
> > >
> > > On Thu, 3 May 2007 21:46:09 -0500 plus or minus some time "Orgle"
> > > <orgle () charter net> wrote:
> > >
> > > > Running NMap 4.20 on a XP SP2 box, with all the latest Microsoft 
> > > > patches
> > > > installed - on a new Gateway desktop PC (business class machine)
> > > >
> > > >             When I run a nmap -vv -sU -P0 68.188.xxx.xxx   the command
> > > > starts to run, then my PC crashes - reboots, no BSOD. After reboot, get
> > > > a
> > > > Windows has recovered from a serious error, and back from Microsoft get
> > > > the following response on the trouble. Have run some other queries
> > > > without a problem, just (so far) had the crash when using the -sU
> > > > option.
> > > > Use ZoneAlarm PC firewall software also (turned ZoneAlarm off, same
> > > > problem.)
> > >
> > > According to the Microsoft page you were receiving a stop error (BSOD).
> > > It
> > > probably just blinked by so fast your screen never drew it.
> > >
> > > Go ahead and disable the automatic reboot on error so that you can read
> > > the
> > > BSOD.  Instructions are available at
> > >
> > > http://pcsupport.about.com/od/tipstricks/ht/disautorestart.htm
> > >
> > > Next time you get the BSOD record the stop error, and if provided, the
> > > sys
> > > file listed at the bottom that the error occurred in.
> > >
> > > Also, if you haven't do so already, install WinPCAP 4.0.
> > >
> > > This error could be anything from a bug in Nmap to a bug in WinPCAP,
> > > Windows, your NIC's Driver, ZoneAlarm or some odd interaction of various
> > > bugs between all five.
> > >
> > > >             PC is 4 months old with 3G of memory, and is a Duo2
> > > > processor,
> > > > so lots of horsepower. Any ideas or have you seen this one before? The
> > > > Ethernet port is on-board the motherboard, and is an Intel Pro/1000 PM
> > > > Ethernet chip setup. Downloaded a BIOS update, same problem. No NIC
> > > > driver
> > > > updates seem available.
> > > >
> > > >             The error URL is
http://wer.microsoft.com/responses/Response.aspx/10/en-us/5.1.2600.2.0001010
> > > > 0.2.0?SGD=47fcb265-c480-4f8e-852e-a2b6bf373430
> > > >
> > > > Thanks,
> > > >
> > > > John
> > >
> > > If the BSOD tells you what sys file caused the error it should be fairly
> > > easy to track down.  If it doesn't, I'd start with uninstalling 
> > > ZoneAlarm
> > > (turning it off doesn't unload the driver, it simply makes it try to
> > > ignore
> > > traffic).  It should be possible to figure out where the error is
> > > occurring
> > > bu it may be trial and error to do so.
> > >
> > > Brandon
> > >
> > >
> > >
> > > _______________________________________________
> > > Sent through the nmap-dev mailing list
> > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > Archived at http://SecLists.Org


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org