Nmap Development mailing list archives
[NSE patch] patch for print_debug calls in scripts without proper formatstring
From: Sven Klemm <sven () c3d2 de>
Date: Mon, 25 Aug 2008 09:58:11 +0200
Hi,

the stdnse.print_debug() function, unlike the normal Lua print() function, expects a format specifier similar to string.format(). There are a few scripts which pass non-static data directly to print_debug, leading to "format string vulnerabilities". When Lua encounters any % with an unknown conversion specifier, or any conversion specifier with an unmatched argument, in the string given to the print_debug() call, script execution will stop.

The attached patch fixes the affected scripts.

Cheers,
Sven

--
Sven Klemm
http://cthulhu.c3d2.de/~sven/
Index: scripts/SQLInject.nse =================================================================== --- scripts/SQLInject.nse (revision 9714) +++ scripts/SQLInject.nse (working copy) @@ -240,8 +240,7 @@ end if #injectable > 0 then - stdnse.print_debug(1, id .. ": Testing " .. #injectable .. - " suspicious URLs") + stdnse.print_debug(1, "%s: Testing %d suspicious URLs", id, #injectable ) end -- test all potentially vulnerable queries Index: scripts/bruteTelnet.nse =================================================================== --- scripts/bruteTelnet.nse (revision 9714) +++ scripts/bruteTelnet.nse (working copy) @@ -65,8 +65,7 @@ end i = i + 1 - stdnse.print_debug(3, id .. " " .. - userpass[i-1][1] .. ":" .. escape_cred(userpass[i-1][2])) + stdnse.print_debug(3, "%s %s:%s", id, userpass[i-1][1], escape_cred(userpass[i-1][2])) return userpass[i-1][1], userpass[i-1][2] end end Index: scripts/showHTMLTitle.nse =================================================================== --- scripts/showHTMLTitle.nse (revision 9714) +++ scripts/showHTMLTitle.nse (working copy) @@ -37,7 +37,7 @@ if data.status == 301 or data.status == 302 then local url = url.parse( data.header.location ) if url.host == host.targetname or url.host == ( host.name ~= '' and host.name ) or url.host == host.ip then - stdnse.print_debug("showHTMLTitle.nse: Default page is located at " .. url.scheme.. "://" .. url.authority .. url.path) + stdnse.print_debug("showHTMLTitle.nse: Default page is located at %s://%s%s", url.scheme, url.authority, url.path) data = http.get( host, port, url.path ) end end Index: scripts/SMTPcommands.nse =================================================================== --- scripts/SMTPcommands.nse (revision 9714) +++ scripts/SMTPcommands.nse (working copy) 
@@ -80,7 +80,7 @@ resultEHLO = try(socket:receive_lines(1)) if not (string.match(resultEHLO, "^250")) then --- stdnse.print_debug("1",resultEHLO) +-- stdnse.print_debug("1","%s",resultEHLO) -- stdnse.print_debug("1","EHLO with errors or timeout. Enable --script-trace to see what is happening.") resultEHLO = "" end @@ -100,7 +100,7 @@ resultHELP = try(socket:receive_lines(1)) if not (string.match(resultHELP, "^214")) then --- stdnse.print_debug("1",resultHELP) +-- stdnse.print_debug("1","%s",resultHELP) -- stdnse.print_debug("1","HELP with errors or timeout. Enable --script-trace to see what is happening.") resultHELP = "" end
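Review bot: In the SQLInject.nse hunk the new call has a stray space before the closing parenthesis (`#injectable )`), while the surrounding code and the other hunks write `#injectable)`; drop it. Otherwise the change does what the mail describes: the static pattern `"%s: Testing %d suspicious URLs"` takes `id` and `#injectable` as arguments, so a `%` inside `id` can no longer reach string.format.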
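Review bot: The bruteTelnet.nse hunk folds the call onto a single line that is noticeably longer than the two-line original; consider keeping the wrap. The `"%s %s:%s"` pattern with `id`, `userpass[i-1][1]` and `escape_cred(userpass[i-1][2])` as arguments is correct and removes the case where a `%` in a credential from the list would have stopped the script.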
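Review bot: In the showHTMLTitle.nse hunk print_debug is called with the format string as its first argument and no numeric debug level, unlike every other call site in this patch; confirm that stdnse.print_debug accepts this form, or add a level for consistency. Separately, the unchanged context line `local url = url.parse( data.header.location )` shadows the `url` module with the parsed table, which is hard to read even though it is not part of this change.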
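Review bot: Both SMTPcommands.nse hunks only edit lines that are commented out (`-- stdnse.print_debug("1","%s",resultEHLO)` and the matching HELP line), so the change has no runtime effect until someone uncomments them; if the calls are meant to stay disabled it may be simpler to remove them, and if they are meant to be enabled this patch should do so. Note also that the level is passed as the string `"1"` rather than the number `1` used in the other hunks.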
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
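The failure mode the mail describes, and the two safe call patterns the patch uses, as an added example that is not part of the original message and not Nmap's own stdnse code. The `print_debug` below is a minimal stand-in for `stdnse.print_debug` that keeps the same string.format() contract; `print_debug_values`, the sample `location` value and the banner text are constructed for this example.

```lua
-- Added example, not code from the patch or from Nmap's stdnse library.
-- Minimal stand-in for stdnse.print_debug: the second argument is a
-- string.format() pattern, so any '%' in it is interpreted.
local function print_debug(level, fmt, ...)
  io.write("[debug ", tostring(level), "] ", string.format(fmt, ...), "\n")
end

-- Joins any number of values into one message and passes it through a fixed
-- "%s" pattern, so the values themselves are never read as a pattern
-- (the same shape as the "%s" calls in the SMTPcommands hunks).
local function print_debug_values(level, ...)
  local parts = {}
  for i = 1, select("#", ...) do
    parts[i] = tostring((select(i, ...)))
  end
  print_debug(level, "%s", table.concat(parts, " "))
end

-- Constructed sample of data the script does not control: a URL-encoded
-- redirect target from an HTTP response. "%25" is a literal '%' in URL
-- encoding, but string.format reads "%25o" as a width-25 octal conversion
-- for which no argument was supplied.
local location = "/shop/index.php?promo=50%25off"

-- Unsafe (pre-patch pattern): data concatenated into the format argument.
-- string.format raises an error; inside a real NSE script that error aborts it.
local ok, err = pcall(print_debug, 1, "Default page is located at " .. location)
assert(not ok, "expected the unsafe call to fail")
print("unsafe call failed as expected:", err)

-- Safe (patched pattern): static format string, data passed as an argument.
assert(pcall(print_debug, 1, "Default page is located at %s", location))

-- Safe for free-form text such as a server reply line, even one containing '%'.
assert(pcall(print_debug_values, 1, "EHLO reply:",
             "250-mail.example.test says 100% ready"))
```

Run it with any Lua 5.1 or later interpreter; the first call fails and the two safe calls succeed regardless of what the data contains, which is exactly the property the patch restores in the affected scripts. The exact wording of the error message differs between Lua versions, which is why the script checks the pcall status rather than the text.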