Nmap Development mailing list archives
Re: Nmap security audit
From: Solar Designer <solar () openwall com>
Date: Sat, 18 Jul 2009 19:53:43 +0400
On Sat, Jul 18, 2009 at 11:24:47AM -0400, Michael Pattrick wrote:
> In ncat --chat no control characters are printed:
>
> ncatbroker.c(494): if (isprint(*p) || *p == '\r' || *p == '\n' || *p == '\t') {

Great! The above is still a bit risky, though:

1. It is affected by the issue I mentioned in the "Nmap uses ctype macros improperly" posting earlier today. "p" is declared as follows:

const char *p;

so it is typically signed. When there's no workaround in libc, isprint() may return non-zero for 8-bit chars, including in the 8-bit controls range (0x80 through 0x9f, of which the worst is CSI at 0x9b). Also, it may result in undefined behavior, including returning non-zero on some or all chars, with that "Alpha issue" I mentioned.

2. This trusts the locale. While this makes sense, you need to realize that the locale may be based on one's preferences (language, etc.), not the terminal they use at the moment. Unfortunately, there exist 8-bit character encodings that treat the 8-bit terminal controls range as printable. There's no perfect way to deal with this problem - it's a tradeoff. What's worse, there also exist buggy locales that declare the 8-bit controls as printable even for character encodings not requiring that (I found some of these in glibc some years ago, we're mass-patching them in Owl... sorry, I never bothered to report upstream, my fault).

BTW, right now Ncat does not appear to initialize the locale (at least my quick grep did not find that), so this should be the C locale, which should hopefully be safe (but this means that the chat won't work for any 8-bit chars, including safe ones, as long as the C locale is correctly defined).

> But as far as I can tell this doesn't apply to any other mode; perhaps ncat should support a 'text only' option, where only printable characters and periods are printed.

Yes, maybe. Also, the risk may need to be documented.

Thanks,

Alexander

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
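The following is an added example, not Ncat's code, showing the two fixes Solar Designer describes above in the form a reviewer would want to see them: the byte is widened to unsigned char before it reaches isprint(), so no negative value is ever passed to a ctype function, and the 8-bit (C1) control range 0x80 through 0x9f, including CSI at 0x9b, is rejected regardless of what the current locale claims. It also sketches the 'text only' filter Michael Pattrick suggests, replacing every other byte with a period. The function names and the sample chat line are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decide whether one byte may be written to the terminal.
 * The parameter is unsigned char, so isprint() always receives a value in
 * 0..255 rather than a negative int (undefined behaviour on a signed char
 * platform). The C1 range is rejected before consulting the locale at all,
 * because some 8-bit locales declare those bytes printable; 0x9b is the
 * single-byte CSI that starts a terminal control sequence. */
int safe_to_print(unsigned char c)
{
    if (c == '\r' || c == '\n' || c == '\t')
        return 1;
    if (c >= 0x80 && c <= 0x9f)        /* C1 controls, including CSI (0x9b) */
        return 0;
    return isprint(c) != 0;            /* 7-bit controls (ESC, NUL, ...) fail here */
}

/* "Text only" filtering as suggested in the thread: copy src to dst,
 * replacing every byte that is not safe with a period. dst must have room
 * for len + 1 bytes. Returns the number of bytes that were replaced. */
size_t sanitize_for_terminal(const char *src, size_t len, char *dst)
{
    size_t replaced = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];   /* never a negative value */
        if (safe_to_print(c)) {
            dst[i] = (char)c;
        } else {
            dst[i] = '.';
            replaced++;
        }
    }
    dst[len] = '\0';
    return replaced;
}

int main(void)
{
    /* Constructed hostile chat line: a 7-bit escape sequence (ESC [ 2 J),
     * an 8-bit CSI (0x9b) followed by a colour parameter, and an embedded NUL.
     * The "" breaks the string so the hex escape does not swallow "31". */
    const char msg[] = "hello\x1b[2J\x9b""31mworld\0end";
    size_t len = sizeof(msg) - 1;      /* 22 bytes, embedded NUL included */
    char out[sizeof(msg)];

    size_t n = sanitize_for_terminal(msg, len, out);
    printf("%s (%zu bytes replaced)\n", out, n);
    return 0;
}
```

Because this program never calls setlocale(), it runs in the C locale, where isprint() already rejects every 8-bit byte; the explicit C1 check only starts to matter once a program does call setlocale(LC_CTYPE, "") and inherits whatever the user's locale says about 0x80 through 0x9f. Keeping the range check in place regardless is the tradeoff the message above describes: a few legitimately printable bytes in some encodings are lost, and the terminal can no longer be driven by a remote peer.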
Current thread:
- Nmap security audit Solar Designer (Jul 18)
- Re: Nmap security audit Michael Pattrick (Jul 18)
- Re: Nmap security audit Solar Designer (Jul 18)
- Re: Nmap security audit Michael Pattrick (Jul 18)