Re: bug in svn 17300

[David Fifield <david () bamsoftware com>]

On Wed, Apr 14, 2010 at 02:07:05PM -0500, Daniel Miller wrote:
> Not sure what's going on, but it seems consistent. Run as "sudo nmap -oA  
> nmap.7300.err -d --log-errors --script-trace --packet-trace -v -A -sU  
> 192.168.1.0/24". Error is "Unexpected error in NSE_TYPE_READ callback.   
> Error code: 71 (Protocol error)".
>
> Packet capture shows an ICMP error from the target, "IP header bad".
>
> I have attached the following:
>
> nmap.17300.err.output - last 200 or so lines of output
> nmap.17300.err.nmap - regular output file
> nmap.17300.err.xml - XML output
> nmap.17300.pcap - packet capture of the host and port  
> (192.168.1.20:5000) conversation

This is very interesting. It will be pretty easy to fix, because this is
just an error response that no one has seen or reported before. All we
need to do is add a handler for EPROTO in service_scan.cc.

I'm kind of curious to find out how this could happen. As you noted, a
type-12 ICMP error ("Parameter problem") is coming back in response to
the Sqlping version probe. It doesn't look like there's anything wrong
with the probe to me. My conjecture is that an active IPS or some other
mechanism is forging the ICMP error. There's a Snort rule that catches
the Sqlping probe: http://www.snort.org/search/sid/2049.

Try changing this line of nmap-service-probes:

Probe UDP Sqlping q|\x02|

to this:

Probe UDP Sqlping q|\x03|

And see if it still happens. This is just a test of my conjecture and
you should change it back afterwards.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/