Nmap Development mailing list archives

Re: [NSE] rpc library; errors during nfsd startup


From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 25 Apr 2010 20:54:07 +0200

Hi Djalal,

Thanks for the patch, it looked good and I've committed it as r17391.

I would appreciate it if someone could try to run the scripts rpcinfo,nfs-* (e.g. --script rpcinfo,nfs-*) against a Mac OS X server.
I've done so against a 10.6.3 OS X server running in VMware Fusion but I'm experiencing some problems.
When the scripts are run in parallel (by default) they almost always return with various errors.
Looking at packet captures reveals that the server detects incorrect TCP checksums and resets the connection.

I'm not seeing this at all running against my other test platforms (mostly Linux) and I would like to make sure this error is specific to the OS X virtual test environment.

//Patrik

On 23 apr 2010, at 19.37, Djalal Harouni wrote:

Hi David,

This is another patch to add more RPC error stats/messages and to add more
debug output. This is against Patrik's last patches, r17374.

thx.

On 2010-04-21 19:17:47 -0600, David Fifield wrote:
This is related to your patch, Djalal, but it affects the current code
and your patched code so I'm replying here.

I get errors if I run the nfs and rpc scripts quickly after restarting
nfsd on the remote. This is what I see with the current code if I run
the scan up to about 3 seconds after restarting nfsd.

PORT    STATE SERVICE REASON
111/tcp open  rpcbind syn-ack
| rpcinfo:
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100021  0,1,3,4      877/udp  nlockmgr
|   100021  0,1,3,4     1022/tcp  nlockmgr
|   100024  1            905/udp  status
|_  100024  1           1021/tcp  status
| nfs-acls:
|_  Failed to list mount points
| nfs-dirlist:
|_  Failed to list mount points
| nfs-showmount:
|_  Failed to list mount points
| nfs-statfs:
|_  Failed to list mount points

Compare this to the output if I run later:

PORT    STATE SERVICE REASON
111/tcp open  rpcbind syn-ack
| rpcinfo:
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100005  1,3          821/udp  mountd
|   100005  1,3         1009/tcp  mountd
|   100011  1,2          658/udp  rquotad
|   100021  0,1,3,4      877/udp  nlockmgr
|   100021  0,1,3,4     1022/tcp  nlockmgr
|   100024  1            905/udp  status
|_  100024  1           1021/tcp  status
| nfs-showmount:
|_  /Users/david 192.168.0.0
| nfs-statfs:
|   /Users/david
|_    ERROR: Mount failed
| nfs-acls:
|   /Users/david
|_    ERROR: Mount failed
| nfs-dirlist:
|   /Users/david
|_    ERROR: Mount failed

The change is even more obvious with the patched library. If I scan
within 3 seconds of restarting nfsd I get lots of errors.

NSE: 'nfs-dirlist' (thread: 0xa00ff70) against 192.168.0.190:111 threw an error!
./nselib/rpc.lua:1280: bad argument #2 to 'format' (string expected, got nil)
stack traceback:
       [C]: in function 'format'
       ./nselib/rpc.lua:1280: in function 'ShowMounts'
       ./scripts/nfs-dirlist.nse:47: in function <./scripts/nfs-dirlist.nse:40>
       (tail call): ?

NSE: 'nfs-statfs' (thread: 0xa018d00) against 192.168.0.190:111 threw an error!
./nselib/rpc.lua:1280: bad argument #2 to 'format' (string expected, got nil)
stack traceback:
       [C]: in function 'format'
       ./nselib/rpc.lua:1280: in function 'ShowMounts'
       ./scripts/nfs-statfs.nse:40: in function <./scripts/nfs-statfs.nse:37>
       (tail call): ?

NSE: 'nfs-showmount' (thread: 0xa0303f8) against 192.168.0.190:111 threw an error!
./nselib/rpc.lua:1280: bad argument #2 to 'format' (string expected, got nil)
stack traceback:
       [C]: in function 'format'
       ./nselib/rpc.lua:1280: in function 'ShowMounts'
       ./scripts/nfs-showmount.nse:39: in function <./scripts/nfs-showmount.nse:34>
       (tail call): ?

NSE: Finished 'rpcinfo' (thread: 0xa01a250) against 192.168.0.190:111.
NSE: 'nfs-acls' (thread: 0xa00e9d8) against 192.168.0.190:111 threw an error!
./nselib/rpc.lua:1280: bad argument #2 to 'format' (string expected, got nil)
stack traceback:
       [C]: in function 'format'
       ./nselib/rpc.lua:1280: in function 'ShowMounts'
       ./scripts/nfs-acls.nse:42: in function <./scripts/nfs-acls.nse:37>
       (tail call): ?

Completed NSE at 19:16, 0.11s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.0.190
Fetchfile found ./nmap-mac-prefixes
MAC prefix 0001C8 is duplicated in ./nmap-mac-prefixes; ignoring duplicates.
MAC prefix 080030 is duplicated in ./nmap-mac-prefixes; ignoring duplicates.
MAC prefix 080030 is duplicated in ./nmap-mac-prefixes; ignoring duplicates.
Host is up, received arp-response (0.00022s latency).
Scanned at 2010-04-21 19:16:52 MDT for 0s
PORT    STATE SERVICE REASON
111/tcp open  rpcbind syn-ack
| rpcinfo:
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100021  0,1,3,4      877/udp  nlockmgr
|   100021  0,1,3,4     1022/tcp  nlockmgr
|   100024  1            905/udp  status
|_  100024  1           1021/tcp  status

The expected output is this.

PORT    STATE SERVICE REASON
111/tcp open  rpcbind syn-ack
| rpcinfo:
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100005  1,3          915/udp  mountd
|   100005  1,3         1008/tcp  mountd
|   100011  1,2          652/udp  rquotad
|   100021  0,1,3,4      877/udp  nlockmgr
|   100021  0,1,3,4     1022/tcp  nlockmgr
|   100024  1            905/udp  status
|_  100024  1           1021/tcp  status
| nfs-showmount:
|_  /Users/david 192.168.0.0
| nfs-dirlist:
|   /Users/david
|_    ERROR: rpc.Helper.Dir: Mount: Reply state was not Accepted(0) as expected
| nfs-statfs:
|   /Users/david
|_    ERROR: rpc.Helper.ExportStats: Mount: Reply state was not Accepted(0) as expected
| nfs-acls:
|   /Users/david
|_    ERROR: rpc.Helper.GetAttributes: Mount: Reply state was not Accepted(0) as expected

This is with the Mac OS X nfsd.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

-- 
tixxdz
<rpc.lua.diff>

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77




