Nmap Development mailing list archives

Re: nmap potentially vulnerable to Windows DLL Hijacking


From: David Fifield <david () bamsoftware com>
Date: Sat, 4 Sep 2010 20:28:16 -0600

On Sat, Sep 04, 2010 at 08:35:57PM +0530, Nikhil Mittal wrote:
> I cannot find where to download the latest commit. Do I need rights to check
> out nmap SVN??

Follow the instructions at http://nmap.org/book/install.html#inst-svn.
svn co --username guest --password "" svn://svn.insecure.org/nmap

> Also, request your consent to publish it on Bugtraq/Full Disclosure.

You can write what you like, but there is no vulnerability here, at
least as far as I understand DLL hijacking. Even though Nmap loads
airpcap.dll with an insufficiently qualified path (through WinPcap), its
lack of file name extension associations means that an attacker doesn't
have a way to get control over the current directory.

I do thank you for bringing this to our attention. Even though Nmap does
not make file name extension associations now, it might have become
vulnerable if such associations were added in the future.

Also keep in mind that I have only personally checked nmap.exe and
zenmap.exe so far. I would appreciate help testing the other programs,
and independent confirmation of what I have already tested.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
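The argument in David's reply rests on two separate preconditions: an unqualified library load that falls through to the current working directory, and some way for the attacker to pick that directory (for a program of this kind, a registered file type association that lets a document on an attacker's share set the CWD). The following is an added Python model of that reasoning; it is not code from Nmap or WinPcap. The directory contents, the DLL list and the hypothetical ".nmap" association are constructed for illustration only; the search order is the documented order with SafeDllSearchMode enabled, and `cwd_blocked` stands in for the CWDIllegalInDllSearch registry setting Microsoft introduced in KB2264107.

```python
"""Model the two preconditions for CWD-based DLL hijacking (added example).

Not Nmap or WinPcap code. Host contents and the ".nmap" association below are
constructed to illustrate the reasoning in the nmap-dev thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Windows DLL search order with SafeDllSearchMode enabled (default since XP SP2):
# the current working directory is consulted only after the application and
# system directories, but still before PATH.
SAFE_SEARCH_ORDER = ("app_dir", "system32", "system16", "windows", "cwd", "path")


@dataclass
class Host:
    """Constructed picture of which DLL names exist in each search location."""
    dirs: Dict[str, Set[str]] = field(default_factory=dict)
    # Models KB2264107's CWDIllegalInDllSearch=0xFFFFFFFF, which removes CWD
    # from the search order entirely.
    cwd_blocked: bool = False

    def resolve(self, dll: str) -> Optional[str]:
        """Return the location the loader would take `dll` from, or None if not found."""
        for loc in SAFE_SEARCH_ORDER:
            if loc == "cwd" and self.cwd_blocked:
                continue
            if dll.lower() in {d.lower() for d in self.dirs.get(loc, ())}:
                return loc
        return None


@dataclass
class Program:
    name: str
    unqualified_loads: List[str]  # DLLs requested by bare name, e.g. LoadLibrary("airpcap.dll")
    file_associations: Set[str] = field(default_factory=set)  # registered extensions


def hijackable_dlls(prog: Program, host: Host) -> List[str]:
    """Unqualified loads an attacker could satisfy by planting a file in the CWD.

    That is the case when the loader has not found the DLL by the time it reaches
    the CWD slot: the DLL is absent everywhere (the AirPcap case, when the optional
    driver is not installed) or is only found later, on PATH.
    """
    if host.cwd_blocked:
        return []
    return [d for d in prog.unqualified_loads if host.resolve(d) in (None, "cwd", "path")]


def assess(prog: Program, host: Host) -> Dict[str, object]:
    """Apply both preconditions: a CWD-reachable load AND attacker control of the CWD.

    Control of the CWD is modelled, as in the thread, as "the program registers a
    file type association", so opening a document on an attacker's share sets it.
    """
    dlls = hijackable_dlls(prog, host)
    controls_cwd = bool(prog.file_associations)
    return {
        "hijackable": dlls,
        "attacker_controls_cwd": controls_cwd,
        "exploitable": bool(dlls) and controls_cwd,
    }


# Constructed sample host: WinPcap installed into system32, AirPcap not installed,
# so airpcap.dll is found nowhere before the CWD slot.
WINPCAP_HOST = Host(dirs={
    "app_dir": {"nmap.exe"},
    "system32": {"kernel32.dll", "ws2_32.dll", "wpcap.dll", "packet.dll"},
})
# Same machine after KB2264107 with CWD removed from the search order.
HARDENED_HOST = Host(dirs=WINPCAP_HOST.dirs, cwd_blocked=True)

# nmap.exe as described in the thread: airpcap.dll requested via WinPcap by bare
# name, and no file type associations registered.
NMAP = Program("nmap.exe", ["wpcap.dll", "airpcap.dll"])
# Hypothetical build that registers a ".nmap" extension (the "if such associations
# were added in the future" case; constructed, not something Nmap does).
NMAP_WITH_ASSOC = Program("nmap.exe", ["wpcap.dll", "airpcap.dll"], {".nmap"})

if __name__ == "__main__":
    for prog, host in ((NMAP, WINPCAP_HOST), (NMAP_WITH_ASSOC, WINPCAP_HOST), (NMAP, HARDENED_HOST)):
        print(prog.name, sorted(prog.file_associations), "cwd_blocked=%s" % host.cwd_blocked,
              assess(prog, host))
```

Run stand-alone, the first case reports airpcap.dll as CWD-reachable but not exploitable (no association), the second flips to exploitable once an association exists, and the third shows the KB2264107 setting closing the CWD slot regardless of associations.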
