Nmap Development mailing list archives
[NSE] mssql library - bug in parsing browser data
From: Chris Woodbury <chris3e3 () gmail com>
Date: Fri, 21 Jan 2011 18:33:14 -0600
While working on some NSE scripts for SQL Server, I found a bug in the mssql.lua library. In the Discover function, when the SQL Server browser data is being parsed, it treats ";;" as a marker for the end of the data for a SQL Server instance. However, ";;" is valid within the data for an instance, signifying a field without a value (i.e. an empty string, etc.), and one of these ";;"s will make the capture end too early, likely resulting in a crash [1].

Basically, the proper way to identify an instance is to find ServerName;.-;InstanceName;.-;IsClustered;.-; (per the SSRP spec, these are always present and in this order) and then go on until you reach the end or another instance. I couldn't figure out how to do this with Lua patterns in one step; so, I did it in two - cutting up the string and then parsing each one.

I've attached a patch against the SVN version. I haven't done a ton of Lua/NSE scripting, so I would appreciate any comments.

Thanks
-chris

[1] Example:
"ServerName;WINXP;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;np;\\WINXP\pipe\sql\query;tcp;1433;rpc;WINXP;spx;WINXP;adsp;WINXP;bv;;@MSSQL;;via;WINXP,0:1433;;ServerName;WINXP;InstanceName;SQL2K5;IsClustered;No;Version;9.00.4035.00;tcp;1278;;"
gets captured as:
(1) ServerName;WINXP;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;np;\\WINXP\pipe\sql\query;tcp;1433;rpc;WINXP;spx;WINXP;adsp;WINXP;bv;;
(2) @MSSQL;;
(3) via;WINXP,0:1433;;
(4) ServerName;WINXP;InstanceName;SQL2K5;IsClustered;No;Version;9.00.4035.00;tcp;1278;;
The script crashes on line 843 during (2), when it tries to use the instance name, which it didn't get.
Attachment:
mssql_ssrp_split.patch
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] mssql library - bug in parsing browser data Chris Woodbury (Jan 21)
- Re: [NSE] mssql library - bug in parsing browser data Patrik Karlsson (Jan 22)