Nmap Development mailing list archives
Re: New VA Modules: OpenVAS: 1, MSF: 5, Nessus: 13
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Thu, 19 Jul 2012 01:24:42 +0200
We were just chatting about this on #nmap. This is what I get when nmap is setuid root:

Starting Nmap 6.02 ( http://nmap.org ) at 2012-07-18 23:21 CEST
WARNING: Running Nmap setuid, as you are doing, is a major security risk.

So the check is already there.

Aleksandar

On Thu, Jul 19, 2012 at 12:56 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
On 07/18/2012 12:00 PM, New VA Module Alert Service wrote:== Metasploit modules (5) == r15649http://metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/unix/local/setuid_nmap.rb setuid nmap "exploit"Setuid Nmap has been a major no-no for years, but this week, Metasploit added a framework for local exploits (mostly geared around privilege escalation, natch), and one of the 3 flagship exploits is an exploit for setuid installs of Nmap, via os.execute() in a NSE script. There are a few approaches we could take on this issue (I won't say "in response," since the issue has been around long before this addition to Metasploit, and our projects are mutually beneficial, not comptetitors): 1. Do nothing. 2. Add a runtime check for EUID != UID and either complain or die. Here's a patch for a warning without terminating execution:diff --git a/main.cc b/main.cc index 08a1b02..aba32f8 100644 --- a/main.cc +++ b/main.cc @@ -148,6 +148,14 @@ int main(int argc, char *argv[]) { set_program_name(argv[0]); +#ifndef WIN32 + int euid; + euid = geteuid(); + if (euid == 0 && euid != getuid()) { + error("WARNING! Nmap should never be installed suid-root! This exposes your system to privilege escalation."); + } +#endif + #ifdef __amigaos__ if(!OpenLibs()) { error("Couldn't open TCP/IP Stack Library(s)!");3. Remove support for os.execute() from NSE. This likely won't solve all issues, and may lead to a false sense of security. The floor is open for discussion! Dan _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
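Review bot: the condition `euid == 0 && euid != getuid()` in the main.cc hunk only catches a setuid-root install; a binary installed setuid to some other account, or setgid, passes the check silently, so compare both pairs, e.g. `if (geteuid() != getuid() || getegid() != getgid())`. Since the hunk deliberately only warns and then continues, NSE scripts still run with the elevated id after the message is printed; if termination is not wanted, the warning text should at least say that scripts will execute with those privileges. Minor: `euid` is declared `int` while `geteuid()` returns `uid_t`; declare it `uid_t`.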