Nmap Development mailing list archives

Re: New VA Modules: OpenVAS: 1, MSF: 5, Nessus: 13


From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Thu, 19 Jul 2012 01:24:42 +0200

We were just chatting about this on #nmap

This is what I get when nmap is setuid root:
Starting Nmap 6.02 ( http://nmap.org ) at 2012-07-18 23:21 CEST
WARNING: Running Nmap setuid, as you are doing, is a major security risk.

So the check is already there.


Aleksandar

On Thu, Jul 19, 2012 at 12:56 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
On 07/18/2012 12:00 PM, New VA Module Alert Service wrote:

== Metasploit modules (5) ==

r15649 http://metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/unix/local/setuid_nmap.rb
setuid nmap "exploit"


Setuid Nmap has been a major no-no for years, but this week, Metasploit
added a framework for local exploits (mostly geared around privilege
escalation, natch), and one of the 3 flagship exploits is an exploit for
setuid installs of Nmap, via os.execute() in a NSE script.

There are a few approaches we could take on this issue (I won't say "in
response," since the issue has been around long before this addition to
Metasploit, and our projects are mutually beneficial, not competitors):

1. Do nothing.

2. Add a runtime check for EUID != UID and either complain or die. Here's a
patch for a warning without terminating execution:

diff --git a/main.cc b/main.cc
index 08a1b02..aba32f8 100644
--- a/main.cc
+++ b/main.cc
@@ -148,6 +148,14 @@ int main(int argc, char *argv[]) {

   set_program_name(argv[0]);

+#ifndef WIN32
+  int euid;
+  euid = geteuid();
+  if (euid == 0 && euid != getuid()) {
+      error("WARNING! Nmap should never be installed suid-root! This
exposes your system to privilege escalation.");
+  }
+#endif
+
 #ifdef __amigaos__
        if(!OpenLibs()) {
                error("Couldn't open TCP/IP Stack Library(s)!");
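Review bot: the string literal in the new `error(...)` call is broken across two lines (`+      error("WARNING! Nmap should never be installed suid-root! This` / `exposes your system to privilege escalation.");`), so the hunk as pasted will not compile; keep the message on one line or split it into two adjacent literals. Two smaller points on the same hunk: `euid` is declared `int` while `geteuid()` returns `uid_t`, so use `uid_t euid = geteuid();`, and the condition `euid == 0 && euid != getuid()` only catches a setuid-root install, so a setuid-non-root or setgid install (`getegid() != getgid()`) would pass without any warning; comparing both the uid and gid pairs would cover the cases the accompanying text describes.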


3. Remove support for os.execute() from NSE. This likely won't solve all
issues, and may lead to a false sense of security.

The floor is open for discussion!

Dan


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
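The option-2 check from the thread, written out as an added example that is not from the patch or from Nmap itself: it generalizes the test to setgid installs and to the "complain or die" choice. It assumes a POSIX environment (the patch's `#ifndef WIN32` case), and the function and enum names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Classification of the real vs. effective ids the process runs with. */
enum priv_state {
    PRIV_OK = 0,          /* real and effective ids match: normal install */
    PRIV_SETUID_ROOT = 1, /* euid is 0 but the real uid is not: suid-root */
    PRIV_SETUID = 2,      /* euid differs from the real uid, but is not 0 */
    PRIV_SETGID = 3       /* uids match but the effective gid differs */
};

/* Pure classifier (hypothetical name) so the logic can be tested without
   actually installing a setuid binary. Mirrors the patch's euid == 0 &&
   euid != getuid() condition and extends it to the non-root and gid cases. */
enum priv_state classify_ids(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (euid != ruid)
        return euid == 0 ? PRIV_SETUID_ROOT : PRIV_SETUID;
    if (egid != rgid)
        return PRIV_SETGID;
    return PRIV_OK;
}

/* Startup check (hypothetical name): prints a warning on any setuid/setgid
   install and, when die != 0, exits instead of continuing. Returns the
   classification so a caller can also act on it programmatically. */
enum priv_state check_setuid_install(int die)
{
    enum priv_state s = classify_ids(getuid(), geteuid(), getgid(), getegid());
    const char *msg = NULL;

    switch (s) {
    case PRIV_SETUID_ROOT:
        msg = "WARNING! Nmap should never be installed suid-root! "
              "This exposes your system to privilege escalation.";
        break;
    case PRIV_SETUID: msg = "WARNING! Running setuid (non-root) is a security risk."; break;
    case PRIV_SETGID: msg = "WARNING! Running setgid is a security risk."; break;
    case PRIV_OK: break;
    }
    if (msg) {
        fprintf(stderr, "%s\n", msg);
        if (die)
            exit(EXIT_FAILURE);
    }
    return s;
}
```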
