Re: nmap's service discovery crashable

[Daniel Miller <bonsaiviking () gmail com>]

On 04/15/2014 11:22 AM, Daniel Miller wrote:
> On 04/15/2014 08:58 AM, Jacek Wielemborek wrote:
> > 15/04/2014 15:57:26 Jacek Wielemborek <d33tah () gmail com>:
> > > Hello,
> > >
> > > While trying to trick Nmap into printing non-ASCII characters from the
> > > payloads in service discovery mode, I stumbled upon a bug. Here's 
> > > how to
> > > reproduce it:
> > >
> > > ncat -l 31337 -k --sh-exec "/bin/echo -en
> > > '\x00\x03sok\0.n\0\0\x33\x33\x33\x33\x33\x33\x33\x33'" &
> > >
> > > nmap localhost -p 31337 -sV --version-intensity 9
> > >
> > > Yours,
> > > Jacek Wielemborek
> > Ah, sorry, forgot to include the output:
> >
> > Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-15 15:58 CEST
> > nmap: service_scan.cc:758: char* substvar(char*, char**, const u8*, 
> > int, int*,
> > int): Assertion `offstart >= 0 && offstart < subjectlen' failed.
> > zsh: abort      nmap localhost -p 31337 -sV --version-intensity 9
>
> It looks like this crash happens when the service match line specifies 
> a group that can be a 0-length string, then that group gets 
> substituted into one of the match templates. Here's a trivial example:
>
> match blah m|.*(a*)| p/>$1</
>
> This line will match any number of "a"s at the end of a service 
> response and put them in the product name. If you place this line in 
> nmap-service-probes at the head of the TCP NULL probe, then it will 
> crash with the same error when scanning any service that doesn't 
> contain at least 1 "a" character.
>
> I don't have a fix at the moment, but this should be a good starting 
> point for someone to dig into the problem: How can we perform a 
> substitution of an empty string? The alternative would be to ensure 
> that no match line specifies a grouping that can match the empty 
> string, but that's a lot of work and does not prevent the error from 
> happening again in the future.
>
> Dan
Clarification: This only happens when the 0-length match is at the end 
of the match line. So given a service that says "blah" and hangs up, 
this will trigger:

match blah m|blah(.*)| p/$1/

But this will not:

match blah m|(.*)blah| p/$1/

As far as I can tell, these are the only 2 patterns affected:

match domain 
m|^\0\x06\x05\0\0\x01\0\x01\0\0\0\0\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x01X\x02\0\0\0..Microsoft 
DNS (.*)|s p/Microsoft DNS/ v/$1/ o/Windows/ cpe:/o:microsoft:windows/a
match erlang-node m|^\0[^\x03]s(.*)|s p/Erlang Distribution Node/ 
i/Status: $1/

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/