Nmap Development mailing list archives
Re: crash its not work hiks hikss...
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 14 Apr 2014 09:41:50 -0500
Here is a quick patch to solve this issue within Zenmap by overriding the default EntityResolver. I'm a little afraid that this may be introducing an XML External Entity (XXE) processing vulnerability (https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing), but in general, I wouldn't recommend parsing scans from unknown sources anyway.

On 04/14/2014 07:17 AM, Daniel Miller wrote:
> On Sun, Apr 13, 2014 at 2:41 PM, Rachmat Gumilar <0906098 () sttgarut ac id> wrote:
>> Version: 6.45
>>
>> Traceback (most recent call last):
>>   File "zenmapGUI\ScanInterface.pyo", line 597, in verify_execution
>>   File "zenmapGUI\ScanInterface.pyo", line 613, in load_from_command
>>   File "zenmapCore\NmapParser.pyo", line 799, in parse_file
>>   File "zenmapCore\NmapParser.pyo", line 793, in parse
>>   File "xml\sax\expatreader.pyo", line 107, in parse
>>   File "xml\sax\xmlreader.pyo", line 123, in parse
>>   File "xml\sax\expatreader.pyo", line 207, in feed
>>   File "xml\sax\expatreader.pyo", line 381, in external_entity_ref
>>   File "xml\sax\saxutils.pyo", line 304, in prepare_input_source
>>   File "urllib.pyo", line 86, in urlopen
>>   File "urllib.pyo", line 207, in open
>>   File "urllib.pyo", line 436, in open_https
>>   File "httplib.pyo", line 954, in endheaders
>>   File "httplib.pyo", line 814, in _send_output
>>   File "httplib.pyo", line 776, in send
>>   File "httplib.pyo", line 1157, in connect
>>   File "socket.pyo", line 571, in create_connection
>> IOError: [Errno socket error] [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
>> _______________________________________________
>> Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev
>> Archived at http://seclists.org/nmap-dev/
>
> This is a result of my adding a DOCTYPE definition to Nmap's XML output. Apparently, Python's XML parser fetches the DTD every time it parses an XML file.
>
> This patch will disable the DOCTYPE definition as a temporary fix, but a better long-term fix would be altering Zenmap to use a custom EntityResolver that either returns an in-memory DTD or resolves it to the installed nmap.dtd.
>
> diff --git a/nmap.cc b/nmap.cc index febcca9..66b3eeb 100644 --- a/nmap.cc +++ b/nmap.cc @@ -1669,7 +1669,13 @@ int nmap_main(int argc, char *argv[]) { chomp(mytime); char *xslfname = o.XSLStyleSheet(); xml_start_document(); + /* This is causing problems with some XML parsers, especially Python's+ * xml.sax used in Zenmap, because they automatically fetch the DTD every+ * time they parse. Reference bug report for Python xml.sax: + * http://bugs.python.org/issue17318 + *log_write(LOG_XML, "<!DOCTYPE nmaprun PUBLIC \"-//IDN nmap.org//DTD <http://nmap.org//DTD> Nmap XML %s//EN\" \"https://svn.nmap.org/nmap/docs/nmap.dtd\ <https://svn.nmap.org/nmap/docs/nmap.dtd%5C>">\n", NMAP_XMLOUTP+ */ if (xslfname) { xml_open_pi("xml-stylesheet"); xml_attribute("href", "%s", xslfname);
>
> Dan
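Review bot: the DOCTYPE is commented out rather than removed, and the hunk as reproduced here cannot be applied as-is: the `+` markers are glued to the preceding words, the log_write line is truncated at `NMAP_XMLOUTP`, and the mail client has inserted bracketed copies of the two URLs into the string. Since disabling the DOCTYPE changes Nmap's XML output for every consumer, not just Zenmap, the comment should say that it is disabled temporarily pending the Zenmap EntityResolver change described in the text, so the line is restored once that lands rather than forgotten; the Python bug reference (issue17318) is worth keeping for that reason.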
diff --git a/zenmap/zenmapCore/NmapParser.py b/zenmap/zenmapCore/NmapParser.py index 1f818ad..bfc9134 100644 --- a/zenmap/zenmapCore/NmapParser.py +++ b/zenmap/zenmapCore/NmapParser.py @@ -139,6 +139,7 @@ import zenmapCore.I18N from zenmapCore.UmitLogging import log from zenmapCore.NmapOptions import NmapOptions, split_quoted, join_quoted from zenmapCore.StringPool import unique +from zenmapCore.Paths import NMAPDATADIR# The version of the Nmap DTD this file understands and emits.
XML_OUTPUT_VERSION = "1.04" @@ -1348,12 +1349,20 @@ class NmapParserSAX(ParserBasics, ContentHandler): def is_unsaved(self): return self.unsaved+from xml.sax.handler import EntityResolver
+class OverrideEntityResolver(EntityResolver): + """This class overrides the default behavior of xml.sax to download remote + DTDs, instead resolving them to the installed Zenmap directory.""" + def resolveEntity(self, publicId, systemId): + resource = systemId.replace("https://svn.nmap.org/nmap/", "") + return os.path.join(NMAPDATADIR, *os.path.split(resource))def nmap_parser_sax():
parser = make_parser() nmap_parser = NmapParserSAX()parser.setContentHandler(nmap_parser)
+ parser.setEntityResolver(OverrideEntityResolver()) nmap_parser.set_parser(parser)return nmap_parser
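Review bot: resolveEntity in OverrideEntityResolver trusts whatever systemId the document supplies. It strips only the literal prefix `https://svn.nmap.org/nmap/`; any other id goes through `os.path.split` into `os.path.join(NMAPDATADIR, ...)` unchanged, and since os.path.join discards earlier components when a later one is absolute, a DOCTYPE whose system id is an absolute path (or contains `..`) resolves outside NMAPDATADIR, while an `http://` id is returned as-is and xml.sax still fetches it. That is the XXE worry stated above, and it is avoidable: compare against the full expected id (`systemId == "https://svn.nmap.org/nmap/docs/nmap.dtd"`) and for anything else return an `InputSource` whose byte stream is `StringIO("")`, so unknown external entities get an empty in-memory source rather than a file or URL. If Zenmap does not actually use the DTD, `parser.setFeature(feature_external_ges, False)` in `nmap_parser_sax` is simpler still and stops xml.sax fetching the external subset at all. Two smaller points: the resolved path keeps the `docs/` component from the URL, so the patch assumes `docs/nmap.dtd` exists under NMAPDATADIR in an installed Zenmap, which should be checked against the install layout; and `from xml.sax.handler import EntityResolver` is placed after `is_unsaved` instead of with the imports next to `from zenmapCore.Paths import NMAPDATADIR` (the `os` module the class uses is not imported in the hunk either, so it is presumably already there).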
Dan
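Added example (not code from this thread or from Zenmap): a resolver that does what the message proposes but serves the DTD only for the exact Nmap system id and gives every other external id an empty in-memory source, next to the xml.sax feature flag that skips external entity fetching altogether. The DTD bytes, the sample scans and the names StrictNmapResolver, HostCounter and parse_nmap_xml are constructed for this example.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

NMAP_DTD_URL = "https://svn.nmap.org/nmap/docs/nmap.dtd"  # system id in Nmap's DOCTYPE
# Constructed stand-in for the installed nmap.dtd (the real file is far larger).
LOCAL_DTD = b"<!ELEMENT nmaprun ANY>\n<!ELEMENT host ANY>\n"

class StrictNmapResolver(EntityResolver):
    """Serve the Nmap DTD from memory and hand every other external id an
    empty source, so xml.sax never opens a URL or file named by the document."""
    def __init__(self, dtd_bytes):
        self.dtd_bytes = dtd_bytes
        self.requested = []  # external ids the document asked for, for auditing

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = InputSource()
        body = self.dtd_bytes if systemId == NMAP_DTD_URL else b""
        src.setByteStream(io.BytesIO(body))
        return src

class HostCounter(ContentHandler):
    def __init__(self):
        self.hosts = 0

    def startElement(self, name, attrs):
        if name == "host":
            self.hosts += 1

def parse_nmap_xml(data, resolve_dtd):
    """Return (host count, external ids requested); resolve_dtd=False skips the DTD entirely."""
    parser = xml.sax.make_parser()
    handler, resolver = HostCounter(), StrictNmapResolver(LOCAL_DTD)
    parser.setContentHandler(handler)
    parser.setEntityResolver(resolver)
    parser.setFeature(feature_external_ges, resolve_dtd)  # explicit; default varies by version
    parser.parse(io.BytesIO(data))
    return handler.hosts, resolver.requested

# Constructed sample scans: one carrying the DOCTYPE Nmap 6.45 emits, one whose
# DOCTYPE points somewhere else (the case the resolver must refuse).
NMAP_SCAN = (b'<?xml version="1.0"?>\n<!DOCTYPE nmaprun PUBLIC "-//IDN nmap.org//DTD '
             b'Nmap XML 1.04//EN" "' + NMAP_DTD_URL.encode() + b'">\n'
             b'<nmaprun scanner="nmap" version="6.45"><host><address addr="192.0.2.10"/>'
             b'</host><host><address addr="192.0.2.11"/></host></nmaprun>\n')
FOREIGN_SCAN = (b'<?xml version="1.0"?>\n<!DOCTYPE nmaprun SYSTEM '
                b'"file:///placeholder/untrusted.dtd">\n<nmaprun><host/></nmaprun>\n')
```

parse_nmap_xml(NMAP_SCAN, True) returns (2, [NMAP_DTD_URL]); the foreign DOCTYPE is recorded but served nothing, and with resolve_dtd=False the resolver is never consulted.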