Nmap Development mailing list archives

Re: crash its not work hiks hikss...


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 14 Apr 2014 09:41:50 -0500

On 04/14/2014 07:17 AM, Daniel Miller wrote:
On Sun, Apr 13, 2014 at 2:41 PM, Rachmat Gumilar <0906098 () sttgarut ac id> wrote:

    Version: 6.45
    Traceback (most recent call last):
      File "zenmapGUI\ScanInterface.pyo", line 597, in verify_execution
      File "zenmapGUI\ScanInterface.pyo", line 613, in load_from_command
      File "zenmapCore\NmapParser.pyo", line 799, in parse_file
      File "zenmapCore\NmapParser.pyo", line 793, in parse
      File "xml\sax\expatreader.pyo", line 107, in parse
      File "xml\sax\xmlreader.pyo", line 123, in parse
      File "xml\sax\expatreader.pyo", line 207, in feed
      File "xml\sax\expatreader.pyo", line 381, in external_entity_ref
      File "xml\sax\saxutils.pyo", line 304, in prepare_input_source
      File "urllib.pyo", line 86, in urlopen
      File "urllib.pyo", line 207, in open
      File "urllib.pyo", line 436, in open_https
      File "httplib.pyo", line 954, in endheaders
      File "httplib.pyo", line 814, in _send_output
      File "httplib.pyo", line 776, in send
      File "httplib.pyo", line 1157, in connect
      File "socket.pyo", line 571, in create_connection
    IOError: [Errno socket error] [Errno 10060] A connection attempt failed
    because the connected party did not properly respond after a period of
    time, or established connection failed because connected host has
    failed to respond


This is a result of my adding a DOCTYPE definition to Nmap's XML output. Apparently, Python's XML parser fetches the DTD every time it parses an XML file. This patch will disable the DOCTYPE definition as a temporary fix, but a better long-term fix would be altering Zenmap to use a custom EntityResolver that either returns an in-memory DTD or resolves it to the installed nmap.dtd.

diff --git a/nmap.cc b/nmap.cc
index febcca9..66b3eeb 100644
--- a/nmap.cc
+++ b/nmap.cc
@@ -1669,7 +1669,13 @@ int nmap_main(int argc, char *argv[]) {
   chomp(mytime);
   char *xslfname = o.XSLStyleSheet();
   xml_start_document();
+  /* This is causing problems with some XML parsers, especially Python's
+ * xml.sax used in Zenmap, because they automatically fetch the DTD every
+   * time they parse. Reference bug report for Python xml.sax:
+   * http://bugs.python.org/issue17318
+   *
log_write(LOG_XML, "<!DOCTYPE nmaprun PUBLIC \"-//IDN nmap.org//DTD <http://nmap.org//DTD> Nmap XML %s//EN\" \"https://svn.nmap.org/nmap/docs/nmap.dtd\ <https://svn.nmap.org/nmap/docs/nmap.dtd%5C>">\n", NMAP_XMLOUTP
+  */
   if (xslfname) {
     xml_open_pi("xml-stylesheet");
     xml_attribute("href", "%s", xslfname);
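Review bot: the DOCTYPE line inside the new block comment has been mangled by the mail client, which inserted `<http://nmap.org//DTD>` and `\ <https://svn.nmap.org/nmap/docs/nmap.dtd%5C>` into the string literal and cut it off at `NMAP_XMLOUTP`, so this hunk will not apply as pasted; anyone picking it up should take the committed revision rather than the mail text. On the change itself, wrapping `log_write(LOG_XML, "<!DOCTYPE ...` in a C block comment strips the public identifier from every consumer's XML to work around one consumer's parser; since the comment already calls this temporary, an `#if 0`/`#endif` or a runtime switch would make the re-enable step obvious, and the Zenmap-side fix (resolving the DTD locally or not fetching the external subset at all) should land before this is reverted.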


Dan
Here is a quick patch to solve this issue within Zenmap by overriding the default EntityResolver. I'm a little afraid that this may be introducing an XML External Entity (XXE) processing vulnerability (https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing), but in general, I wouldn't recommend parsing scans from unknown sources anyway.

diff --git a/zenmap/zenmapCore/NmapParser.py b/zenmap/zenmapCore/NmapParser.py
index 1f818ad..bfc9134 100644
--- a/zenmap/zenmapCore/NmapParser.py
+++ b/zenmap/zenmapCore/NmapParser.py
@@ -139,6 +139,7 @@ import zenmapCore.I18N
 from zenmapCore.UmitLogging import log
 from zenmapCore.NmapOptions import NmapOptions, split_quoted, join_quoted
 from zenmapCore.StringPool import unique
+from zenmapCore.Paths import NMAPDATADIR
# The version of the Nmap DTD this file understands and emits.
 XML_OUTPUT_VERSION = "1.04"
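Review bot: `NMAPDATADIR` is imported here, but the resolver added in the next hunk also calls `os.path.join` and `os.path.split` and neither hunk adds `import os`; confirm that `os` is already imported at the top of NmapParser.py, otherwise `resolveEntity` raises NameError the first time a scan with a DOCTYPE is loaded, which is exactly the path this patch is meant to fix.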
@@ -1348,12 +1349,20 @@ class NmapParserSAX(ParserBasics, ContentHandler):
     def is_unsaved(self):
         return self.unsaved
+from xml.sax.handler import EntityResolver
+class OverrideEntityResolver(EntityResolver):
+    """This class overrides the default behavior of xml.sax to download remote
+    DTDs, instead resolving them to the installed Zenmap directory."""
+    def resolveEntity(self, publicId, systemId):
+        resource = systemId.replace("https://svn.nmap.org/nmap/";, "")
+        return os.path.join(NMAPDATADIR, *os.path.split(resource))
def nmap_parser_sax():
     parser = make_parser()
     nmap_parser = NmapParserSAX()
parser.setContentHandler(nmap_parser)
+    parser.setEntityResolver(OverrideEntityResolver())
     nmap_parser.set_parser(parser)
return nmap_parser
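Review bot: `resource = systemId.replace("https://svn.nmap.org/nmap/", "")` is a no-op for any other system identifier, so a scan file carrying `<!ENTITY x SYSTEM "http://attacker.example/...">` or a `file:` URL still has a path built from its own URL and handed back to xml.sax, whose `prepare_input_source` (visible in the traceback above) falls through to `urllib.urlopen` when that path is not an existing file; the replace therefore does not actually block the XXE case the message worries about. Compare `systemId` (or `publicId`) against the known Nmap DTD identifier and return an `InputSource` with an empty byte stream for everything else, and confirm that `nmap.dtd` is really installed at `NMAPDATADIR/docs/nmap.dtd`, since a missing file also ends in the same `urlopen` fallback. Alternatively, `parser.setFeature(xml.sax.handler.feature_external_ges, False)` in `nmap_parser_sax()` stops both the DTD fetch and external entity expansion without any resolver. The stray `;` after the string literal on the `resource = ...` line is presumably archive mangling; as written it is a Python syntax error.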

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
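An added example, not part of this thread or of Zenmap's code, of the longer-term fix described above: an EntityResolver that serves the Nmap DTD from memory (or from a local nmap.dtd path) and returns an empty entity for every other system identifier, so xml.sax never opens a URL or file named by the document. It also covers the XXE concern from the second message with a constructed hostile input. Written for Python 3; the DTD stub, the sample scan and the hostile document are constructed here, the system ID is the URL from the patch, and the public identifier version "1.04" is taken from XML_OUTPUT_VERSION on this page. Python 3.7.1 and later already disable external general entities by default, which by itself stops the DTD fetch seen in the traceback; the example switches the feature on deliberately so that the resolver is the gate being tested.

```python
"""Added example: xml.sax parsing of Nmap XML with no remote DTD fetch and no
document-named external entity ever opened (Python 3)."""
import io
import os
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# From Nmap's DOCTYPE: system ID as in the patch, public ID version from
# XML_OUTPUT_VERSION = "1.04" in NmapParser.py.
NMAP_DTD_PUBLIC_ID = "-//IDN nmap.org//DTD Nmap XML 1.04//EN"
NMAP_DTD_SYSTEM_ID = "https://svn.nmap.org/nmap/docs/nmap.dtd"

# Constructed stand-in for nmap.dtd (the real one is far larger), served from
# memory so satisfying the DOCTYPE needs neither network nor filesystem.
NMAP_DTD_STUB = b"""<!ELEMENT nmaprun (host*)>
<!ATTLIST nmaprun scanner CDATA #REQUIRED version CDATA #REQUIRED>
<!ELEMENT host (address)>
<!ELEMENT address EMPTY>
<!ATTLIST address addr CDATA #REQUIRED addrtype CDATA #REQUIRED>
"""

class LocalOnlyEntityResolver(EntityResolver):
    """Serve allow-listed system IDs from memory or a local file; refuse the rest.

    The stock EntityResolver returns the system ID string and xml.sax then calls
    urlopen() on it (the traceback quoted above). Unknown IDs get an InputSource
    with an empty byte stream here, so nothing the document names is opened.
    """

    def __init__(self, known):
        self.known = known      # {system_id: bytes (in memory) | str (local path)}
        self.requests = []      # (publicId, systemId, action), for auditing

    def resolveEntity(self, publicId, systemId):
        body = self.known.get(systemId)
        if isinstance(body, bytes):
            src = InputSource(systemId)
            src.setByteStream(io.BytesIO(body))
            action = "memory"
        elif isinstance(body, str) and os.path.isfile(body):
            src = InputSource(body)             # e.g. an installed nmap.dtd
            src.setByteStream(open(body, "rb"))
            action = "file"
        else:
            src = InputSource()                 # no system ID: nothing to fetch
            src.setByteStream(io.BytesIO(b""))  # the entity expands to nothing
            action = "refused"
        self.requests.append((publicId, systemId, action))
        return src

class AddressCollector(ContentHandler):
    """Minimal handler: records <address addr=...> values and character data."""

    def __init__(self):
        super().__init__()
        self.addresses = []
        self.text = []

    def startElement(self, name, attrs):
        if name == "address":
            self.addresses.append(attrs.get("addr"))

    def characters(self, content):
        self.text.append(content)

def parse_nmap_xml(data, resolver=None):
    """Parse Nmap XML bytes; return (addresses, concatenated text, resolver log)."""
    if resolver is None:
        resolver = LocalOnlyEntityResolver({NMAP_DTD_SYSTEM_ID: NMAP_DTD_STUB})
    handler = AddressCollector()
    parser = xml.sax.make_parser()
    # Python >= 3.7.1 turns external general entities off by default, which by
    # itself stops the DTD fetch. It is switched on here on purpose so the
    # resolver is exercised and is the only gate between document and network.
    parser.setFeature(feature_external_ges, True)
    parser.setEntityResolver(resolver)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.addresses, "".join(handler.text), resolver.requests

# Constructed sample scan: shape follows Nmap's output, values are made up.
SAMPLE_SCAN = b"""<?xml version="1.0"?>
<!DOCTYPE nmaprun PUBLIC "-//IDN nmap.org//DTD Nmap XML 1.04//EN" "https://svn.nmap.org/nmap/docs/nmap.dtd">
<nmaprun scanner="nmap" version="6.45">
<host><address addr="192.0.2.10" addrtype="ipv4"/></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed hostile input: the XXE pattern the second message worries about.
XXE_SCAN = b"""<?xml version="1.0"?>
<!DOCTYPE nmaprun [ <!ENTITY leak SYSTEM "file:///etc/hostname"> ]>
<nmaprun scanner="nmap" version="6.45">&leak;</nmaprun>
"""

if __name__ == "__main__":
    print(parse_nmap_xml(SAMPLE_SCAN))   # two hosts, DTD served from memory
    print(parse_nmap_xml(XXE_SCAN))      # no leaked text, file URL refused
```

The resolver log is the useful part for an operator: every entity the document tried to pull in is recorded with what was done about it, so a scan file that asks for anything other than the Nmap DTD stands out. To resolve against an installed copy instead of the stub, map the system ID to the file's path in the `known` dictionary; the resolver then opens that local file read-only and never consults the URL.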

