Nmap Development mailing list archives
Re: Malicious web server can make nmap consume all RAM memory.
From: Nick Marsh <grepnick () gmail com>
Date: Wed, 8 Apr 2015 10:14:15 -0500
I reported a similar issue with the NSE the other day. Daniel Miller sent the reply below.
http://seclists.org/nmap-dev/2015/q2/7

On Wed, Apr 8, 2015 at 6:06 AM, el draco <eldraco () gmail com> wrote:
Hi all. Last week I was playing with honeypots and I created a program called The Infinite Web Page (https://github.com/eldraco/theinfinitewebpage). The idea is to put up a honeypot that will deliver infinite data to any HTTP client connecting to it. It is working fine so far. This honeypot allows me to test several web browsers/clients to see how they handle this type of malicious action. It turned out that nmap NSE is kind of 'vulnerable' to this 'attack' and therefore downloads the web page forever, filling up the memory.

Nmap was run on Debian unstable, 32 bits.

Nmap version 6.47SVN ( http://nmap.org )
Platform: i686-pc-linux-gnu
Compiled with: nmap-liblua-5.2.3 openssl-1.0.1k libpcre-8.35 libpcap-1.6.2 nmap-libdnet-1.12 ipv6
Repository Root: https://svn.nmap.org
Repository UUID: e0a8ed71-7df4-0310-8962-fdc924857419
Revision: 34404

* First experiment

nmap -sS -sV -n -v -d -p 8800 localhost

This command proved *not* to be vulnerable. You can see the nmap output in nmap-experiment-1.txt and the screenshot from the infinite web page in nmap-experiment-1.png.

* Second experiment

nmap -sS -A -n -v -d -p 8800 localhost

Now nmap is using -A, and the NSE scripts get stuck in the honeypot. Maybe the NSE engine is vulnerable. The vulnerable HTTP requests were:

GET /flumemaster.jsp (flume-master-info)
GET /rs-status
GET /
GET /jobtracker.jsp
GET /master.jsp
OPTIONS /
GET /tasktracker.jsp
GET /browseDirectory.jsp
GET /status.jsp
GET /dfshealth.jsp
GET /robots.txt

These requests are done by some NSE scripts; they were connected for 2:09 minutes and downloaded 105MB each, which actually killed the machine running nmap because it filled its 4GB RAM in 2 minutes. I had to manually stop nmap in order to recover the machine. Other NSE scripts finished correctly after some time. You can see in the second screenshot that the duration was less than 1 second and the data transferred was very small.

You can see the complete nmap output in nmap-experiment-2.txt and the screenshot from the infinite web page in nmap-experiment-2.png. As you can see in the output, the ETC of nmap keeps increasing.

* Reproduce

To reproduce the problem just execute the infinite web page and then run nmap against your localhost (defaults to port 8800). Be careful with the memory consumption. (I couldn't reproduce it by specifying the scripts one by one, only with -A.)

I hope this helps to make nmap better!

cheers
Sebas
--
https://pgp.mit.edu/pks/lookup?op=get&search=0x9D9A358CA10F1601
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
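The failure mode reported above is an HTTP client that reads a response body with no size or time limit. The following is an added example, not code from this thread or from Nmap, of a client that caps both bytes and elapsed time, exercised against a constructed in-process server that streams a body forever as a stand-in for the honeypot; the server, the ephemeral port and the 64 KiB / 2 second defaults are all assumed values.

```python
import socket
import threading
import time

def _stream_forever(conn):
    # Constructed stand-in for the honeypot: valid headers, then body bytes forever.
    with conn:
        try:
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n")
            while True:
                conn.sendall(b"<p>never ending</p>\n" * 64)
        except OSError:
            pass  # client hung up, which is exactly what a bounded client should do

def start_infinite_server():
    # Listen on an ephemeral 127.0.0.1 port and return the port number.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_stream_forever, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def bounded_get(host, port, path="/", max_bytes=64 * 1024, timeout=2.0):
    # GET path; stop at max_bytes total or when timeout elapses. Returns (status, body, truncated).
    deadline = time.monotonic() + timeout
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    buf, truncated = bytearray(), False
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while len(buf) < max_bytes:
            s.settimeout(max(0.01, deadline - time.monotonic()))  # remaining time budget
            try:
                chunk = s.recv(min(4096, max_bytes - len(buf)))
            except socket.timeout:
                truncated = True  # time cap hit
                break
            if not chunk:
                break  # server closed normally
            buf += chunk
        else:
            truncated = True  # byte cap hit; socket closes when the with-block ends
    head, _, body = bytes(buf).partition(b"\r\n\r\n")
    return head.split(b"\r\n", 1)[0].decode(errors="replace"), bytes(body), truncated
```

Memory use stays at max_bytes regardless of what the server sends, and a truncated result can be logged as a signal that the target is misbehaving rather than parsed as if it were a complete page.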