Re: Malicious web server can make nmap consume all RAM memory.

[Nick Marsh <grepnick () gmail com>]

I reported a similar issue with the NSE the other day. Daniel Miller sent
the reply below.

http://seclists.org/nmap-dev/2015/q2/7

On Wed, Apr 8, 2015 at 6:06 AM, el draco <eldraco () gmail com> wrote:

> Hi all.
>
> Last week I was playing with honeypots and I crated a program called
> The Infinite Web Page (https://github.com/eldraco/theinfinitewebpage).
> The idea is to put a honeypot that will deliver infinite data to any
> http client connecting to it. It is working fine so far.
>
> This honeypot allow me to test several web browsers/clients to see how
> they handle this type of malicious actions. It turned out that nmap
> nse is kind of 'vulnerable' to this 'attack' and therefore downloads
> the web page forever, filling out the memory.
>
> Nmap was run in a debian unstable 32bits.
> Nmap version 6.47SVN ( http://nmap.org )
> Platform: i686-pc-linux-gnu
> Compiled with: nmap-liblua-5.2.3 openssl-1.0.1k libpcre-8.35
> libpcap-1.6.2 nmap-libdnet-1.12 ipv6
> Repository Root: https://svn.nmap.org
> Repository UUID: e0a8ed71-7df4-0310-8962-fdc924857419
> Revision: 34404
>
> * First experiment
> nmap -sS -sV -n -v -d -p 8800 localhost
>
> This command prove *not* to be vulnerable. You can see the nmap output
> in nmap-experiment-1.txt and the screenshot from the infinite web page
> in nmap-experiment-1.png
>
>
> * Second experiment
> nmap -sS -A -n -v -d -p 8800 localhost
>
> Now nmap is using -A, and the nse scripts get stuck in the honeypot.
> Maybe the nse engine is vulnerable. The vulnerable http requests were:
>
> GET /flumemaster.jsp (flume-master-info)
> GET /rs-status
> GET /
> GET /jobtracker.jsp
> GET /master.jsp
> OPTIONS /
> GET /tasktracker.jsp
> GET /browseDirectory.jsp
> GET /status.jsp
> GET /dfshealth.jsp
> GET /robots.txt
>
> These requests are done by some nse scripts, they were connected for
> 2:09 minutes and downloaded 105MB each. Which actually killed the
> machine running nmap because it filled its 4GB ram in 2 minutes. I had
> to manually stop nmap in order to recover the machine.
>
> Other nse scripts finished correctly after some time. You can see in
> the second screenshot that the duration was less than 1 second and the
> data transferred was very small.
>
> You can see the complete nmap output in nmap-experiment-2.txt and the
> screenshot from the infinite web page in nmap-experiment-2.png
>
> As you can see in the output, the ETC of nmap keeps increasing.
>
>
> * Reproduce
> To reproduce the problem just execute the infinite web page and then
> run nmap agains your localhost (defaults to port 8800). Be careful
> with the memory consumption.
>
> (I couldn't reproduce it by specifying the scripts one by one, only with
> -A)
>
>
> I hope this helps to make nmap better!
> cheers
> Sebas
>
>
> --
> https://pgp.mit.edu/pks/lookup?op=get&search=0x9D9A358CA10F1601
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/