Nmap Development mailing list archives

[NSE] rpcinfo breaks when encountering TCP protocol 0


From: Tom Sellers <nmap () fadedcode net>
Date: Sun, 10 Apr 2016 10:49:57 -0500

The following was opened as Github Issue 363 ( https://github.com/nmap/nmap/issues/363 ).  The formatting is likely better there.


The rpcinfo.nse script crashes when gathering information from certain IPv6 enabled installations even if the target is scanned via its IPv4 address. This is due to the script trying to process an unexpected protocol type: 0. IP protocol ID 0 is HOPOPT / IPv6 Hop-by-Hop Option. Information on this can be found at the links at the bottom of this Issue. The code that is crashing performs actions that can be skipped for protocol 0 so working around it for this script is trivial. My concern is that this needs to be reviewed to ensure broader changes are implemented if required.


Simplest command to reproduce

nmap -n -d --script=rpcinfo.nse -p 111 <target>


Error Message

NSE: rpcinfo M:434AE38 against 192.168.270.10:111 threw an error!
C:\Users\Test\Documents\nmap-7.12/scripts\rpcinfo.nse:97: port 'protocol' field must be "udp", "sctp" or "tcp"
stack traceback:
        [C]: in function 'get_port_state'
        C:\Users\Test\Documents\nmap-7.12/scripts\rpcinfo.nse:97: in function 
<C:\Users\Test\Documents\nmap-7.12/scripts\rpcinfo.nse:84>
        (...tail calls...)


The relevant code is line 97 in rpcinfo.nse:

96    for proto, v2 in pairs(v) do
97      local nmapport = nmap.get_port_state(host, {number=v2.port, protocol=proto})
98      if nmapport and (nmapport.state == "open" or nmapport.state == "open|filtered") then

Direct link: https://github.com/nmap/nmap/blob/0ac6e525237300792f12b74c35e75c171b5ce3ea/scripts/rpcinfo.nse#L96-L98



Here is an example of the variable v that the code is iterating over:

udp:
  version:
    1: 2
    2: 3
    3: 4
  port: 111
tcp:
  version:
    1: 2
    2: 3
    3: 4
  port: 111
0:
  version:
    1: 2
    2: 3
    3: 4
  port: 111


When nmap.get_port_state gets called with protocol 0 from variable 'v' above it triggers this section of code in nse_utility.cc:

196 protocol = strcmp(lua_tostring(L, -1), "tcp") == 0 ? IPPROTO_TCP :
197            strcmp(lua_tostring(L, -1), "udp") == 0 ? IPPROTO_UDP :
198            strcmp(lua_tostring(L, -1), "sctp") == 0 ? IPPROTO_SCTP :
199            luaL_error(L, "port 'protocol' field must be \"udp\", \"sctp\" or \"tcp\"");

Direct link: https://github.com/nmap/nmap/blob/0ac6e525237300792f12b74c35e75c171b5ce3ea/nse_utility.cc#L196-L199

This code is unable to account for a protocol name of '0' and so generates the error.

As I said at the start, it's trivial to work around this in rpcinfo.nse. My concern is that other sections of code may need to be adjusted as well.

Thoughts?

Tom



Reference:

IP Protocol number list
https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

Assigned Internet Protocol Numbers
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

IP Protocol 0, Hop by Hop Options
https://en.wikipedia.org/wiki/IPv6_packet#Hop-by-hop_options_and_destination_options

RFC 2460, Page 11, Section 4.3 - Hop-by-Hop Options Header
http://tools.ietf.org/html/rfc2460#page-11
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
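The failure described in the post, and one possible guard for it, as an added stand-alone Lua example (not code from the original message or from Nmap itself). The `nmap` table and `ACCEPTED` set below are assumed stand-ins that only mirror the strcmp chain in nse_utility.cc, not the real NSE API; the `v` table is a constructed copy of the one shown in the post, and the host address is a constructed documentation-range value.

```lua
-- Hypothetical stub of nmap.get_port_state: reproduces only the protocol
-- name check from nse_utility.cc (tcp/udp/sctp accepted, anything else is
-- a Lua error), then returns a constructed port table.
local nmap = {}
local ACCEPTED = { tcp = true, udp = true, sctp = true }

function nmap.get_port_state(host, port)
  if not ACCEPTED[port.protocol] then
    error("port 'protocol' field must be \"udp\", \"sctp\" or \"tcp\"")
  end
  return { number = port.number, protocol = port.protocol, state = "open" }
end

-- Constructed copy of variable v from the report: udp and tcp entries plus
-- a third entry keyed by IP protocol number 0 (HOPOPT).
local v = {
  udp = { version = { 2, 3, 4 }, port = 111 },
  tcp = { version = { 2, 3, 4 }, port = 111 },
  [0] = { version = { 2, 3, 4 }, port = 111 },
}

-- Loop as in rpcinfo.nse lines 96-98: every key, including 0, reaches
-- get_port_state, so the whole script dies on the unexpected key.
local function unguarded(host, v)
  local seen = {}
  for proto, v2 in pairs(v) do
    local nmapport = nmap.get_port_state(host, { number = v2.port, protocol = proto })
    if nmapport and (nmapport.state == "open" or nmapport.state == "open|filtered") then
      seen[#seen + 1] = tostring(proto)
    end
  end
  return seen
end

-- Guarded loop: only protocol names get_port_state understands are passed
-- on; anything else from the portmapper is recorded and skipped, so odd
-- data from a remote service cannot abort the script.
local function guarded(host, v)
  local seen, skipped = {}, {}
  for proto, v2 in pairs(v) do
    if ACCEPTED[proto] then
      local nmapport = nmap.get_port_state(host, { number = v2.port, protocol = proto })
      if nmapport and (nmapport.state == "open" or nmapport.state == "open|filtered") then
        seen[#seen + 1] = proto
      end
    else
      skipped[#skipped + 1] = tostring(proto)
    end
  end
  return seen, skipped
end

local ok, err = pcall(unguarded, "192.0.2.10", v)
print("unguarded run ok?", ok, err)
local seen, skipped = guarded("192.0.2.10", v)
print("guarded: seen " .. #seen .. " protocols, skipped: " .. table.concat(skipped, ","))
```

Run with any Lua 5.x interpreter; the unguarded call fails with the same message as the stack trace in the post, while the guarded call processes udp and tcp and reports protocol 0 as skipped.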

