Nmap Development mailing list archives

Re: [nmap-svn] r36293 - nmap


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 19 Sep 2016 11:40:49 -0500

David,

This is more complicated than I thought. We want to support all the named
protocols, but some of those start with capital letters and others start
with digits (3com-tsmux, 914c-g, etc.). Even worse, some start with digits
followed by hyphen (802-11-iapp, 4-tieropmgw, and 4-tieropmcli).

Here's a selection of services that currently are not handled properly:

914c-g  211/tcp 0.000427        # 914c/g | Texas Instruments 914C/G Terminal
IIS     1027/tcp        0.006724        # 6a44 | IPv6 Behind NAT44 CPEs
4-tieropmgw     2933/tcp        0.000000        # 4-TIER OPM GW
802-11-iapp     3517/tcp        0.000228        # IEEE 802.11 WLANs WG IAPP
3exmp   5221/tcp        0.000228        # 3eTI Extensible Management Protocol for OAMP
X11:1   6001/tcp        0.011730        # X Window server
SunVTS-RMI      6483/tcp        0.000000        # SunVTS RMI
Trinoo_Bcast    27444/udp       0.001554        # Trinoo distributed attack tool Master

I think these cover most of the odd cases. I thought maybe we could
unconditionally attempt a strtol and then check the next character to
determine if it should be treated as a port number or as part of a name,
but that does not account for 802-11-iapp. Maybe instead do a last-ditch
effort to look up a service if the parsing failed?

Dan
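Dan's last-ditch idea, parsing the numeric forms first and falling back to a service-name lookup only when the token is not a complete numeric element, as an added C example that is not part of the message or of nmap's getpts. The services table is constructed from the entries listed above; everything else (names, limits) is the example's own.

```c
#include <ctype.h>
#include <string.h>

/* Constructed sample of nmap-services entries named in the message. */
struct svc { const char *name; int port; };
static const struct svc services[] = {
    {"discard", 9},        {"914c-g", 211},       {"IIS", 1027},
    {"4-tieropmgw", 2933}, {"802-11-iapp", 3517}, {"3exmp", 5221},
    {"X11:1", 6001},       {"SunVTS-RMI", 6483},
};

/* Run of decimal digits at p, or -1 if none; clamped so it cannot overflow. */
static long parse_num(const char *p, const char **endp)
{
    long v = -1;
    if (isdigit((unsigned char)*p))
        for (v = 0; isdigit((unsigned char)*p); p++)
            v = v > 65535 ? 65536 : v * 10 + (*p - '0');
    *endp = p;
    return v;
}

/* Resolve one comma-separated element: "N", "A-B", "-B" (from 1), "A-" (to
 * 65535), else a service name. Trying the numeric form first and requiring it
 * to consume the whole token is what rescues "802-11-iapp": a strtol-style
 * parser would read 802-11 and then trip over "-iapp". Returns 0 or -1. */
static int resolve_element(const char *tok, int *lo, int *hi)
{
    const char *end, *p;
    long a, b = -1;
    size_t i;

    if (*tok == '-') { a = 1; end = tok; }           /* open at the low end */
    else a = parse_num(tok, &end);
    if (a >= 0) {
        if (*end == '\0') b = a;                     /* single port */
        else if (*end == '-') {
            p = end + 1;
            if (*p == '\0') { b = 65535; end = p; }  /* open at the high end */
            else b = parse_num(p, &end);
        }
    }
    if (b >= 0 && *end == '\0' && a <= b && b <= 65535) { *lo = (int)a; *hi = (int)b; return 0; }
    /* Last-ditch lookup. Numeric forms win, so a service whose name is itself
     * a well-formed range (none in nmap-services) could never be reached. */
    for (i = 0; i < sizeof services / sizeof services[0]; i++)
        if (strcmp(tok, services[i].name) == 0) { *lo = *hi = services[i].port; return 0; }
    return -1;
}
```

Note that "Tdiscard" still fails here, matching the post-fix behaviour in the commit below, because neither branch recognises it.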

On Sun, Sep 18, 2016 at 3:42 PM, <commit-mailer () nmap org> wrote:

Author: david
Date: Sun Sep 18 13:42:56 2016
New Revision: 36293

Log:
Avoid eating 'T' 'U' 'S' 'P' not followed by ':' in getpts.

On reading 'T', 'U', 'S', or 'P', getpts_aux would unconditionally
consume the character before checking to see whether it was followed by
a ':'. You could insert 'T', 'U', 'S', or 'P' in several places and it
would just be ignored, which is different treatment than other letters
got.

Behavior before:
        nmap -p 9
        # scans port 9

        nmap -p discard
        # scans port 9

        nmap -p Tdiscard
        # scans port 9

        nmap -p T:Tdiscard
        # scans port 9

        nmap -p Tdi*ard
        # scans port 9

        nmap -p Xdiscard
        # Error #485: Your port specifications are illegal.  Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"

Behavior after:
        nmap -p 9
        # scans port 9

        nmap -p discard
        # scans port 9

        nmap -p Tdiscard
        # Error #485: Your port specifications are illegal.  Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"

        nmap -p T:Tdiscard
        # Error #485: Your port specifications are illegal.  Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"

        nmap -p Tdi*ard
        # Error #485: Your port specifications are illegal.  Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"

        nmap -p Xdiscard
        # Error #485: Your port specifications are illegal.  Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"

Modified:
   nmap/CHANGELOG
   nmap/nmap.cc

Modified: nmap/CHANGELOG
==============================================================================
--- nmap/CHANGELOG      (original)
+++ nmap/CHANGELOG      Sun Sep 18 13:42:56 2016
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o Fixed a bug in port specification parsing that could cause extraneous
+  'T', 'U', 'S', and 'P' characters to be ignored when they should have
+  caused an error. [David Fifield]
+
 o [GH#543] Restored compatibility with LibreSSL, which was lost in adding
   library version checks for OpenSSL 1.1. [Wonko7]


Modified: nmap/nmap.cc
==============================================================================
--- nmap/nmap.cc        (original)
+++ nmap/nmap.cc        Sun Sep 18 13:42:56 2016
@@ -1569,7 +1569,7 @@
   }

   // Uncomment the following line to use the common lisp port spec test
suite
-  //printf("port spec: (%d %d %d %d)\n", ports.tcp_count,
ports.udp_count, ports.sctp_count, ports.prot_count); exit(0);
+  printf("port spec: (%d %d %d %d)\n", ports.tcp_count, ports.udp_count,
ports.sctp_count, ports.prot_count); exit(0);

 #ifdef WIN32
   if (o.sendpref & PACKET_SEND_IP) {
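Review bot: the `+  printf("port spec: (%d %d %d %d)\n", ...); exit(0);` line in this hunk uncomments the debug statement that the comment directly above it says to enable only for the common lisp port spec test suite, and it keeps the `exit(0)`, so every nmap invocation would print the four counts and exit before doing anything else. This looks like local debugging that slipped into the commit; restore the `//printf(...)` form before it lands.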
@@ -2668,23 +2668,23 @@
       current_range++; /* I don't know why I should allow spaces here,
but I will */

     if (change_range_type) {
-      if (*current_range == 'T' && *++current_range == ':') {
-        current_range++;
+      if (*current_range == 'T' && *(current_range+1) == ':') {
+        current_range += 2;
         range_type = SCAN_TCP_PORT;
         continue;
       }
-      if (*current_range == 'U' && *++current_range == ':') {
-        current_range++;
+      if (*current_range == 'U' && *(current_range+1) == ':') {
+        current_range += 2;
         range_type = SCAN_UDP_PORT;
         continue;
       }
-      if (*current_range == 'S' && *++current_range == ':') {
-        current_range++;
+      if (*current_range == 'S' && *(current_range+1) == ':') {
+        current_range += 2;
         range_type = SCAN_SCTP_PORT;
         continue;
       }
-      if (*current_range == 'P' && *++current_range == ':') {
-        current_range++;
+      if (*current_range == 'P' && *(current_range+1) == ':') {
+        current_range += 2;
         range_type = SCAN_PROTOCOLS;
         continue;
       }
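Review bot: the fix is correct, and the root cause worth recording in a comment is the side effect inside the condition (`*++current_range == ':'`), which advanced the pointer even when the comparison failed; the new `*(current_range+1)` look-ahead is safe only because `&&` short-circuits when `*current_range` is not the letter, so it never reads past the terminator. The four branches now differ only in the letter and the `range_type` value, so a small table such as `{'T', SCAN_TCP_PORT}, {'U', SCAN_UDP_PORT}, ...` walked once would remove the copy-paste surface that let the original bug be written four times.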

_______________________________________________
Sent through the svn mailing list
https://nmap.org/mailman/listinfo/svn

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
