Nmap Development mailing list archives
Re: nmap crash (ssh-publickey-acceptance)
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 3 Nov 2017 22:38:45 -0500
Darren,

Good news and bad news. The good: I found why publickey checking wasn't working; the helper function wasn't written to return the result of the libssh2 call, so the result was always 'nil', which is false. So that's cleared up in r37074, with a couple other fixes in subsequent revisions.

The bad: the results you provided don't really narrow down the problem to a reasonable search space. I have some ideas for doing so, though.

1. Try the crashing command, but with -n to disable reverse-DNS, which also uses Nsock.
2. Try the crashing command, but instead of -sV do --script "version,ssh-publickey-acceptance"
3. Try the crashing command, but add script-intensity=0 to your --script-args options.

Let me know which of these crashes and which does not.

Dan

On Fri, Nov 3, 2017 at 3:58 AM, Darren Martyn <darren () 0x27 me> wrote:
> 1. Output of nmap --version
>
> Nmap version 7.60SVN ( https://nmap.org )
> Platform: x86_64-unknown-linux-gnu
> Compiled with: nmap-liblua-5.3.3 openssl-1.0.2k nmap-libssh2-1.8.0 libz-1.2.8 libpcre-8.39 libpcap-1.8.1 nmap-libdnet-1.12 ipv6
> Compiled without:
> Available nsock engines: epoll poll select
> SVN Revision: 37073
>
> 2. If I drop "-sV" the error does not occur. However, the SSH publickey acceptance script returns "No public keys accepted".
>
> 3. If I only use "-sV" the error does not occur.
>
> 4. If I remove the script arguments, the error does not occur - the script tries with a hardcoded? key (that I didn't spot in the source code of the script but may have missed something).
>
> NSE: [ssh-publickey-acceptance M:55f6c25199f8 178.62.189.79:22] Checking key: AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/OB13hjPqrskogkYFrcW8OK4VJT+5+Fx7wd4sQCnVn8rNqahw/x6sfcOMDI/Xvn4yKU4t8TnYf2MpUVr4ndz39L5Ds1n7Si1m2suUNxWbKv58I8+NMhlt2ITraSuTU0NGymWOc8+LNi+MHXdLk= for user root
>
> This is the first key in "publickeydb" in nselib/data/publickeydb
>
> Interestingly, this bug may be related to: http://seclists.org/nmap-dev/2017/q3/162 - I triggered it while trying to replicate this issue.
>
> For what it's worth, while the original reporter was on OSX, I'm using Debian 9.
>
> Regards,
> Darren
>
> On Fri, Nov 3, 2017 at 3:34 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
>> Thanks for reporting this! It seems to be a double-free occurring during NSE garbage collection/shutdown, specifically in the nsock_pool_delete function. I can't readily see how this could be happening, so can you give a little more info?
>>
>> 1. output of nmap --version
>> 2. Does the error occur if you do not use -sV?
>> 3. Does the error occur if you only use -sV (i.e. not --script ssh-publickey-acceptance)
>> 4. If the previous 2 tests show that ssh-publickey-acceptance is required to trigger the bug, does it crash if you do not use the --script-args you provided?
>>
>> Thanks for your help.
>>
>> Dan
>>
>> On Thu, Nov 2, 2017 at 3:41 PM, Darren Martyn <darren () 0x27 me> wrote:
>>> Attached is a log with loads of debug info. Got partially through redacting hostnames, then stopped bothering because it's a publicly routable host I own anyway.
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
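Editor's added illustration (not Nmap's code) of the failure mode Dan describes above: an NSE-style helper that calls into libssh2 but never returns the result, so the caller only ever sees nil, which Lua treats as false, and every key in publickeydb looks rejected. The libssh2 binding is simulated by a local function and the keys are constructed placeholders.

```lua
-- Simulated libssh2 publickey check (stand-in for the native binding):
-- returns true only for the one constructed key the "server" would accept.
local ACCEPTED_KEY = "AAAA...constructed-accepted-key"

local function fake_libssh2_publickey_check(user, key)
  return user == "root" and key == ACCEPTED_KEY
end

-- Buggy helper, the pattern from the thread: the libssh2 call runs, but its
-- result is dropped, so this function always returns nil.
local function can_auth_buggy(user, key)
  fake_libssh2_publickey_check(user, key)
end

-- Fixed helper: propagate the libssh2 result to the caller.
local function can_auth_fixed(user, key)
  return fake_libssh2_publickey_check(user, key)
end

-- Constructed stand-in for nselib/data/publickeydb.
local publickeydb = {
  "AAAA...constructed-key-1",
  ACCEPTED_KEY,
  "AAAA...constructed-key-3",
}

-- Walk the key database the way the script does and collect accepted keys.
-- Both nil and false are falsy in Lua, so with the buggy helper no key is
-- ever recorded, producing the "No public keys accepted" result Darren saw.
local function check_all(helper)
  local accepted = {}
  for _, key in ipairs(publickeydb) do
    if helper("root", key) then
      accepted[#accepted + 1] = key
    end
  end
  return accepted
end

local buggy = check_all(can_auth_buggy)
local fixed = check_all(can_auth_fixed)
print(("buggy helper: %d key(s) accepted"):format(#buggy)) -- 0
print(("fixed helper: %d key(s) accepted"):format(#fixed)) -- 1
```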
Current thread:
- nmap crash (ssh-publickey-acceptance) Darren Martyn (Nov 02)
- Re: nmap crash (ssh-publickey-acceptance) Daniel Miller (Nov 02)
- Re: nmap crash (ssh-publickey-acceptance) Darren Martyn (Nov 05)
- Re: nmap crash (ssh-publickey-acceptance) Daniel Miller (Nov 03)
- Re: nmap crash (ssh-publickey-acceptance) Darren Martyn (Nov 05)
- Re: nmap crash (ssh-publickey-acceptance) Daniel Miller (Nov 02)