Re: nmap crash (ssh-publickey-acceptance)

[Daniel Miller <bonsaiviking () gmail com>]

Darren,

Good news and bad news. The good: I found why publickey checking wasn't
working; the helper function wasn't written to return the result of the
libssh2 call, so the result was always 'nil', which is false. So that's
cleared up in r37074, with a couple other fixes in subsequent revisions.

The bad: the results you provided don't really narrow down the problem to a
reasonable search space. I have some ideas for doing so, though.

1. Try the crashing command, but with -n to disable reverse-DNS, which also
uses Nsock.

2. Try the crashing command, but instead of -sV do --script
"version,ssh-publickey-acceptance"

3. Try the crashing command, but add script-intensity=0 to your
--script-args options.

Let me know which of these crashes and which does not.

Dan

On Fri, Nov 3, 2017 at 3:58 AM, Darren Martyn <darren () 0x27 me> wrote:

> 1. Output of nmap --version
> Nmap version 7.60SVN ( https://nmap.org )
> Platform: x86_64-unknown-linux-gnu
> Compiled with: nmap-liblua-5.3.3 openssl-1.0.2k nmap-libssh2-1.8.0
> libz-1.2.8 libpcre-8.39 libpcap-1.8.1 nmap-libdnet-1.12 ipv6
> Compiled without:
> Available nsock engines: epoll poll select
>
> SVN Revision: 37073
>
> 2. If I drop "-sV" the error does not occur. However, the SSH publickey
> acceptance script returns "No public keys accepted".
>
> 3. If I only use "-sV" the error does not occur.
>
> 4. If I remove the script arguments, the error does not occur - the script
> tries with a hardcoded? key (that I didn't spot in the source code of the
> script but may have missed something).
> NSE: [ssh-publickey-acceptance M:55f6c25199f8 178.62.189.79:22] Checking
> key: AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/
> OB13hjPqrskogkYFrcW8OK4VJT+5+Fx7wd4sQCnVn8rNqahw/x6sfcOMDI/
> Xvn4yKU4t8TnYf2MpUVr4ndz39L5Ds1n7Si1m2suUNxWbKv58I8+
> NMhlt2ITraSuTU0NGymWOc8+LNi+MHXdLk= for user root
>
> This is the first key in "publickeydb" in nselib/data/publickeydb
>
> Interestingly, this bug may be related to: http://seclists.org/nmap-
> dev/2017/q3/162 - I triggered it while trying to replicate this issue.
> For what its worth, while original reporter was on OSX, I'm using Debian 9.
>
> Regards,
> Darren
>
>
> On Fri, Nov 3, 2017 at 3:34 AM, Daniel Miller <bonsaiviking () gmail com>
> wrote:
>
> > Thanks for reporting this! It seems to be a double-free occuring during
> > NSE garbage collection/shutdown, specifically in the nsock_pool_delete
> > function. I can't readily see how this could be happening, so can you give
> > a little more info?
> >
> > 1. output of nmap --version
> >
> > 2. Does the error occur if you do not use -sV?
> >
> > 3. Does the error occur if you only use -sV (i.e. not --script
> > ssh-publickey-acceptance)
> >
> > 4. If the previous 2 tests show that ssh-publickey-acceptance is required
> > to trigger the bug, does it crash if you do not use the --script-args you
> > provided?
> >
> > Thanks for your help.
> >
> > Dan
> >
> > On Thu, Nov 2, 2017 at 3:41 PM, Darren Martyn <darren () 0x27 me> wrote:
> >
> > > Attached is a log with loads of debug info. Got partially through
> > > redacting hostnames, then stopped bothering because its a publicly routable
> > > host I own anyway.
> > >
> > > _______________________________________________
> > > Sent through the dev mailing list
> > > https://nmap.org/mailman/listinfo/dev
> > > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/