Vulnerability Development mailing list archives

Re: Remote exploitation of network scanners?


From: Fyodor <fyodor () INSECURE ORG>
Date: Sat, 26 Aug 2000 17:12:24 -0700

On Sat, 26 Aug 2000, Marshall Beddoe wrote:

> Uhm, actually, there has been a remote exploit demonstrated against nmap.
> It was written by typo of team teso.
> http://inferno.tusculum.edu/~typo/banfuq.c

Neat.  But this is *NOT* an exploit against Nmap.  It exploits the version
detection facility of "Nmap+V", a third party patch written & maintained
by others.  One of the reasons I did not accept the "+V" patch into Nmap
is that I had no time to do a security audit against all the new code.

Thus, nobody who downloaded a real Nmap release (e.g. from
http://www.insecure.org/nmap/ ) is vulnerable.  If you decide to download
3rd party derivative programs, then you must be responsible for the
security implications of doing so.  Obviously I cannot control or
guarantee the security of programs/modifications other people write and
distribute on their own site.  However, I do scrutinize the security
of patches before I incorporate them into the Nmap tree.

Thanks for the pointer though -- I will pass it on to the maintainers of
"Nmap+V" (in case they haven't already seen it).

Also, the service detection offered by "Nmap+V" *IS* useful.  The idea is
to send various probes to open ports to determine what service is REALLY
listening on them.  Currently Nmap just prints the name of services which
are assigned to (or frequently use) the port.  But one of the most
frequent usages of Nmap is security auditing where it is critically
important that people not miss vulnerabilities just because
someone was running their server on a non-default port.

Thus we (on the Nmap development list) are currently working on
determining the best way to (securely) add this functionality to Nmap.
We are currently working on the grammar for the probe/detection
configuration file.  If you are interested in contributing to this effort,
you can subscribe via blank email to nmap-dev-subscribe () insecure org .
Archives and info about the list are available at
http://lists.insecure.org/#nmap-dev .

Cheers,
Fyodor

--
Fyodor                            'finger pgp () pgp insecure org | pgp -fka'
Frustrated by firewalls?          Try nmap: http://www.insecure.org/nmap/
"The percentage of users running Windows NT Workstation 4.0 whose PCs
 stopped working more than once a month was less than half that of Windows
 95 users."-- microsoft.com/ntworkstation/overview/Reliability/Highest.asp

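The service-detection idea described in the message above (send probes to an open port, match what comes back against known service signatures) is sketched here as an added example; it is not Nmap, Nmap+V or Fyodor's code, and the probe table, regexes and the local test services are all constructed for the demo. The point a defender wants from it is that the scanner treats every byte a service returns as untrusted input: reads are capped at a fixed size and bounded by a timeout before any matching happens, so a service that answers with garbage or with far more data than expected simply comes back as "unknown".

```python
import re
import socket
import threading

# Constructed probe table, standing in for the probe/match configuration
# file discussed in the message: each entry is (probe name, bytes to send,
# list of (service, regex) pairs tried against whatever comes back).
PROBES = [
    ("NULL", b"", [                       # send nothing, read the greeting
        ("ssh", rb"^SSH-(\d\.\d)-"),
        ("smtp", rb"^220 .*SMTP"),
    ]),
    ("GetRequest", b"GET / HTTP/1.0\r\n\r\n", [
        ("http", rb"^HTTP/1\.[01] (\d{3})"),
    ]),
]

MAX_BANNER = 4096   # hard ceiling on bytes accepted from any service
TIMEOUT = 1.0       # seconds to wait on a service that stays silent


def read_bounded(sock, limit=MAX_BANNER):
    """Read at most `limit` bytes from sock; stop early on EOF or silence."""
    chunks, total = [], 0
    sock.settimeout(TIMEOUT)
    while total < limit:
        try:
            data = sock.recv(min(1024, limit - total))
        except socket.timeout:
            break
        if not data:
            break
        chunks.append(data)
        total += len(data)
    return b"".join(chunks)


def match_banner(banner, matches):
    """Try each (service, regex) on a banner; return (service, info) or None.
    `info` is the first capture group (e.g. a protocol version), if any."""
    for service, pattern in matches:
        m = re.search(pattern, banner)
        if m:
            info = m.group(1).decode("ascii", "replace") if m.groups() else None
            return service, info
    return None


def identify_service(host, port):
    """Send each probe on a fresh connection and match the bounded reply."""
    seen = 0
    for name, payload, matches in PROBES:
        try:
            with socket.create_connection((host, port), timeout=TIMEOUT) as s:
                if payload:
                    s.sendall(payload)
                banner = read_bounded(s)
        except OSError:
            continue
        seen = max(seen, len(banner))
        hit = match_banner(banner, matches)
        if hit:
            return {"service": hit[0], "info": hit[1],
                    "probe": name, "banner_bytes": len(banner)}
    return {"service": "unknown", "info": None, "probe": None,
            "banner_bytes": seen}


def fake_service(greeting=b"", reply=b""):
    """Constructed local service for the demo: sends `greeting` on connect,
    then answers the first thing the client sends with `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.settimeout(TIMEOUT)
                    if greeting:
                        conn.sendall(greeting)
                    if reply and conn.recv(1024):
                        conn.sendall(reply)
                except OSError:
                    pass   # client went away; nothing to do

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    demos = {
        "ssh-like":   fake_service(greeting=b"SSH-2.0-OpenSSH_constructed\r\n"),
        "http-like":  fake_service(reply=b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n"),
        "oversized":  fake_service(greeting=b"A" * 1_000_000),  # never matches
    }
    for label, port in demos.items():
        print(label, identify_service("127.0.0.1", port))
```

Run as a script to see the three local services identified (the oversized one is reported as unknown after reading exactly MAX_BANNER bytes). The cap and timeout live in read_bounded, ahead of the regex layer, so the matching code never sees more than MAX_BANNER bytes no matter what the remote end sends; that ordering is the property a probe-based scanner has to preserve as its signature table grows.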
