Nmap Announce mailing list archives

Re: nmap..... via web


From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Fri, 19 Feb 1999 12:13:31 -0800

On Fri, 19 Feb 1999, Fyodor wrote:
> On Thu, 18 Feb 1999, ajax wrote:
>
> > anyway, www.mobis.com/ajax/code/nmap/webmap.cgi is my seven minute
> > rendering of what i think it should look like, complete with sanity
> > checking of the user input variable,
>
> You mean this sanity checking?
>
>    # sanity check
>    if ($query->param('ip_address') =~ /[~`\#\$\!\%\^\&\*()\|\[\]\{\}\:\;\?]/ )
>    { print "<H1><tt>Sorry, Try again. </H1>";
>      exit;
>    }


# sanity check: accept only one or more digits and dots (a whitelist of what
# an IP address may contain, instead of a blacklist of shell metacharacters);
# the '+' is required, without it the pattern matches only a single character
if ($query->param('ip_address') !~ /^[0-9\.]+$/) {
  print "<H1><tt>Sorry, Try again. </tt></H1>";
  exit;
}

or this if you also allow DNS lookups and want to be permissive of a
little bit of whitespace:

# sanity check: hostname or IP characters only, with optional leading and
# trailing whitespace; again '+' so that more than one character is accepted
if ($query->param('ip_address') !~ /^\s*[0-9a-zA-Z\.\-]+\s*$/) {
  print "<H1><tt>Sorry, Try again. </tt></H1>";
  exit;
}

allow things which you know you trust through, don't try to guess and list
all the bad things.  don't try to be overly flexible (e.g. don't allow
whitespace in the middle of the address).

also you probably should hack nmap so that it runs suid root and drops
privs immediately after opening up a raw socket and a pcap file
descriptor.  in any application like this you have to assume that someone
will scan their own machine which they have hacked so that it returns
packets in response to nmap queries which will overflow nmap buffers and
give you root if that code is running as root.  nmap wasn't designed to be
run privileged, and hasn't been audited, you should assume that if you let
nmap be run by users that don't otherwise have root on your machine that
there are exploitable holes in nmap that will let them gain root on your
machine.  so, i suggest hacking nmap so that it drops privs, and also
having it drop to uid nobody running in a chroot() environment.

since so many people seem to be trying to use nmap for these kinds of
things maybe nmap needs these patches in the development tree...

-- 
Lamont Granquist                       lamontg () raven genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
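
The "open the raw socket as root, then drop privs into a chroot" pattern described in the post, as an added example in C that is not nmap's code or the poster's: the socket is opened while still root, then the process is confined to a jail and switched to an unprivileged account for good. The jail directory `/var/empty` and the account name `nobody` are assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open the raw socket while still root; returns -1 (errno set) otherwise. */
int open_raw_socket(void) {
    return socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
}

/* Confine the process to `jail` (NULL = skip chroot) and drop to uid/gid
 * permanently. Order matters: chroot needs root so it comes first, the gid
 * must go before the uid, and supplementary groups are cleared explicitly
 * because setuid()/setgid() do not touch them. Returns 0 on success. */
int drop_privs(const char *jail, uid_t uid, gid_t gid) {
    int was_root = (geteuid() == 0);
    if (jail != NULL && (chroot(jail) != 0 || chdir("/") != 0))
        return -1;
    if (was_root && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* After a real drop, getting root back must fail; treat success as error. */
    if (was_root && uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void) {
    int fd = open_raw_socket();   /* the fd stays usable after the drop */
    if (fd < 0)
        perror("socket (needs root)");
    struct passwd *pw = getpwnam("nobody");
    /* "/var/empty" is an assumed, deliberately empty jail directory. */
    if (pw == NULL || drop_privs("/var/empty", pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privs");
        return 1;
    }
    printf("raw socket fd=%d, now euid=%d egid=%d\n",
           fd, (int)geteuid(), (int)getegid());
    return 0;
}
```

Run as root the program ends up as `nobody` inside the jail with the raw socket still open; run unprivileged the socket call fails but the drop itself is a no-op that succeeds.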