Nmap Development mailing list archives
[PATCH]+[NSE Script] DNS open recursion (CVE-1999-0024)
From: Felix Groebert <felix () groebert org>
Date: Fri, 18 Aug 2006 16:26:02 +0200
Hi,
I just finished an NSE script to test whether a nameserver resolves a query
recursively. I ran into some problems writing the NSE script, mainly due to my
lack of experience with Lua.
I patched NSE 4.20ALPHA4 with a patch from the lua-users mailing list
to support bitwise operations. I did not review the license (probably
same as lua) or the security of the patch[3].
The dns-test-open-recursion.lua script requires the patch. See [1] for
patches and downloads.
Some thoughts on NSE:
- Maybe I missed something in the lua docs, but the best way I
found to construct binary packets using hexadecimal values was
string.char(0x04, 0x05).
An API function which produces a binary string from a hexdump
like "AC 1D DE AD" might be handy.
Also API functions for debugging messages and bitwise operations
would be nice.
- The script-trace option needs support for unprintable
characters. I would suggest a mixed output like "ACID\xba\xbe\x01"
instead of a dual hex-ascii output seen in hexdump.
- A references lua table for CVE, BID, YATID, OSVDBID might be
good. Full bug descriptions, like in nasl files, are redundant
information for most nmap hackers (;
- Filename naming guidelines
- NSE is a very cool feature, I really like it <:
Some questions:
- Is it possible to generate lua from perl or python?
Although this would not help with socket operations, it might
help some developers get started with Lua and string operations.
- I am currently hacking fpdns.pl[2] to output its database and a NSE
script using the database
"fpdns.pl is a program that remotely determines DNS server
versions. It does this by sending a series of borderline DNS
queries which are compared against a table of responses and
server versions."
I must admit that I am not quite sure if this is wanted. On the one
hand -sV supports Nameserver version detection, but on the other the
fpdns detection is also very good. Unix tradition shows that many
good tools do a good job. I also do not want nmap to `eat` the
fpdns project or NSE to `eat` the nmap service detection.
Any advice?
[1]
http://groebert.org/felix/pub/nmap/nmap-4.20ALPHA4-NSE-bitops.patch
http://groebert.org/felix/pub/nmap/dns-test-open-recursion.lua
http://groebert.org/felix/pub/nmap/
[2] http://www.rfc.se/fpdns/
[3]
http://lua-users.org/lists/lua-l/2006-06/msg00350.html
http://lua-users.org/lists/lua-l/2006-06/gzvGlPinly6j.gz
Cheers,
--
Felix Groebert <> groebert.org/felix <> GPG key: 6556DA11
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
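The open-recursion test the post describes, as an added stand-alone example: this is not the dns-test-open-recursion.lua script from the post, nor Nmap code, but a Python version of the same check for auditing a resolver you administer. It builds a standard query with the RD bit set, decodes the RA bit and RCODE of the reply (wire format per RFC 1035), and includes the "hexdump to binary string" helper the post wishes NSE had. The sample replies, the query name example.com, and the rule "RA set plus a NOERROR answer means recursion was served" are constructed assumptions of this example.

```python
# Added example (not the post's NSE script, nor Nmap code): an open-recursion
# check in plain Python.  Wire format per RFC 1035; sample packets and the
# classification rule are constructed here.
import os
import socket
import struct


def hex_to_bytes(hexdump: str) -> bytes:
    """Turn a hexdump such as "AC 1D DE AD" into a byte string (the helper the post asks for)."""
    return bytes.fromhex(hexdump.replace(" ", ""))


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: each label length-prefixed, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_recursion_query(name: str, txid: int) -> bytes:
    """Standard query (QR=0, opcode 0) with RD=1 -> flags 0x0100; one question, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def classify_reply(packet: bytes, expected_txid: int) -> dict:
    """Decode the header flags of a reply and decide whether the server recursed for us."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (not our reply)")
    info = {
        "qr": bool(flags & 0x8000),   # response bit
        "rd": bool(flags & 0x0100),   # recursion desired, echoed from the query
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 NOERROR, 5 REFUSED
        "answers": an,
    }
    # Constructed rule for this example: RA set and a NOERROR reply with at
    # least one answer record means the server resolved a foreign name for us.
    info["open_recursion"] = info["qr"] and info["ra"] and info["rcode"] == 0 and an > 0
    return info


def probe_resolver(server: str, name: str = "example.com", port: int = 53, timeout: float = 3.0) -> dict:
    """Send one query to a resolver you administer and classify its reply (network call, not run offline)."""
    txid = int.from_bytes(os.urandom(2), "big")   # random id so a stray packet cannot match
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_recursion_query(name, txid), (server, port))
        data, _ = sock.recvfrom(512)
    return classify_reply(data, txid)


# Constructed sample replies for offline use (txid 0x1234, question example.com/A/IN).
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
# flags 0x8180: QR=1 RD=1 RA=1 rcode 0; one A answer via a name pointer (c0 0c) to 192.0.2.1
RECURSIVE_REPLY = (
    hex_to_bytes("12 34 81 80 00 01 00 01 00 00 00 00") + QUESTION
    + hex_to_bytes("C0 0C 00 01 00 01 00 00 0E 10 00 04 C0 00 02 01")
)
# flags 0x8105: QR=1 RD=1 RA=0 rcode 5 (REFUSED), what an authoritative-only server should send
REFUSED_REPLY = hex_to_bytes("12 34 81 05 00 01 00 00 00 00 00 00") + QUESTION

if __name__ == "__main__":
    for label, pkt in (("recursive", RECURSIVE_REPLY), ("refused", REFUSED_REPLY)):
        print(label, classify_reply(pkt, 0x1234))
```

Checking the transaction id before reading the flags keeps an unrelated or spoofed datagram from being classified as the answer, and a random id per probe is what makes that check meaningful; the two constructed replies show the difference between a resolver that serves recursion to anyone and an authoritative-only server that clears RA and answers REFUSED.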