Nmap Development mailing list archives

Re: -sV crash in $# substitution function substvar()


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 21 Jul 2007 23:01:02 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 21 Jul 2007 15:02:59 -0700 plus or minus some time doug () hcsw org
wrote:

> Hi Brandon!
> 
> Thanks for the bug report! This is indeed a strange one. I checked
> out the service match lines that should match your application and
> it looks like they are buggy!

Stupid me to just assume it was a problem in the code.  I stared at the
source for over an hour trying to figure it out.  I should have at least
*looked* at the match line.


> On the line in the probes file:
> 
> match rtsp m|^RTSP/1\.0 \d\d\d .*\r\nServer: Helix (:?DNA )?Server Version ([\d.]+) \(linux-[^)\r\n]+\)|s p/Helix DNA Server/ v/$1/ o/Linux/
> 
> Could you change (:?DNA )? to [\w ]+ and see if it fixes your crash?
> I've changed the corresponding line in the soc07 SVN branch if you'd
> rather try that version.

I went ahead and changed '(:?DNA )?' to non-capturing parenthesis,
'(?:DNA )?' instead of [\w ]+.  Either one fixes the problem but I think
leaving DNA in there is probably a good idea if future names come along.


> Non-capturing clustering is done incorrectly in that match line. Oops,
> probably my fault! What's strange is that the 2 submissions for this
> service seem to match OK with my scripts before even applying the fix.
> 
> Thanks!
> 
> Doug

While we're on the topic of match-line bugs, I noticed this one often
matches too much and throws a warning:

match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]+)|s p/Apache httpd/ v/$1/ i/$2/

Warning: Servicescan failed to fill info_template (subjectlen: 2566). Too long? Match string was line 3145: v/Apache httpd/$1/$2

To solve this, I split it into two match lines, one that tries to get extra
info for i/$2/ (up to 30 chars) and one that just matches the service:

match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]{1,30})[\ \r\n]|s p/Apache httpd/ v/$1/ i/$2/

match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+)|s p/Apache httpd/ v/$1/

If you are interested in the banner being returned to cause the warning in
the first place I'm sure I could use --version-trace and figure it out.
Let me know and I'll work on it.

Brandon


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGopAuqaGPzAsl94IRAl+rAJ9J1CjONm53JcKfruy7j8C+kO04jACdE4EL
+f0p9MRBEyLWj0bbhjUvqVw=
=n1l/
-----END PGP SIGNATURE-----
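The two match-line failures discussed in this thread, modelled in Python as an added example that is not Nmap's own service_scan code: a small parser for the `match` line syntax used above, a `substvar`-style `$N` expander that reports an unset capture group instead of crashing on it, and an info-field length check standing in for the fixed template buffer behind the "failed to fill info_template" warning. The banners, the `MAX_INFO_LEN` value and every function name here are constructed for the example; the match lines are the ones quoted in the thread.

```python
"""Model of nmap-service-probes `match` lines and the $N template
substitution discussed in the thread.  Added example, not Nmap's code.
Assumed: the line syntax is the subset used in the thread
(m<delim>regex<delim>[is] followed by p/ v/ i/ o/ fields) and
MAX_INFO_LEN stands in for Nmap's fixed-size template buffer."""
import re

MAX_INFO_LEN = 64  # assumed cap; Nmap's real buffer size is not given in the thread


class UnsetGroupError(Exception):
    """$N named a capture group that did not take part in the match."""


def parse_match_line(line):
    """Split `match <svc> m<d>regex<d>[flags] p/../ v/../ i/../ o/../` into parts."""
    head = re.match(r'match\s+(\S+)\s+m(\S)', line)
    if head is None:
        raise ValueError("not a match line: %r" % line)
    service, delim = head.group(1), head.group(2)
    start = head.end()
    end = line.index(delim, start)          # regex body ends at the next delimiter
    pattern, rest = line[start:end], line[end + 1:]
    flagchars = re.match(r'[is]*', rest).group(0)
    flags = (re.IGNORECASE if 'i' in flagchars else 0) | (re.DOTALL if 's' in flagchars else 0)
    fields = {}
    # field letter, its own delimiter char, then the template up to that delimiter
    for fm in re.finditer(r'(?<!\S)([pvihod])(\S)(.*?)\2', rest[len(flagchars):]):
        fields[fm.group(1)] = fm.group(3)
    return service, re.compile(pattern, flags), fields


def substvar(template, m):
    """Expand $N from the regex match.  Nmap's substvar() crashed on the thread's
    buggy line because $1 named a group that never matched; raise instead."""
    def repl(ref):
        idx = int(ref.group(1))
        if idx < 1 or idx > m.re.groups:
            raise ValueError("$%d does not exist in the pattern" % idx)
        val = m.group(idx)
        if val is None:
            raise UnsetGroupError("$%d refers to a group that did not participate" % idx)
        return val
    return re.sub(r'\$(\d+)', repl, template)


def apply_match(line, banner):
    """Fill the line's fields from `banner`; None if the regex does not match.
    Problems are reported in an 'error' key rather than raised, like Nmap's warning."""
    service, regex, fields = parse_match_line(line)
    m = regex.search(banner)
    if m is None:
        return None
    out = {'service': service}
    try:
        for key, tmpl in fields.items():
            out[key] = substvar(tmpl, m)
    except UnsetGroupError as e:
        return {'service': service, 'error': str(e)}
    if len(out.get('i', '')) > MAX_INFO_LEN:
        out['error'] = 'failed to fill info_template: %d chars' % len(out['i'])
    return out


def first_match(lines, banner):
    """As in Nmap, the first match line whose regex fits the banner wins."""
    for line in lines:
        result = apply_match(line, banner)
        if result is not None:
            return result
    return None


# Match lines from the thread: Doug's buggy Helix line and its fix, Brandon's
# original Apache line and his two-line split.
BUGGY_HELIX = (r'match rtsp m|^RTSP/1\.0 \d\d\d .*\r\nServer: Helix (:?DNA )?Server Version '
               r'([\d.]+) \(linux-[^)\r\n]+\)|s p/Helix DNA Server/ v/$1/ o/Linux/')
FIXED_HELIX = BUGGY_HELIX.replace('(:?DNA )?', '(?:DNA )?')
ORIG_APACHE = (r'match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]+)|s '
               r'p/Apache httpd/ v/$1/ i/$2/')
SPLIT_APACHE_INFO = (r'match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) '
                     r'([^\r\n]{1,30})[\ \r\n]|s p/Apache httpd/ v/$1/ i/$2/')
SPLIT_APACHE_PLAIN = (r'match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+)|s '
                      r'p/Apache httpd/ v/$1/')

# Constructed banners (not captures from the thread).
HELIX_BANNER_NO_DNA = ('RTSP/1.0 200 OK\r\nServer: Helix Server Version 11.1.2 '
                       '(linux-2.4-libc6-i586-server)\r\n\r\n')
HELIX_BANNER_DNA = HELIX_BANNER_NO_DNA.replace('Helix Server', 'Helix DNA Server')
APACHE_BANNER = ('HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS) mod_ssl/2.2.3 OpenSSL/0.9.8b '
                 'mod_python/3.2.8 Python/2.4.3 PHP/5.1.6 mod_perl/2.0.2 Perl/v5.8.8\r\n'
                 'Content-Type: text/html\r\n\r\n')

if __name__ == '__main__':
    print(apply_match(BUGGY_HELIX, HELIX_BANNER_NO_DNA))   # $1 unset: the crash case
    print(apply_match(BUGGY_HELIX, HELIX_BANNER_DNA))      # matches, but v/ holds 'DNA ' not the version
    print(apply_match(FIXED_HELIX, HELIX_BANNER_NO_DNA))   # v/11.1.2/
    print(apply_match(ORIG_APACHE, APACHE_BANNER))         # info field far too long
    print(first_match([SPLIT_APACHE_INFO, SPLIT_APACHE_PLAIN], APACHE_BANNER))
```

The buggy Helix line fails in two different ways, and only one of them is loud: against a banner without "DNA" the optional group does not participate and `$1` has no value (the crash Brandon hit), while against a banner with "DNA" the line matches cleanly but reports the version as `DNA `. A `(?:...)` non-capturing group removes both problems because `$1` then always names the version. For the Apache split, the `{1,30}` bound plus the trailing `[\ \r\n]` anchor keeps `i/$2/` to a whole token of at most 30 characters, and the second, info-less line still fingerprints servers whose header does not fit that shape.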

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

