Nmap Development mailing list archives

Re: Errors with -sV and -PE using IPv6


From: Will Cladek <william.cladek () nrl navy mil>
Date: Wed, 09 Jan 2008 12:49:58 -0500

After breaking out my rusty programming skills, I figured out what was causing the seg fault with the -sV option in 
IPv6.  It's the following code in scan_engine.cc, starting at line 5101, and then the same code again at 5129:

                if (send_rpc_query(target->v4hostip(), rsi.rpc_current_port->portno,
                                   rsi.rpc_current_port->proto,
                                   current->portno, current - scan,
                                   current->trynum) == -1) {
                  /* Futz, I'll give up on this guy ... */
                  rsi.rpc_status = RPC_STATUS_NOT_RPC;
                  break;
                }

The function send_rpc_query in scan_nmap.cc receives the pointer returned by target->v4hostip() from the call above, 
and dereferences it a few times without checking for it to be non-NULL.  In the case of scanning an IPv6 host, that 
value will be NULL and thus cause a seg fault when dereferenced.  My quick-fix is just to change the beginning of that 
if-statement to:

            if (!target->v4hostip() || send_rpc_query(...

so that it won't even attempt to send an RPC query if there is no v4 address.

Not to do an incomplete job of this, but I'm not familiar enough with this stuff to make a proper patch to allow it to 
send RPC queries to v6 hosts as well.  I'll look into it more eventually, if someone doesn't beat me to it, but until 
then this suits my v6 version scanning needs.

-Will


Will Cladek wrote:
A couple of problems I've noticed with nmap 4.52 compiled on a Red Hat 4 
x86_64 machine, scanning IPv6 hosts:

1.  When giving it the -PE option, the following error message comes up:

nmap: tcpip.cc:931: pcap_t* my_pcap_open_live(const char*, int, int, 
int): Assertion `device != __null' failed.

I'm guessing ICMP ping host discovery still isn't supported with IPv6, 
but there should probably be a more useful error message.  Previously, I 
believe no error was generated at all -- it simply didn't do an ICMP ping.

2.  When scanning certain systems with version detection (-sV), certain 
hosts cause nmap to simply give a Segmentation Fault error and exit.  
Specifically, this seems to happen when scanning Solaris hosts.

Has anyone else experienced these problems with IPv6 scanning?

Thanks,

Will


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
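The crash described in the message is an unchecked null dereference: target->v4hostip() returns NULL for an IPv6-only host and send_rpc_query() dereferences it. The following is an added C++ example (not nmap's code, and not from the thread) that models the pattern with a hypothetical minimal Target struct and a stand-in send_rpc_query_stub(), and shows the guarded caller from Will's quick fix next to the unguarded one. The RpcStatus enum values are taken from the names used in the quoted snippet; everything else is constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Status values named in the quoted scan_engine.cc snippet; the enum itself
// is constructed for this example.
enum RpcStatus { RPC_STATUS_UNKNOWN, RPC_STATUS_NOT_RPC, RPC_STATUS_QUERIED };

// Hypothetical stand-in for nmap's Target class. A host being scanned over
// IPv6 has no IPv4 address, so the accessor returns nullptr in that case,
// which is the value the original code handed straight to send_rpc_query().
struct Target {
    bool has_v4 = false;
    uint32_t v4 = 0;   // IPv4 address, host byte order
    std::string v6;    // textual IPv6 address, empty if none

    const uint32_t *v4hostip() const { return has_v4 ? &v4 : nullptr; }
};

// Hypothetical stand-in for send_rpc_query(): like the original it assumes
// the address pointer is valid and dereferences it unconditionally.
// Returns 0 when the query was "sent", -1 on failure.
static int send_rpc_query_stub(const uint32_t *v4ip, int portno) {
    uint32_t ip = *v4ip;   // caller must guarantee non-null; no check here
    if (portno <= 0 || portno > 65535) return -1;
    std::printf("RPC query to %u.%u.%u.%u:%d\n",
                (unsigned)((ip >> 24) & 0xff), (unsigned)((ip >> 16) & 0xff),
                (unsigned)((ip >> 8) & 0xff), (unsigned)(ip & 0xff), portno);
    return 0;
}

// Unguarded caller, shaped like the original if-statement. Calling this with
// an IPv6-only target dereferences nullptr inside send_rpc_query_stub(),
// which is the segmentation fault reported in the thread. Kept for contrast;
// never call it with a target that may lack an IPv4 address.
RpcStatus rpc_scan_port_unguarded(const Target &t, int portno) {
    if (send_rpc_query_stub(t.v4hostip(), portno) == -1) {
        return RPC_STATUS_NOT_RPC;   // "Futz, I'll give up on this guy"
    }
    return RPC_STATUS_QUERIED;
}

// Guarded caller, following the quick fix in the message: if there is no v4
// address, skip the RPC query entirely and mark the port not-RPC instead of
// crashing. Short-circuit evaluation means send_rpc_query_stub() is never
// reached with a null pointer.
RpcStatus rpc_scan_port(const Target &t, int portno) {
    if (!t.v4hostip() || send_rpc_query_stub(t.v4hostip(), portno) == -1) {
        return RPC_STATUS_NOT_RPC;
    }
    return RPC_STATUS_QUERIED;
}

// Constructed sample targets for a stand-alone run.
Target make_v4_target() { Target t; t.has_v4 = true; t.v4 = 0xC0A80001u; return t; }  // 192.168.0.1
Target make_v6_target() { Target t; t.v6 = "2001:db8::1"; return t; }

int main() {
    Target v4 = make_v4_target();
    Target v6 = make_v6_target();
    std::printf("v4 target, port 111: status %d\n", rpc_scan_port(v4, 111));
    std::printf("v6 target, port 111: status %d (skipped, no crash)\n", rpc_scan_port(v6, 111));
    return 0;
}
```

Only the guarded function is safe to call on a target that may be IPv6-only; the unguarded one is present solely to show the shape of the original check. The quick fix silences the crash but, as the message notes, it also means RPC version probing is simply skipped for IPv6 hosts rather than performed over v6.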

