Nmap Development mailing list archives

Re: [NSE] Yet another SMB version!


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 21 Oct 2008 21:56:49 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 21 Oct 2008 10:38:30 -0500
Ron <ron () skullsecurity net> wrote:


> Other than that, I hope some of you give it a try and report
> problems! I want to commit this code as soon as I can, but it's such
> a big change that I want to get some independent verification that it
> works!


I've run into what looks like an integer overflow/underflow in
msrpc.lua:unicode_to_string().

A handful of the hosts I'm scanning cause the script engine to spit out
these errors:

SCRIPT ENGINE: /usr/share/nmap/nselib/msrpc.lua:139: bad argument #1 to 'char' (number expected, got nil)

I turned on high debugging and here is the output leading up to one of
them:

SCRIPT ENGINE DEBUG: MSRPC: LsarLookupSids2() returned successfully
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 45, length = 2)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 201, length = 44)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 301, length = 14)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 341, length = 44)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 441, length = 44)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 541, length = 44)
SCRIPT ENGINE DEBUG: MSRPC: Calling LsarLookupSids2()
SCRIPT ENGINE DEBUG: Sending SMB_COM_TRANSACTION
SCRIPT ENGINE DEBUG: Sending SMB packet (len: 338)
SCRIPT ENGINE DEBUG: Received 764 bytes from SMB
SCRIPT ENGINE DEBUG: MSRPC: LsarLookupSids2() returned successfully
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 45, length = 83886080)
SCRIPT ENGINE: /usr/share/nmap/nselib/msrpc.lua:139: bad argument #1 to 'char' (number expected, got nil)


It looks to me like unicode_to_string() accidentally walked off the end
of the string and the length computation wrapped.

Once this happens, NSE appears to get stuck in a loop:

SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:46 (0:00:15 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:47 (0:00:31 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:48 (0:00:47 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:49 (0:01:03 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:49 (0:01:19 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:50 (0:01:35 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:51 (0:01:51 remaining)

The trouble with NSE debug output is that there isn't a way to tell
what output goes to what thread/host/port.  It would be nice to tag the
output with a thread number so that we can at least tell what output is
from the same thread.  I'm thinking something like:

SCRIPT ENGINE DEBUG[1]: MSRPC: Entering unicode_to_string(pos = 441, length = 44)
SCRIPT ENGINE DEBUG[1]: MSRPC: Entering unicode_to_string(pos = 541, length = 44)
SCRIPT ENGINE DEBUG[2]: MSRPC: Calling LsarLookupSids2()
SCRIPT ENGINE DEBUG[3]: Sending SMB_COM_TRANSACTION
SCRIPT ENGINE DEBUG[1]: MSRPC: Entering unicode_to_string(pos = 45, length = 83886080)

Something even more unique than thread number would be preferable, if a
bit verbose.

Also, a few comments on your debugging output.  For -d and -d2 the
output is phenomenal.  Very valuable information.  I think needing -d5
to see *all* the output is excessive.  Perhaps you'd be willing to
collapse all the -d5 output into the -d3 output?

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkj+UCcACgkQqaGPzAsl94I6CwCfbw8F/8GE9Yvv2Jzy9eHRGVFW
BHoAnRMpCx/PdljZbtneJCjO95e+z2RT
=WzxX
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
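The failure reported above, a length field taken from the wire driving the decoder past the end of the received buffer until string.char is handed nil, is the classic untrusted-length bug, and the defensive fix is to check the length against the bytes actually remaining before decoding anything. The following is an added example written for this archive page, not the unicode_to_string() from Nmap's msrpc.lua: a bounds-checked UTF-16LE decoder in Lua. The data argument, the nil-plus-error return convention and the constructed sample buffer are assumptions; pos and length follow the values shown in the debug output.

```lua
-- Added example (not Nmap's msrpc.lua): a bounds-checked UTF-16LE decoder.
-- 'data' is the raw MSRPC response as a Lua string (assumed argument), 'pos'
-- is the 1-based offset of the first UTF-16 code unit and 'length' the number
-- of code units, mirroring the pos/length pairs in the NSE debug output.
-- Returns the decoded string and the position just past it, or nil plus an
-- error message when the length field would run past the end of the buffer.
local function unicode_to_string(data, pos, length)
  -- A length that is not a non-negative integer is corrupt or misparsed.
  if type(length) ~= "number" or length < 0 or length ~= math.floor(length) then
    return nil, string.format("invalid UTF-16 length %s", tostring(length))
  end
  -- Each code unit is two bytes; refuse to read past #data.
  local needed = length * 2
  if pos < 1 or pos + needed - 1 > #data then
    return nil, string.format(
      "UTF-16 string at pos %d with %d code units needs %d bytes but only %d remain",
      pos, length, needed, #data - pos + 1)
  end

  local out = {}
  for i = 0, length - 1 do
    -- Little-endian: low byte first, then high byte.
    local lo, hi = string.byte(data, pos + 2 * i, pos + 2 * i + 1)
    if hi == 0 and lo < 128 then
      out[#out + 1] = string.char(lo)   -- plain ASCII code unit
    else
      out[#out + 1] = "?"               -- non-ASCII code unit: substitute
    end
  end
  return table.concat(out), pos + needed
end

-- Constructed sample buffer: "SMB" as UTF-16LE followed by two trailing bytes.
local sample = "S\0M\0B\0\1\2"

-- Well-formed length: decodes the three code units.
print(unicode_to_string(sample, 1, 3))

-- A length like the 83886080 seen in the debug output is rejected before
-- any byte is read, instead of walking off the end of the buffer.
print(unicode_to_string(sample, 1, 83886080))
```

With the sample buffer, a length of 3 decodes the three code units and returns the position just past them, while the oversized length is refused with a message naming the position, the length and the bytes remaining. A script calling the decoder can test for the nil return and abort its run against that host cleanly, rather than having NSE stop on a bad argument error.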
