Re: NSE: odd output, testing, etc

["M M" <v4lkyrius () gmail com>]

On Wed, Dec 17, 2008 at 4:20 PM, Brandon Enright <bmenrigh () ucsd edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Patrick, all,
>
> I've recently been helping Ron with extensive testing of his MS RPC/SMB
> scripts and have uncovered some strange output and other NSE oddities.
> I'll describe a few here but I think the best way to get at some of
> these is with back-and-forth email/IM discussion and testing to help
> locate and fix problems.
>
> Here are a few things I think are issues:
>
> * NSE is overly aggressive with parallelism.  It isn't unusual for NSE
>  to report more than 2000 active NSE scripts.  When this happens Lua
>  seems to thrash and NSE scanning slows to a crawl.  I think this has
>  the ability to trigger the "lock, (null), <int>, tcp, ERROR" errors
>  describe below.
>
> * Certain script/Lua problems appear to corrupt the Lua state, causing
>  the NSE scan to fail.  With David's patch to keep the same Lua state
>  so that the registry is maintained between host groups this appears to
>  propagate corruption problems from one NSE scan to the next.  Much
>  more testing is needed to confirm/troubleshoot/fix this.
>
> * Under certain circumstances the NSE Runlevel computation appears to
>  have a divide-by-zero bug causing it to out "SCRIPT ENGINE: Runlevel:
>  inf"
>
> * There seems to be some sort of script deadlocking detection that can
>  output "SCRIPT ENGINE: lock".  It isn't clear what circumstances are
>  required to cause this but I'm not convinced it is always a real
>  deadlock.
>
> * It seems a script with a handle to a mutex won't release it if the
>  script crashes (causing a deadlock).
>
> * Sometimes the script engine will print a series of "SCRIPT ENGINE:
>  (null)" right before the engine completes.
>
> * Sometimes a script will exit and the only output is "SCRIPT ENGINE:
>  tcp".
>
> * Sometimes a script will exit and the only output is "SCRIPT ENGINE:
>  ERROR".
>
> * Sometimes a script will exit and the only output is "SCRIPT ENGINE:
>  <int>" where <int> is typically a small number.  One such example is
>  "SCRIPT ENGINE: 4".

$ find . -print0 | xargs -0 grep "SCRIPT ENGINE"
./nse_macros.h:#define SCRIPT_ENGINE                       "SCRIPT ENGINE"
[...]
$ find . -print0 | xargs -0 grep ", SCRIPT_ENGINE, "
[...]
./nse_main.cc:                                  log_write(LOG_STDOUT,
"%s: %s\n", SCRIPT_ENGINE, errmsg);

> From nse_main.cc:
460                                // this script returned because of an error
461                                // print the failing reason if the
verbose level is high enough
462                                SCRIPT_ENGINE_DEBUGGING(
463                                        const char* errmsg =
lua_tostring(current.thread, -1);
464                                        log_write(LOG_STDOUT, "%s:
%s\n", SCRIPT_ENGINE, errmsg);
465                                )

I think those errors all arise from the same variable, "errmsg".

> Ron's SMB script seem to be a great starting place for finding these
> sorts of errors.  I'd be willing to run special test scripts against
> tens of thousands of hosts or other things that might help track these
> down.
>
> Brandon
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.9 (GNU/Linux)
>
> iEYEARECAAYFAklJbRgACgkQqaGPzAsl94KblQCfXsoy5EVpFnUCnOoM2qZrPTHL
> ZcsAn0FamynA5RzFx8VDR88dk9OM8XRG
> =syKJ
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

I don't understand the internals of nmap NSE myself, but I hope this is helpful.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org