Nmap Development mailing list archives

Re: Conficker scanning with nmap


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 31 Mar 2009 22:49:54 +0000


On Tue, 31 Mar 2009 13:53:41 -0500
"Sean Wiese" <Sean.Wiese () nisc coop> wrote:

Brandon,

Thanks for your post and your attention to this.  I have been scanning
various subnets, all working fine, but one subnet in particular
returns this result:

 "evp_enc.c(282): OpenSSL internal error, assertion failed: inl > 0

aborted"

Ideas on what is triggering this?


Sean,

Several people have reported that issue to me.  I haven't (and I don't
think any other dev has) had time to really look into the issue.  One
person generously provided a backtrace for me.

Can you provide more details about the system you're on?  What version
of OpenSSL are you running?  What distro are you on?  Did you build
Nmap from the tarball or install it via RPM?

Here's the last part of the output from NMAP:

NSE: SMB: Sending SMB_COM_SESSION_SETUP_ANDX
NSE: SMB: Couldn't find a username to use, not logging in
NSE: SMB: Couldn't find domain to use, using blank
NSE: SMB: Using default logon type: ntlm
NSE: SMB: Using default logon type: ntlm
NSE: SMB: Sending SMB_COM_SESSION_SETUP_ANDX
NSE: SMB: Couldn't find a username to use, not logging in
NSE: SMB: Couldn't find domain to use, using blank
NSE: SMB: Using default logon type: ntlm
NSE: SMB: Using default logon type: ntlm
NSE: SMB: Using password/hash passed as a parameter (username = 'guest')
NSE: SMB: Lanman hash: aad3b435b51404eeaad3b435b51404ee
NSE: SMB: NTLM   hash: 31d6cfe0d16ae931b73c59d7e0c089c0
NSE: SMB: Creating NTLMv1 response
evp_enc.c(282): OpenSSL internal error, assertion failed: inl > 0

And here's the gdb backtrace output

Core was generated by `/usr/local/bin/nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 -d2'.
Program terminated with signal 6, Aborted.
[New process 10375]
#0  0xb800d416 in __kernel_vsyscall ()
Missing separate debuginfos, use: debuginfo-install e2fsprogs.i386 gcc.i386
glibc.i686 keyutils.i386 krb5.i386 libselinux.i386 openssl.i686 zlib.i386
(gdb) bt
#0  0xb800d416 in __kernel_vsyscall ()
#1  0x0082a660 in raise () from /lib/libc.so.6
#2  0x0082c028 in abort () from /lib/libc.so.6
#3  0x03192c5a in OpenSSLDie () from /lib/libcrypto.so.7
#4  0x031f7cb0 in EVP_EncryptUpdate () from /lib/libcrypto.so.7
#5  0x080c1544 in ?? ()
#6  0x080efbe3 in ?? ()
#7  0x09709db0 in ?? ()
#8  0x0965e8f0 in ?? ()
#9  0xbff08008 in ?? ()
#10 0x080f7f49 in ?? ()
#11 0x096772f0 in ?? ()
#12 0x00000408 in ?? ()
#13 0xbff08008 in ?? ()
#14 0x080f7be5 in ?? ()
#15 0x096772f0 in ?? ()
#16 0x0963fae8 in ?? ()
#17 0x0965e8f0 in ?? ()
#18 0x09382868 in ?? ()
#19 0x0963fae8 in ?? ()
#20 0x09709db0 in ?? ()
#21 0x096774d8 in ?? ()
#22 0x00000001 in ?? ()
#23 0x09643614 in ?? ()
#24 0x09382868 in ?? ()
#25 0xbff080a8 in ?? ()
#26 0x080f9010 in ?? ()
#27 0x09709db0 in ?? ()
#28 0x09382868 in ?? ()
#29 0x00000001 in ?? ()
#30 0x09382868 in ?? ()
#31 0x092d3eb8 in ?? ()
#32 0x097c5848 in ?? ()
#33 0x092cd810 in ?? ()
#34 0x00966140 in ?? () from /lib/libc.so.6
#35 0x092ac7b0 in ?? ()
#36 0x09644d40 in ?? ()
#37 0x000a0209 in ?? ()
#38 0x093827fc in ?? ()
#39 0x0963fa28 in ?? ()
#40 0x09643614 in ?? ()
#41 0x09382868 in ?? ()
#42 0x0976acf8 in ?? ()
#43 0x093827f0 in ?? ()
#44 0x092cd810 in ?? ()
#45 0x00000102 in ?? ()
#46 0x00000000 in ?? ()


I think what this is telling us is that the OpenSSL routines Ron uses
to do the NTLM crypto work are failing on us.

Brandon

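The reading of the backtrace given in the message can be reproduced mechanically. The following is an added example, not part of the original message or of Nmap: a small Python triage helper that pulls the assertion, the last script step before it, and the first library call below the abort path out of pasted debug output. The function name `triage` and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the debug output and backtrace quoted above.
SAMPLE = """\
NSE: SMB: Using default logon type: ntlm
NSE: SMB: Creating NTLMv1 response
evp_enc.c(282): OpenSSL internal error, assertion failed: inl > 0
#0  0xb800d416 in __kernel_vsyscall ()
(gdb) bt
#0  0xb800d416 in __kernel_vsyscall ()
#1  0x0082a660 in raise () from /lib/libc.so.6
#2  0x0082c028 in abort () from /lib/libc.so.6
#3  0x03192c5a in OpenSSLDie () from /lib/libcrypto.so.7
#4  0x031f7cb0 in EVP_EncryptUpdate () from /lib/libcrypto.so.7
#5  0x080c1544 in ?? ()
#6  0x080efbe3 in ?? ()
"""

ASSERT_RE = re.compile(r"^(\S+)\((\d+)\): OpenSSL internal error, assertion failed: (.+)$")
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\S+) \(\)(?: from (\S+))?$")
# Frames that only carry out the abort; the caller of interest sits just below them.
ABORT_PATH = {"__kernel_vsyscall", "raise", "abort", "OpenSSLDie"}

def triage(text):
    """Summarise an OpenSSL assertion abort from debug output plus a gdb backtrace."""
    out = {"assertion": None, "last_step": None, "failing_call": None, "unsymbolized": 0}
    frames = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ASSERT_RE.match(line)
        if m:
            out["assertion"] = {"file": m.group(1), "line": int(m.group(2)), "cond": m.group(3)}
        elif line.startswith("NSE:") and out["assertion"] is None:
            out["last_step"] = line          # last script message before the abort
        else:
            f = FRAME_RE.match(line)
            if f:                            # gdb prints frame #0 twice; keep one copy
                frames.setdefault(int(f.group(1)), (f.group(2), f.group(3)))
    for n in sorted(frames):
        func, lib = frames[n]
        if func == "??":
            out["unsymbolized"] += 1         # no symbols: Nmap's own frames are opaque
        elif func not in ABORT_PATH and out["failing_call"] is None:
            out["failing_call"] = {"frame": n, "func": func, "lib": lib}
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A high `unsymbolized` count is the cue to install the debuginfo packages gdb lists before asking for another backtrace.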
