Nmap Development mailing list archives

Re: Conficker scanning with nmap


From: David Fifield <david () bamsoftware com>
Date: Wed, 1 Apr 2009 09:17:25 -0600

On Wed, Apr 01, 2009 at 08:41:17AM +0000, Brandon Enright wrote:
> > Brandon Enright <bmenrigh () ucsd edu> writes:
> > > evp_enc.c(282): OpenSSL internal error, assertion failed: inl > 0
> >
> > I managed to isolate the problem. It lies in nse_openssl.cc, in the
> > function l_encrypt which is sometimes called with an empty string.
> > In this case, data_len is 0 and the following:
> >
> >   EVP_EncryptUpdate( &cipher_ctx, out, &out_len, data, data_len )
> >
> > triggers the fatal error from OpenSSL:
> >
> >   evp_enc.c(261): OpenSSL internal error, assertion failed: inl > 0
> >
> > Cheers,
> >
> > Lionel
>
> Excellent digging.  I'll probably be able to work backwards from here
> to figure out why tomorrow.
>
> I'm assuming that the error is triggered in "NSE: SMB: Creating NTLMv1
> response".  Ron might be able to think of a case where this would happen too.

I can reproduce this with OpenSSL 0.9.8e and the attached sample script.
The error only happens for me when encrypting an empty string, not
decrypting one.

I think you're right about where the problem occurs. It could happen
when the server sends a zero-length challenge. The challenge comes from
line 615 of smbauth.lua. It looks like it could be caused by a truncated
packet.

David Fifield

Attachment: ssl-test.nse
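The thread points at two places where this crash could be stopped: the SMB parser in smbauth.lua, which should reject a challenge that is not the 8 bytes NTLM requires (a truncated packet yields an empty one), and the l_encrypt wrapper in nse_openssl.cc, which should never hand a zero-length buffer to EVP_EncryptUpdate(), since OpenSSL 0.9.8 aborts the whole scanner process there instead of returning an error. The Lua below is an added example of both checks written at the NSE layer; it is not code from this thread, from the attached ssl-test.nse, or from Nmap. It assumes the NSE binding has the shape openssl.encrypt(cipher, key, iv, data, padding); the names extract_challenge and safe_encrypt are hypothetical, and the DES steps of a real NTLMv1 response are out of scope.

```lua
-- Added example (not from this thread or from Nmap): validate the NTLM
-- challenge where it is parsed, and refuse zero-length input before it
-- reaches the C crypto binding, where the failure is an abort, not an error.
-- Assumed binding signature: openssl.encrypt(cipher, key, iv, data, padding).

local NTLM_CHALLENGE_LEN = 8  -- an NTLM server challenge is exactly 8 bytes

-- Pull the challenge out of a received buffer starting at 'offset' (1-based).
-- Returns the 8-byte challenge, or nil plus a reason, so the caller can fail
-- this authentication attempt instead of crashing the scanner.
local function extract_challenge(buf, offset)
  offset = offset or 1
  local avail = #buf - offset + 1
  if avail < NTLM_CHALLENGE_LEN then
    return nil, string.format("truncated packet: need %d challenge bytes, have %d",
                              NTLM_CHALLENGE_LEN, math.max(avail, 0))
  end
  return buf:sub(offset, offset + NTLM_CHALLENGE_LEN - 1)
end

-- Guard in front of any encrypt function with the openssl.encrypt shape.
-- A zero-length plaintext is rejected here, in Lua, where an error is
-- recoverable, rather than inside EVP_EncryptUpdate(), where it is not.
local function safe_encrypt(encrypt, cipher, key, iv, data, padding)
  if data == nil or #data == 0 then
    return nil, "refusing to encrypt zero-length input"
  end
  return encrypt(cipher, key, iv, data, padding)
end

-- Constructed sample buffers (not captured traffic); string.char keeps this
-- Lua 5.1 compatible, which is what Nmap shipped at the time of the thread.
local full_packet = string.char(0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88)
local truncated_packet = string.char(0x11, 0x22, 0x33)

local challenge, err = extract_challenge(full_packet, 1)
assert(challenge and #challenge == NTLM_CHALLENGE_LEN, err)

local missing, why = extract_challenge(truncated_packet, 1)
assert(missing == nil and why:match("^truncated"), "truncation was not detected")

-- Exercise the guard with a counting stand-in for openssl.encrypt so this
-- file runs outside Nmap; the stand-in only records whether it was called.
local calls = 0
local function counting_encrypt(cipher, key, iv, data, padding)
  calls = calls + 1
  return data
end
assert(safe_encrypt(counting_encrypt, "DES-ECB", "k", "", "", false) == nil)
assert(calls == 0, "empty input must never reach the crypto binding")
assert(safe_encrypt(counting_encrypt, "DES-ECB", "k", "", challenge, false) == challenge)
assert(calls == 1)

-- Inside an NSE script the real binding is passed in the same way; the key
-- here is a constructed 8-byte DES key, not a credential.
local have_openssl, openssl = pcall(require, "openssl")
if have_openssl then
  local key8 = string.rep("\0", 8)
  local ct, e = safe_encrypt(openssl.encrypt, "DES-ECB", key8, "", challenge, false)
  assert(ct ~= nil, e)
end

print("all checks passed")
```

Placing the length check at the parser keeps the failure local to one SMB session (the script returns an error and nmap carries on), whereas a bare assertion inside libcrypto takes down every concurrent probe in the process. The pcall around require lets the same file run under a plain Lua interpreter and under Nmap's NSE.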


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
