Nmap Development mailing list archives

Re: Conficker scanning with nmap


From: Ron <ron () skullsecurity net>
Date: Wed, 01 Apr 2009 11:26:25 -0500

David Fifield wrote:
I can reproduce this with OpenSSL 0.9.8e and the attached sample script.
The error only happens for me when encrypting an empty string, not
decrypting one.

I think you're right about where the problem occurs. It could happen
when the server sends a zero-length challenge. The challenge comes from
line 615 of smbauth.lua. It looks like it could be caused by a truncated
packet.

David Fifield

Good to know!

I can probably default the challenge to "AAAAAAAA" or something... a blank challenge shouldn't happen anyway; it's likely the server would ignore the answer either way.

I've added a check to my smb.lua class (haven't committed it yet) that automatically changes a blank server challenge to 'AAAAAAAA'.

Do we maybe want to add this check deeper, though? Like, in openssl.encrypt(), do a check on the data + the version and return an error (or return known bad data) if we end up in that situation?

Ron
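One shape the two checks discussed above could take, as an added example that is not code from this thread or from Nmap's smb.lua / smbauth.lua. It assumes a server challenge is 8 bytes (the length of the "AAAAAAAA" placeholder) and that the encrypt function being guarded takes (algorithm, key, iv, data); both are assumptions, and the encrypt function used here is a constructed stand-in so the file runs on plain Lua without the NSE openssl binding:

```lua
-- Added example; not code from the thread or from Nmap's smb.lua / smbauth.lua.
-- Assumptions: the challenge field is 8 bytes, and the guarded encrypt
-- function has the signature (algorithm, key, iv, data).

local DEFAULT_CHALLENGE = "AAAAAAAA"

-- Check a challenge pulled out of a parsed packet. Returns the challenge to
-- use plus nil, or the default plus a reason string when the field was
-- missing, empty or not the expected length (all symptoms of a truncated
-- or malformed packet).
local function check_challenge(challenge)
  if challenge == nil or #challenge == 0 then
    return DEFAULT_CHALLENGE, "empty challenge (truncated packet?)"
  end
  if #challenge ~= 8 then
    return DEFAULT_CHALLENGE,
      string.format("challenge is %d bytes, expected 8", #challenge)
  end
  return challenge, nil
end

-- Guard placed in front of the encrypt call itself, so zero-length input
-- never reaches OpenSSL no matter which caller produced it.
local function guarded_encrypt(encrypt, algorithm, key, iv, data)
  if data == nil or #data == 0 then
    return nil, "refusing to encrypt zero-length data"
  end
  if key == nil or #key == 0 then
    return nil, "refusing to encrypt with an empty key"
  end
  return encrypt(algorithm, key, iv, data)
end

-- Constructed stand-in for the real encrypt function: it only echoes its
-- arguments so this file runs on stock Lua.
local function fake_encrypt(algorithm, key, iv, data)
  return string.format("%s(%q)", algorithm, data)
end

-- Constructed sample inputs: a normal 8-byte challenge, the empty one from
-- the bug report, and a short one from a cut-off packet.
local samples = { "\x01\x02\x03\x04\x05\x06\x07\x08", "", "\x01\x02\x03" }
for _, sample in ipairs(samples) do
  local challenge, why = check_challenge(sample)
  if why then
    print("substituted default challenge: " .. why)
  end
  local out, err = guarded_encrypt(fake_encrypt, "DES", "secret-key", nil, challenge)
  print(out or ("encrypt refused: " .. err))
end
```

The parse-site check is the one that tells you a packet was truncated; the encrypt-site guard is the backstop that keeps any other caller from tripping the same OpenSSL error with empty data.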

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

