Nmap Development mailing list archives
Re: Conficker scanning with nmap
From: David Fifield <david () bamsoftware com>
Date: Wed, 1 Apr 2009 11:05:19 -0600
On Wed, Apr 01, 2009 at 11:26:25AM -0500, Ron wrote:
> David Fifield wrote:
> > I can reproduce this with OpenSSL 0.9.8e and the attached sample
> > script. The error only happens for me when encrypting an empty string,
> > not decrypting one. I think you're right about where the problem
> > occurs. It could happen when the server sends a zero-length challenge.
> > The challenge comes from line 615 of smbauth.lua. It looks like it
> > could be caused by a truncated packet.
>
> I can probably default the challenge to "AAAAAAAA" or something... a
> blank challenge shouldn't happen anyway, it's likely the server would
> ignore the answer either way. I've added a check to my smb.lua class
> (haven't committed it yet) that automatically changes a blank server
> challenge to 'AAAAAAAA'. Do we maybe want to add this check deeper,
> though? Like, in openssl.encrypt(), do a check on the data + the version
> and return an error (or return known bad data) if we end up in the
> situation?
I think we should just avoid calling EVP_EncryptUpdate when data_len == 0.
That's what the patch that Lionel found does, just bails out if the length
is <= 0.

http://cvs.openssl.org/filediff?f=openssl/crypto/evp/evp_enc.c&v1=1.45&v2=1.46

However, we probably need to make the other calls (EVP_EncryptInit_ex,
EVP_CIPHER_CTX_set_padding, EVP_EncryptFinal_ex), as they might be
necessary for some ciphers. Encrypting the empty string may still require
writing an initialization vector or something like that.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org