Nmap Development mailing list archives

Buffering problems in ssh2.lua


From: David Fifield <david () bamsoftware com>
Date: Fri, 12 Jun 2009 22:25:06 -0600

Hi,

I found a general problem in the ssh2.lua library that manifests itself
as errors in the ssh-hostkey.nse script.

NSE: ssh-hostkey threw an error!
./nselib/ssh2.lua:86: bad argument #2 to 'unpack' (string expected, got nil)
stack traceback:
        [C]: in function 'unpack'
        ./nselib/ssh2.lua:86: in function 'parse_kex_init'
        ./nselib/ssh2.lua:135: in function 'fetch_host_key'
        ./scripts/ssh-hostkey.nse:78: in function
<./scripts/ssh-hostkey.nse:68>
        (tail call): ?

Many others were possible. The problem is that ssh2.lua assumes that
each network read will retrieve an entire SSH-2 packet, not more or
less. It uses code like this:

  status, kexdh_reply = socket:receive_bytes(1)
  kexdh_reply = transport.payload( kexdh_reply )

receive_bytes(1) doesn't receive just 1 byte, it receives at least 1
byte. The problem usually occurs when an SSH-2 packet is split across
two TCP packets. Then the read only gets the first half, and subsequent
operations on the partial packet lead to the crash.

You can reliably reproduce it with this neat Ncat hack:

ncat -l 3000 --sh-exec "ncat scanme.nmap.org 22 | perl -e 'while (sysread(STDIN, \$line, 100)) { syswrite(STDOUT, \$line); sleep 1; }'"

The Perl script breaks the TCP stream into packets containing no more
than 100 bytes. Just scan port 3000 on localhost (with version
detection) and it will proxy to port 22 on scanme, the reply broken into
small chunks.

nmap -d -PN -p 3000 -sV --script ssh-hostkey localhost

Does anyone want to try fixing this? There really should be a
read_packet abstraction in the ssh2 library, with an internal buffer
that only returns a packet when it is complete. A description of the
packet format is at http://tools.ietf.org/html/rfc4253#section-6 .

David Fifield
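A buffered read_packet along the lines suggested above, added here as an example and not code from Nmap's ssh2.lua. It assumes the unencrypted pre-NEWKEYS phase (no MAC, packet_length in the clear) and a recv(n) function with the contract of NSE's socket:receive_bytes; the chunked_recv stream at the bottom is constructed to imitate the fragmented delivery from the Ncat trick.

```lua
-- Buffered SSH-2 packet reader for the unencrypted (pre-NEWKEYS) phase, where
-- there is no MAC and packet_length is readable in the clear (RFC 4253 sec. 6):
--   uint32 packet_length, byte padding_length, payload, random padding
local M = {}
-- Wrap a receive function. recv(n) is assumed to return a string of at least
-- n bytes (like NSE's socket:receive_bytes) or nil and an error message.
function M.new(recv) return { recv = recv, buf = "" } end
local function u32(s, p)  -- big-endian uint32 at byte offset p
  local a, b, c, d = s:byte(p, p + 3)
  return ((a * 256 + b) * 256 + c) * 256 + d
end
-- Read until at least n bytes are buffered; a short read simply loops again.
local function fill(r, n)
  while #r.buf < n do
    local data, err = r.recv(n - #r.buf)
    if not data or #data == 0 then return nil, err or "EOF" end
    r.buf = r.buf .. data
  end
  return true
end

-- Return the payload of the next complete packet, or nil and an error.
-- Bytes of any following packet stay in the buffer for the next call.
function M.read_packet(r)
  local ok, err = fill(r, 4)
  if not ok then return nil, err end
  local packet_length = u32(r.buf, 1)
  if packet_length < 1 or packet_length > 35000 then  -- RFC 4253 sec. 6.1 bound
    return nil, "bad packet_length " .. packet_length
  end
  ok, err = fill(r, 4 + packet_length)
  if not ok then return nil, err end
  local payload_len = packet_length - r.buf:byte(5) - 1
  if payload_len < 0 then return nil, "bad padding_length" end
  local payload = r.buf:sub(6, 5 + payload_len)
  r.buf = r.buf:sub(5 + packet_length)
  return payload
end

-- Constructed stream: two 16-byte packets carrying "hello" and "world", handed
-- out 3 bytes at a time to imitate the fragmented delivery from the Ncat trick.
local stream = "\0\0\0\12\6hello\0\0\0\0\0\0" .. "\0\0\0\12\6world\0\0\0\0\0\0"
local pos = 1
local function chunked_recv(n)
  local chunk = stream:sub(pos, pos + 2)  -- ignores n: at most 3 bytes per read
  pos = pos + #chunk
  return chunk  -- "" once exhausted, which fill() reports as EOF
end
local r = M.new(chunked_recv)
assert(M.read_packet(r) == "hello" and M.read_packet(r) == "world")
```

Once keys are in effect the length field is encrypted, so a full implementation decrypts the first cipher block before reading packet_length and then accounts for the MAC bytes after the padding.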

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
