Nmap Development mailing list archives

Re: Nmap security audit


From: Solar Designer <solar () openwall com>
Date: Sat, 18 Jul 2009 19:53:43 +0400

On Sat, Jul 18, 2009 at 11:24:47AM -0400, Michael Pattrick wrote:
> In ncat --chat no control characters are printed:
> ncatbroker.c(494): if (isprint(*p) || *p == '\r' || *p == '\n' || *p == '\t') {

Great!

The above is still a bit risky, though:

1. It is affected by the issue I mentioned in the "Nmap uses ctype
macros improperly" posting earlier today.  "p" is declared as follows:

    const char *p;

so it is typically signed.  When there's no workaround in libc,
isprint() may return non-zero for 8-bit chars, including in the 8-bit
controls range (0x80 through 0x9f, of which the worst is CSI at 0x9b).
Also, it may result in undefined behavior, including returning non-zero
on some or all chars, with that "Alpha issue" I mentioned.

2. This trusts the locale.  While this makes sense, you need to realize
that the locale may be based on one's preferences (language, etc.), not
the terminal they use at the moment.  Unfortunately, there exist 8-bit
character encodings that treat the 8-bit terminal controls range as
printable.  There's no perfect way to deal with this problem - it's a
tradeoff.  What's worse, there also exist buggy locales that declare the
8-bit controls as printable even for character encodings not requiring
that (I found some of these in glibc some years ago, we're mass-patching
them in Owl... sorry, I never bothered to report upstream, my fault).
BTW, right now Ncat does not appear to initialize the locale (at least
my quick grep did not find that), so this should be the C locale, which
should hopefully be safe (but this means that the chat won't work for
any 8-bit chars, including safe ones, as long as the C locale is
correctly defined).

> But as far as I can tell this doesn't apply to any other mode, perhaps
> ncat should support a 'text only' option, where only printable
> characters and periods are printed.

Yes, maybe.  Also, the risk may need to be documented.

Thanks,

Alexander

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
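The two points above (the signed-char argument to isprint() and the locale-dependent treatment of the 8-bit control range) can be illustrated with a small filter. The following is an added example written for this archive page; it is not Ncat's code, and the function names safe_isprint and sanitize_for_terminal are hypothetical. It casts every byte to unsigned char before calling isprint(), which is what the ctype functions require, and it rejects the C1 range 0x80 through 0x9f unconditionally, so a locale that declares those bytes printable cannot let CSI (0x9b) through. Bytes that fail the check are replaced with a period, in the spirit of the 'text only' mode suggested in the quoted message.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (added example, not Ncat's code).
 * The cast to unsigned char matters: on platforms where plain char is
 * signed, passing a negative value straight to isprint() is undefined
 * behaviour and may return non-zero for bytes that are not printable. */
int safe_isprint(char c)
{
    unsigned char uc = (unsigned char)c;

    /* Refuse the 8-bit C1 controls (0x80..0x9f, CSI is 0x9b) no matter
     * what the current locale says about them.  This is the tradeoff the
     * message describes: a few legitimate 8-bit encodings lose those
     * code points, but the terminal can never be handed a C1 control. */
    if (uc >= 0x80 && uc <= 0x9f)
        return 0;

    return isprint(uc);
}

/* Rewrite buf in place for terminal display: printable bytes and
 * '\r', '\n', '\t' pass through; everything else becomes '.'.
 * Returns the number of bytes that were replaced. */
size_t sanitize_for_terminal(char *buf, size_t len)
{
    size_t replaced = 0;
    size_t i;

    for (i = 0; i < len; i++) {
        char c = buf[i];
        if (safe_isprint(c) || c == '\r' || c == '\n' || c == '\t')
            continue;
        buf[i] = '.';
        replaced++;
    }
    return replaced;
}

int main(void)
{
    /* Constructed sample: text, an ESC sequence, a raw CSI byte, a newline. */
    char sample[] = { 'o', 'k', 0x1b, '[', '2', 'J', (char)0x9b, 'x', '\n' };
    size_t n = sanitize_for_terminal(sample, sizeof sample);

    printf("%zu bytes replaced: ", n);
    fwrite(sample, 1, sizeof sample, stdout);
    return 0;
}
```

No setlocale() call is made, so as with Ncat the check runs in the C locale, where isprint() already rejects all bytes above 0x7f; the explicit C1 test is what keeps the filter safe if a locale is ever initialised later.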