Nmap Development mailing list archives

A couple more issues with http.lua


From: Ron <ron () skullsecurity net>
Date: Thu, 20 Aug 2009 10:14:39 -0500

Hi all,

I was getting some weird errors when scanning some SSL-only servers (in
particular, an embedded Arcsight system that runs some form of Apache
Tomcat). I eventually realized it was trying to start a non-SSL
connection on port 443. I traced it back to this code:
--
local function is_ssl(port_number)
    local common_ssl_ports = {465, 989, 990, 992, 993, 994, 995, 587, 6697, 6679, 8443}
...
--

The issue is that "tcp" is given priority over "ssl", since port 443 is
missing from the list, and also that the server responds to an HTTP
request on a HTTPS port with a 400 Bad Request, making Nmap think it
worked. So I added 443 to that list (and I'll commit that change, unless
there's some reason it was left off?), and now I get this error:
--
NSE: http-enum against x.x.x.125:443 threw an error!
./nselib/http.lua:629: attempt to concatenate local 'limit' (a nil
value)
stack traceback:
        ./nselib/http.lua:629: in function 'pipeline'
        ./scripts/http-enum.nse:169: in function
<./scripts/http-enum.nse:42>
        (tail call): ?
--

I traced it back to this line:
--
      if response.header["keep-alive"] then
        local max = string.match( response.header["keep-alive"], "max\=(%d*)")
        return max
      else
        return 40
      end
--

While the server returns this:
--
status-line: HTTP/1.1 404 Not Found
header:
  connection: Keep-Alive
  keep-alive: timeout=15
  date: Thu, 20 Aug 2009 15:07:31 GMT
  content-type: text/html; charset=iso-8859-1
  server: Apache
status: 404
cookies:
body:
--

So, the match is failing and 'nil' is being returned. The fix for it
would be checking if max is nil and returning 40 if it is.

I've made both those changes and tested them against a few known bad systems. They seem to work fine. A diff is attached; let me know if you want me to apply it.

Ron

(PS: Sorry if the linebreaks get screwed up, I am forwarding this from Outlook)
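As an added example, not code from Ron's attached diff or from Nmap's http.lua, here is a Lua version of that limit check which handles a Keep-Alive header with no max= parameter (the failing case quoted above) as well as one carrying several parameters; the names DEFAULT_MAX, parse_keep_alive and get_pipeline_limit are assumptions, and the sample responses are constructed.

```lua
-- Added example (not Ron's patch and not Nmap's http.lua): a keep-alive
-- parser that tolerates a header without a max= parameter. It assumes a
-- response table shaped like the one printed above
-- (response.header["keep-alive"]); DEFAULT_MAX is a placeholder value.
local DEFAULT_MAX = 40

-- Parse "timeout=15, max=100" style values into a table of numbers,
-- keyed by lower-cased parameter name. Unknown or malformed pieces are
-- simply skipped rather than producing nil surprises downstream.
local function parse_keep_alive(value)
  local params = {}
  if value == nil then return params end
  for name, num in string.gmatch(value, "(%a+)%s*=%s*(%d+)") do
    params[string.lower(name)] = tonumber(num)
  end
  return params
end

-- Pipeline limit: the server's max= when present and positive, otherwise
-- DEFAULT_MAX. This never returns nil, so a later concatenation of the
-- limit into a string (the crash in the traceback above) cannot happen.
local function get_pipeline_limit(response)
  if response and response.header then
    local max = parse_keep_alive(response.header["keep-alive"]).max
    if max and max > 0 then return max end
  end
  return DEFAULT_MAX
end

-- Constructed sample responses mirroring the Apache reply quoted above.
local samples = {
  { header = { ["keep-alive"] = "timeout=15" } },          -- no max= -> 40
  { header = { ["keep-alive"] = "timeout=5, max=100" } },  -- max=100
  { header = { ["keep-alive"] = "max=0" } },               -- max=0 -> 40
  { header = {} },                                         -- absent -> 40
}
for i, r in ipairs(samples) do
  print(i, get_pipeline_limit(r))
end
```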

Attachment: http-ssl-fixes.diff
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org