Nmap Development mailing list archives

Error in nselib/dns.lua (I think)


From: Eugene Alexeev <eugene.alexeev () gmail com>
Date: Fri, 9 Apr 2010 16:12:47 -0600

Gents,

I made a quick post on this yesterday, and spent the last couple of hours
making sure that I was not mistaken.  I'd really like to get something in
terms of feedback, it makes no difference to me if it's a yay or a nay, but
I'd like to get a second set of eyes on this please.

nselib/dns.lua line # 110 currently reads "if #rPkt.answers[1].dtype ==
types.CNAME then".  When I perform a nselib/dns ->
query(#,#,tries=0,norecurse=true) on a server that returns a single CNAME as
the answer, the following exception is
thrown:

Initiating NSE at 16:01
NSE: NSE Script Threads (1) running:
NSE: Starting 'dns-cache-snoop' (thread: 0x1f5fd30) against 192.168.1.11:53.
NSE: Performing a non-recursive query for mail.google.com
NSE: pkt.answers[1].dtype is a (type) of: number
NSE: mail.google.com was in the DNS cache.
NSE: Performing a non-recursive query for gmail.com
NSE: dns.query() failed to resolve the requested query: gmail.com
NSE: gmail.com was not in the DNS cache
NSE: Performing a non-recursive query for mail.yahoo.com
NSE: pkt.answers[1].dtype is a (type) of: number
NSE: 'dns-cache-snoop' (thread: 0x1f5fd30) against 192.168.1.11:53 threw an
error!
/home/ealexeev/local/share/nmap/nselib/dns.lua:110: attempt to get length of
field 'dtype' (a number value)
stack traceback:
    /home/ealexeev/local/share/nmap/nselib/dns.lua:110: in function
'getAuthDns'
    /home/ealexeev/local/share/nmap/nselib/dns.lua:205: in function 'query'
    ...cal/share/nmap-5.30BETA1/scripts/dns-cache-snoop.nse:159: in function
'NoRecursionDnsQuery'
    ...cal/share/nmap-5.30BETA1/scripts/dns-cache-snoop.nse:262: in function
<...cal/share/nmap-5.30BETA1/scripts/dns-cache-snoop.nse:229>
    (tail call): ?

The extra debug messages in the format of NSE: pkt.answers[1].dtype is a
(type) of: x are due to extra debugging code I added to nselib/dns.lua at
line 990:

   if pkt.answers[1] ~= nil and pkt.answers[1].dtype ~= nil then
      stdnse.print_debug("pkt.answers[1].dtype is a (type) of: %s",
type(pkt.answers[1].dtype))
   end

As you can see, pkt.answers[1].dtype appears to always be a number, so the
"#" in line 110 does not make sense.  The dtype of any pkt.answers|options
as defined by this library should always be a number as shown by the
conversion from a string to a number prior to encoding on lines 157-159.  I
have removed the # from line 110 and confirmed that everything appears to
work as expected, but don't have enough knowledge to do any meaningful
regression testing.

If someone could spare a few minutes to take a look at this, it would be
greatly appreciated.  I can provide the .pcap log of the above transaction
if that would be helpful.

Also, what is the process for submitting a new NSE script for review?  I've
written a script that leverages the dns library and would like to submit it
after its testing is done.

If there is another process for submitting this potential bug, I'm all
ears...

Eugene
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
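An added illustration of the defect described in the post, written for this archive page and not taken from nselib/dns.lua or from the poster: a hand-built `types` table and a constructed single-CNAME response stand in for the library's real structures, and the buggy and corrected checks are shown side by side.

```lua
-- Added example (not nselib/dns.lua code). Assumed: a minimal 'types' table
-- and a constructed packet shaped like the rPkt that getAuthDns() inspects.
local types = { A = 1, CNAME = 5 }

-- Constructed response: one CNAME answer, with dtype stored as a number,
-- which is how the library encodes record types.
local rPkt = {
  answers = {
    { dname = "mail.google.com", dtype = types.CNAME,
      cname = "googlemail.l.google.com" },
  },
}

-- The check as reported for dns.lua line 110: applying the length operator
-- '#' to a number raises "attempt to get length of field 'dtype'".
local function is_cname_buggy(pkt)
  return #pkt.answers[1].dtype == types.CNAME
end

-- Corrected check: compare the numeric dtype directly, and guard against an
-- empty answer section so a NXDOMAIN-style reply never indexes a nil record.
local function is_cname_fixed(pkt)
  local first = pkt.answers and pkt.answers[1]
  if first == nil or type(first.dtype) ~= "number" then
    return false
  end
  return first.dtype == types.CNAME
end

-- Reproduce the failure under pcall, then confirm the corrected version.
local ok, err = pcall(is_cname_buggy, rPkt)
assert(not ok and err:find("attempt to get length"), "buggy check did not fail as expected")
assert(is_cname_fixed(rPkt) == true, "CNAME answer not recognised")
assert(is_cname_fixed({ answers = {} }) == false, "empty answer section mishandled")
print("buggy check raised:", err)
print("fixed check on CNAME answer:", is_cname_fixed(rPkt))
```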