Re: Always practice safe software: a lesson from UnrealIRCd

[Ron <ron () skullsecurity net>]

On Fri, 18 Jun 2010 14:09:21 -0600 David Fifield
<david () bamsoftware com> wrote:
> Hey guys, this script looks really good. However I found it gives a
> lot of false positives when many instances of the script are run,
> because the timer is started before the socket is connected, and the
> script may block waiting for the socket. I ran against the 592
> addresses from http://seclists.org/nmap-dev/2010/q2/830.
>
> nmap --datadir . -p 6666,6667 -iL unreal.nmap -d
> --script=irc-unrealircd-backdoor.nse
>
> It's clear what's happening in the output:
>
> NSE: irc-unrealircd-backdoor: Received a response to our command in 2
> seconds NSE: irc-unrealircd-backdoor: The Trojanned version of
> unrealircd probably isn't ...
> NSE: irc-unrealircd-backdoor: Received a response to our command in
> 37 seconds NSE: irc-unrealircd-backdoor: Looks like the Trojanned
> unrealircd is running! NSE: Finished irc-unrealircd-backdoor against
> 213.232.94.72:6667. NSE: irc-unrealircd-backdoor: Received a response
> to our command in 38 seconds NSE: irc-unrealircd-backdoor: Looks like
> the Trojanned unrealircd is running! NSE: Finished
> irc-unrealircd-backdoor against 213.186.37.193:6667. NSE:
> irc-unrealircd-backdoor: Received a response to our command in 38
> seconds NSE: irc-unrealircd-backdoor: Looks like the Trojanned
> unrealircd is running! NSE: Finished irc-unrealircd-backdoor against
> 89.105.117.89:6667. NSE: irc-unrealircd-backdoor: Received a response
> to our command in 38 seconds NSE: irc-unrealircd-backdoor: Looks like
> the Trojanned unrealircd is running! NSE: Finished
> irc-unrealircd-backdoor against 12.96.164.10:6667. NSE:
> irc-unrealircd-backdoor: Receive failed: TIMEOUT ... NSE:
> irc-unrealircd-backdoor: Received a response to our command in 222
> seconds NSE: irc-unrealircd-backdoor: Looks like the Trojanned
> unrealircd is running! NSE: Finished irc-unrealircd-backdoor against
> 171.25.159.12:6666.
>
> I think it will work if you start the timer after the call to
> comm.tryssl, not before.
>
> I also saw this error at least three times:
>
> NSE: irc-unrealircd-backdoor against 209.126.180.156:6666 threw an
> error! ./scripts/irc-unrealircd-backdoor.nse:105: attempt to
> concatenate local 'response' (a nil value) stack traceback:
>         ./scripts/irc-unrealircd-backdoor.nse:105: in function
> <./scripts/irc-unrealircd-backdoor.nse:55> (tail call): ?
>
> Other addresses where it happened were 66.235.194.60:6667 and
> 118.98.162.85:6667.
>
> If you can run this same test and make it work, then please go ahead
> and commit the script.
>
> David Fifield
You're suggestion of starting the timer after comm.tryssl() is a good one, but I'm not sure it'll solve the problem. I 
don't understand how lua threads work, so Patrick or others can correct me if I'm wrong, but I'm assuming that as soon 
as I do a send() or receive() my script relinquishes its timeslice and others have a chance to run. As a result, won't 
we still run into the same issue?

I could be mistaken, please let me know if I am. 

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86

Attachment: _bin
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/