Weird verbosity effect with nse_selectedbyname and post-scanning

[David Fifield <david () bamsoftware com>]

Hi,

I've just discovered that the message "NSE: Script Post-scanning.",
which is only supposed to be printed in verbose mode, can be printed
without verbose mode.

$ ./nmap --datadir . --script http-php-version scanme.nmap.org -p80

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-10 14:00 MDT
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.066s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-php-version: Logo query returned unknown hash b2a24d35ffb001ed815a41578134bd46
|_Credits query returned unknown hash b2a24d35ffb001ed815a41578134bd46

NSE: Script Post-scanning.
Nmap done: 1 IP address (1 host up) scanned in 8.94 seconds

The secret is in the extra verbosity boost that scripts selected by name
get. The code calls nse_selectedbyname in nse_nmaplib.cc to see if a
script was selected by name, and increases the verbosity level by one if
it is. nse_selectedbyname calls _R[SELECTED_BY_NAME] in nse_main.lua,
which is

  _R[SELECTED_BY_NAME] = function()
    return current and current.selected_by_name;
  end

My guess is that after the normal script scanning is completed, current
is set to the http-php-version instance. Even though nmap.verbosity is
being called on behalf of the scripting engine, not a script, it still
gets a verbosity boost.

Does someone have a proposed solution to this? Set current to nil after
a round of script scanning? It might still cause a problem when the
engine calls verbosity in the middle of a round. Use a separate
verbosity function for the engine?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/