Nmap Development mailing list archives

Re: nmap potentially vulnerable to Windows DLL Hijacking


From: Rob Nicholls <robert () robnicholls co uk>
Date: Tue, 31 Aug 2010 21:21:17 +0100

This is presumably similar to the Wireshark issue:

http://www.exploit-db.com/exploits/14721/
http://www.nessus.org/plugins/index.php?view=single&id=48943

I must admit I was surprised to hear that Nmap tries to load this file
as it's not one that's usually distributed with WinPcap (it's related to
AirPcap, a separate project from CACE Technologies). I presume we can do
something in Nmap to fix/workaround this issue (perhaps copy whatever
the Wireshark developers have done in 1.2.11?).

Rob

On Wed, 1 Sep 2010 00:40:13 +0530 (IST), Nikhil Mittal
<nikhil_uitrgpv () yahoo co in> wrote:
Hi,

I was just checking nmap 5.21 for Windows DLL hijacking and it seems
that nmap is searching for airpcap.dll in an "insufficiently qualified
path". If I force nmap to open a file from a network share, it does try
to load the DLL from that share; does that mean it is vulnerable? Correct
me if I am wrong. I am unable to exploit the vulnerability because while
accessing airpcap.dll from the network share I can see FAST IO Disallowed
in procmon. I have no idea whether this is something deliberately
done for some reason in nmap. To sum up: it seems that the latest nmap is
vulnerable to the Windows DLL Hijacking flaw.

Regards,

Nikhil Mittal




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
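The thread's diagnosis rests on watching, in Process Monitor, where a process goes looking for a DLL that is not installed (airpcap.dll is absent on any machine without AirPcap, so the loader walks its whole search order). The following is an added example, not code from the thread or from the Nmap project, that automates that review step: it reads Process Monitor CSV export lines (the standard export columns "Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"), flags CreateFile lookups of .dll files that resolve outside the Windows system directories or onto a UNC share, and lists DLL names that were never found anywhere. The log lines, process name and paths are constructed for the example, and the system-directory list is a simplification of the real loader search order.

```python
"""Spot DLL lookups in insufficiently qualified locations in a Procmon CSV export.

Added example for the nmap-dev DLL-hijacking thread; not part of Nmap.
The CSV text below is constructed and mimics a Process Monitor export.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of a Procmon CSV export (not real nmap output).
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"00:40:13.100","nmap.exe","1234","CreateFile","C:\\Windows\\System32\\ws2_32.dll","SUCCESS","Desired Access: Read"
"00:40:13.101","nmap.exe","1234","CreateFile","\\\\fileserver\\scans\\airpcap.dll","NAME NOT FOUND","Desired Access: Read"
"00:40:13.102","nmap.exe","1234","CreateFile","C:\\Windows\\System32\\airpcap.dll","NAME NOT FOUND","Desired Access: Read"
"00:40:13.103","nmap.exe","1234","CreateFile","C:\\Users\\rob\\Downloads\\airpcap.dll","NAME NOT FOUND","Desired Access: Read"
"00:40:13.104","nmap.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\Example","SUCCESS",""
"""

# Simplified set of trusted load locations (assumption: a real review should
# also model the application directory, SafeDllSearchMode and KnownDLLs).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")


@dataclass(frozen=True)
class DllLookup:
    process: str
    path: str
    result: str
    reason: str  # why this lookup is suspicious


def dll_basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_path(path: str) -> Optional[str]:
    """Return a reason string if a DLL path is insufficiently qualified, else None."""
    low = path.lower()
    if not low.endswith(".dll"):
        return None
    if low.startswith("\\\\"):
        return "unc-share"  # loader reached out to a network share
    if not any(low.startswith(d) for d in SYSTEM_DIRS):
        return "non-system-directory"  # e.g. CWD or a user-writable folder
    return None


def _createfile_rows(csv_text: str, process: Optional[str]):
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile":
            continue
        if process and row["Process Name"].lower() != process.lower():
            continue
        yield row


def find_unqualified_dll_lookups(csv_text: str, process: Optional[str] = None) -> List[DllLookup]:
    """List every .dll CreateFile that hit a share or a non-system directory."""
    findings = []
    for row in _createfile_rows(csv_text, process):
        reason = classify_path(row["Path"])
        if reason:
            findings.append(DllLookup(row["Process Name"], row["Path"], row["Result"], reason))
    return findings


def never_found_dlls(csv_text: str, process: Optional[str] = None) -> Set[str]:
    """DLL names the process searched for but never opened successfully.

    A DLL that is absent from every location is the classic hijacking
    candidate, because the loader keeps searching down its path order.
    """
    seen, found = set(), set()
    for row in _createfile_rows(csv_text, process):
        if not row["Path"].lower().endswith(".dll"):
            continue
        name = dll_basename(row["Path"])
        seen.add(name)
        if row["Result"] == "SUCCESS":
            found.add(name)
    return seen - found


if __name__ == "__main__":
    for f in find_unqualified_dll_lookups(SAMPLE_PROCMON_CSV, "nmap.exe"):
        print(f"{f.process}: {f.path} -> {f.result} [{f.reason}]")
    print("never found:", sorted(never_found_dlls(SAMPLE_PROCMON_CSV, "nmap.exe")))
```

Run against a real export (Procmon's File > Save as CSV) with the process name of interest; a DLL that appears in `never_found_dlls` and also in a `non-system-directory` or `unc-share` finding is exactly the condition the thread describes for airpcap.dll, and the fix on the application side is to load such optional DLLs only by fully qualified path or from the system directory.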

