Nmap Development mailing list archives
Re: [nmap-svn] r23266 - in nmap: . nselib scripts
From: David Fifield <david () bamsoftware com>
Date: Mon, 23 May 2011 15:05:16 -0700
On Mon, May 23, 2011 at 02:43:47PM -0700, commit-mailer () insecure org wrote:
Author: batrick Date: Mon May 23 14:43:46 2011 New Revision: 23266 Log: Set the math.randomseed value in nse_main.lua on behalf of scripts. Since Lua uses the C rand and srand functions, which have a static seed for the entire program, we don't want scripts doing this themselves. Modified: nmap/nse_main.lua nmap/nselib/mssql.lua nmap/nselib/rpc.lua nmap/nselib/sip.lua nmap/nselib/tns.lua nmap/scripts/dhcp-discover.nse nmap/scripts/dns-fuzz.nse nmap/scripts/nping-brute.nse nmap/scripts/oracle-enum-users.nse nmap/scripts/sip-brute.nse nmap/scripts/smb-brute.nse nmap/scripts/smb-psexec.nse Modified: nmap/nse_main.lua ============================================================================== --- nmap/nse_main.lua (original) +++ nmap/nse_main.lua Mon May 23 14:43:46 2011 @@ -96,6 +96,12 @@ local math = require "math"; local max = math.max; +-- Due to heap randomization (on most Operating Systems), we can use a +-- Lua function address as a good seed for the C srand function. If there +-- is no heap randomization, it's still a decently random integer; that is, +-- it's no better or worse than os.time(). +math.randomseed(tonumber(tostring(function() end):match("function: (0x%x+)"))); +
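Review bot: the seed in the added `math.randomseed(tonumber(tostring(function() end):match("function: (0x%x+)")))` line is a heap address of the running process, so any script output that is derived from `math.random` gives an observer the material to infer a pointer into Nmap's address space, which undercuts ASLR; drawing the seed from an OS entropy source would keep the centralization benefit of this change without that exposure. The expression also assumes `tostring` of a function renders as `function: 0x...`; on C libraries whose `%p` prints the address without a `0x` prefix the `match` returns nil and `tonumber(nil)` raises an error at engine startup, so the code should accept both forms or fall back to another seed when the match fails.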
This is a good idea, to centralize the seeding. But I'm a bit worried that an attacker could observe the numbers produced by NSE, invert the generator, and learn an address in Nmap's memory space to defeat ASLR. Could we use for example get_random_uint from Nbase instead? That's ultimately seeded by /dev/urandom.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
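The alternative raised in the reply, seeding from an OS entropy source rather than from a function address, as an added Lua 5.1 example (this is not Nmap's code and not the nse_main.lua change under discussion): it reads four bytes from /dev/urandom, assembles them into a 32-bit integer for math.randomseed, and falls back to a time-based seed only when the device is unavailable. The function names and the fallback are this example's own choices, not anything from the commit.

```lua
-- Added example, not from the Nmap tree: seed Lua's math.random from the OS
-- entropy pool so that values later observable in script output carry no
-- information about the process's memory layout.

local function read_urandom_seed()
  -- Returns a 32-bit unsigned integer from /dev/urandom, or nil if it is
  -- not available (e.g. on Windows).
  local f = io.open("/dev/urandom", "rb")
  if not f then return nil end
  local bytes = f:read(4)
  f:close()
  if not bytes or #bytes < 4 then return nil end
  -- Lua 5.1 has no bitwise operators in the core language, so build the
  -- integer arithmetically; 2^32 - 1 is exactly representable as a double.
  local seed = 0
  for i = 1, 4 do
    seed = seed * 256 + bytes:byte(i)
  end
  return seed
end

local function fallback_seed()
  -- Last resort only: low-entropy, but it leaks no pointer value.
  return os.time() + math.floor(os.clock() * 1000000)
end

local function seed_random()
  -- Seeds the C PRNG exactly once on behalf of all scripts and reports which
  -- source was used so the caller can log it.
  local seed = read_urandom_seed()
  local source = "urandom"
  if not seed then
    seed = fallback_seed()
    source = "time"
  end
  math.randomseed(seed)
  return source
end

-- Usage (constructed): call once at engine start, before any script runs.
local source = seed_random()
print("math.random seeded from " .. source)
```

Because /dev/urandom is read as a plain file, this needs no binding into nbase; an engine that already exposes get_random_uint to Lua could substitute that call for read_urandom_seed and keep the same fallback structure.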