Nmap Development mailing list archives

Re: [NSE] Bug (short read) in pop3-capabilities.nse


From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 15 Jun 2012 20:34:05 +0200

On Mon, Jun 11, 2012 at 6:04 PM, Daniel Miller <bonsaiviking () gmail com> wrote:

Hey list,

I would have reported this with a patch, but I never quite got the hang of
reading from sockets in NSE scripts :(

When scanning one of the alexa top 1m hosts via IPv6, ran across this
exception:

NSOCK (0.8110s) TCP connection requested to 2a01:4f8:121:1262::2:110 (IOD
#1) EID 8
NSOCK (0.9530s) Callback: CONNECT SUCCESS for EID 8
[2a01:4f8:121:1262::2:110]
NSE: TCP XXXX:42686 > 2a01:4f8:121:1262::2:110 | CONNECT
NSOCK (0.9530s) Read request from IOD #1 [2a01:4f8:121:1262::2:110]
(timeout: 10000ms) EID 18
NSOCK (1.0920s) Callback: READ SUCCESS for EID 18
[2a01:4f8:121:1262::2:110] (76 bytes): +OK CommuniGate Pro POP3 Server
5.2.20 ready <14999.1339429588 () aenigma gr>..
NSE: TCP XXXX:42686 < 2a01:4f8:121:1262::2:110 | +OK CommuniGate Pro POP3
Server 5.2.20 ready <14999.1339429588 () aenigma gr>

NSE: TCP XXXX:42686 > 2a01:4f8:121:1262::2:110 | 00000000: 43 41 50 41 0d
0a                               CAPA

NSOCK (1.0930s) Write request for 6 bytes to IOD #1 EID 27
[2a01:4f8:121:1262::2:110]: CAPA..
NSOCK (1.0930s) Callback: WRITE SUCCESS for EID 27
[2a01:4f8:121:1262::2:110]
NSE: TCP XXXX:42686 > 2a01:4f8:121:1262::2:110 | SEND
NSOCK (1.0940s) Read request from IOD #1 [2a01:4f8:121:1262::2:110]
(timeout: 10000ms) EID 34
NSOCK (1.2320s) Callback: READ SUCCESS for EID 34
[2a01:4f8:121:1262::2:110] (29 bytes): +OK capability list follows..
NSE: TCP XXXX:42686 < 2a01:4f8:121:1262::2:110 | 00000000: 2b 4f 4b 20 63
61 70 61 62 69 6c 69 74 79 20 6c +OK capability l
00000010: 69 73 74 20 66 6f 6c 6c 6f 77 73 0d 0a          ist follows

NSE: 'pop3-capabilities' (thread: 0x8ba8468) against
2a01:4f8:121:1262::2:110 threw an error!
./nselib/pop3.lua:173: bad argument #2 to 'sub' (number expected, got nil)
stack traceback:
       [C]: in function 'sub'
       ./nselib/pop3.lua:173: in function 'capabilities'
       ./scripts/pop3-capabilities.nse:30: in function
<./scripts/pop3-capabilities.nse:29>
       (...tail calls...)


I checked manually, and this is the response I get:

ncat -vvv -6 freestuff.gr 110
Ncat: Version 6.01 ( http://nmap.org/ncat )
NSOCK (0.0110s) TCP connection requested to 2a01:4f8:121:1262::2:110 (IOD
#1) EID 8
NSOCK (0.1550s) Callback: CONNECT SUCCESS for EID 8
[2a01:4f8:121:1262::2:110]
Ncat: Connected to 2a01:4f8:121:1262::2:110.
NSOCK (0.1560s) Read request from IOD #1 [2a01:4f8:121:1262::2:110]
(timeout: -1ms) EID 18
NSOCK (0.1560s) Read request for 0 bytes from IOD #2 (peer unspecified)
EID 26
NSOCK (0.2970s) Callback: READ SUCCESS for EID 18
[2a01:4f8:121:1262::2:110] (76 bytes)
+OK CommuniGate Pro POP3 Server 5.2.20 ready <15001.1339430446 () aenigma gr

NSOCK (0.2970s) Read request for 0 bytes from IOD #1
[2a01:4f8:121:1262::2:110] EID 34
CAPA
NSOCK (5.0260s) Callback READ SUCCESS for EID 26 (peer unspecified) (5
bytes)
NSOCK (5.0260s) Write request for 5 bytes to IOD #1 EID 43
[2a01:4f8:121:1262::2:110]
NSOCK (5.0260s) Callback: WRITE SUCCESS for EID 43
[2a01:4f8:121:1262::2:110]
NSOCK (5.0260s) Read request for 0 bytes from IOD #2 (peer unspecified)
EID 50
NSOCK (5.1690s) Callback: READ SUCCESS for EID 34
[2a01:4f8:121:1262::2:110] (29 bytes)
+OK capability list follows
NSOCK (5.1690s) Read request for 0 bytes from IOD #1
[2a01:4f8:121:1262::2:110] EID 58
NSOCK (5.3090s) Callback: READ SUCCESS for EID 58
[2a01:4f8:121:1262::2:110] (129 bytes)
SASL LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM
STLS
LAST
TOP
USER
PIPELINING
UIDL
IMPLEMENTATION CommuniGatePro
.
NSOCK (5.3090s) Read request for 0 bytes from IOD #1
[2a01:4f8:121:1262::2:110] EID 66
QUIT
NSOCK (8.9930s) Callback READ SUCCESS for EID 50 (peer unspecified) (5
bytes)
NSOCK (8.9930s) Write request for 5 bytes to IOD #1 EID 75
[2a01:4f8:121:1262::2:110]
NSOCK (8.9940s) Callback: WRITE SUCCESS for EID 75
[2a01:4f8:121:1262::2:110]
NSOCK (8.9940s) Read request for 0 bytes from IOD #2 (peer unspecified)
EID 82
NSOCK (9.1400s) Callback: READ SUCCESS for EID 66
[2a01:4f8:121:1262::2:110] (51 bytes)
+OK CommuniGate Pro POP3 Server connection closed
NSOCK (9.1400s) Read request for 0 bytes from IOD #1
[2a01:4f8:121:1262::2:110] EID 90
NSOCK (9.1400s) Callback: READ EOF for EID 90 [2a01:4f8:121:1262::2:110]
Ncat: 10 bytes sent, 285 bytes received in 9.15 seconds.
NSOCK (9.1400s) Callback: READ KILL for EID 82 (peer unspecified)


As you can see from the debug output, the response is sent in a separate
packet from the "status line", so the pop3 library needs to keep reading
until a "." is seen.

Dan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Thanks for reporting this. I took a stab at it and ended up re-writing
quite a bit of the code in both the pop3 library and the script.
I've committed my changes as r28955.

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
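The read loop Dan describes (keep reading until the terminating "." line, because the status line and the capability list can arrive in separate reads), as an added example in Python rather than the library's Lua. It is not code from nselib/pop3.lua or r28955; ChunkedSocket is a constructed stand-in for a socket that reproduces the short read from the trace.

```python
# Robust reader for POP3 multi-line responses (RFC 1939): keep reading until
# the terminating ".\r\n" line, even when the status line and the body arrive
# in separate reads. ChunkedSocket is a constructed stand-in, not the NSE API.

class ChunkedSocket:
    """Returns one pre-cut chunk per recv(), reproducing the short read."""

    def __init__(self, chunks):
        self._chunks = list(chunks)

    def recv(self, bufsize=4096):
        return self._chunks.pop(0) if self._chunks else b""  # b"" = peer closed


def read_multiline(sock, max_bytes=64 * 1024):
    """Return (status, body_lines). -ERR is single-line; for +OK read until a
    lone "." line, then undo dot-stuffing (".." at line start -> ".")."""
    buf = b""
    while b"\r\n" not in buf:                 # complete the status line first
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before status line")
        buf += chunk
    status, buf = buf.split(b"\r\n", 1)
    status = status.decode("ascii", "replace")
    if not status.startswith("+OK"):
        return status, []
    # body is either ".\r\n" alone (empty list) or ends with "\r\n.\r\n";
    # the bound stops a hostile server from growing the buffer without limit
    while buf != b".\r\n" and not buf.endswith(b"\r\n.\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before terminating '.'")
        buf += chunk
        if len(buf) > max_bytes:
            raise ValueError("multi-line response exceeds %d bytes" % max_bytes)
    raw = buf[:-3].split(b"\r\n")[:-1]        # strip ".\r\n" and trailing ""
    lines = [l[1:] if l.startswith(b"..") else l for l in raw]
    return status, [l.decode("ascii", "replace") for l in lines]


def parse_capa(body_lines):
    """CAPA body (RFC 2449) -> {CAPABILITY: [arguments]}."""
    return {p[0].upper(): p[1:] for p in map(str.split, body_lines) if p}


# Constructed chunks mirroring the trace: the 29-byte status line arrives in
# one read, the 129-byte capability list in a later one.
STATUS = b"+OK capability list follows\r\n"
BODY = (b"SASL LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM\r\nSTLS\r\nLAST\r\n"
        b"TOP\r\nUSER\r\nPIPELINING\r\nUIDL\r\nIMPLEMENTATION CommuniGatePro\r\n.\r\n")
CAPS = parse_capa(read_multiline(ChunkedSocket([STATUS, BODY]))[1])
```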

