Nmap Development mailing list archives

Broken service match lines


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 18 Sep 2012 12:45:22 -0500

List,

In a recent scan, I ran into this error:
Scanning 49 services on 27 hosts
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 \d\d\d .*\n.*Server: uClinux-httpd ([\w._-]+)\n'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 \d\d\d .*[^\r]\n.*Server: uc-httpd/([\w._-]+)\r\n'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 \d\d\d .*\n.*Server: uClinux-httpd ([\w._-]+)\n'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 \d\d\d .*[^\r]\n.*Server: uc-httpd/([\w._-]+)\r\n'
Service scan Timing: About 42.86% done; ETC: 11:45 (0:00:41 remaining)
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 \d\d\d .*\n.*Server: uClinux-httpd ([\w._-]+)\n'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 \d\d\d .*[^\r]\n.*Server: uc-httpd/([\w._-]+)\r\n'
Completed Service scan at 11:47, 158.82s elapsed (49 services on 27 hosts)

A little googling revealed this old thread: http://seclists.org/nmap-dev/2009/q2/75

Here's a patch that fixes the issue I was seeing:

diff --git a/nmap-service-probes b/nmap-service-probes
index 492dd9c..ebc9754 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
@@ -7632,8 +7632,8 @@ match http m|^HTTP/1\.[01] \d\d\d .*\r\n.*X-Powered-By: Zope \(www\.zope\.org\), match http m|^HTTP/1\.0 \d\d\d .*Server: lighttpd/([\w._-]+).*<\?xml version=\"1\.0\" encoding=\"iso-8859-1\"\?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1\.0 Transitional//EN\"\n match http m|^HTTP/1\.0 \d\d\d .*<\?xml version=\"1\.0\" encoding=\"iso-8859-1\"\?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1\.0 Transitional//EN\"\n \"http://www\.w3\.org/TR match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Optenet Web Server\r\n| p/Optenet httpd/ -match http m|^HTTP/1\.0 \d\d\d .*\n.*Server: uClinux-httpd ([\w._-]+)\n|s p/uClinux-httpd/ v/$1/ o/Linux/ cpe:/o:linux:kernel/a -match http m|^HTTP/1\.0 \d\d\d .*[^\r]\n.*Server: uc-httpd/([\w._-]+)\r\n|s p/uc-httpd/ v/$1/ +match http m|^HTTP/1\.0 \d\d\d .*Server: uClinux-httpd ([\w._-]+)\n|s p/uClinux-httpd/ v/$1/ o/Linux/ cpe:/o:linux:kernel/a +match http m|^HTTP/1\.0 \d\d\d (?>.*?[^\r]\n).*Server: uc-httpd/([\w._-]+)\r\n|s p/uc-httpd/ v/$1/ match http m|^HTTP/1\.1 200 Document follows\r\nServer: Micro-Web\r\n| p/Micro-Web/ match http m|^HTTP/1\.1 200 OK\r\n.*Server: Indy/([\w._-]+)\r\n|s p/Indy/ v/$1/
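Review bot: the uc-httpd rewrite to `(?>.*?[^\r]\n).*Server: uc-httpd/` is equivalent to the old `.*[^\r]\n.*Server: uc-httpd/` under the `s` modifier: if any bare LF precedes the Server header then the first one does too, so committing to it atomically loses no matches while removing the retry from every later LF that was hitting PCRE's match limit. The uClinux-httpd line is fixed differently, by dropping `\n.*` outright; with `s` in effect that behaves like the old pattern except that a line break between the status line and the Server header is no longer required, which is harmless for HTTP but worth a mention in the commit message, or, for consistency with the line below it, `(?>.*?\n).*Server:` would keep the original constraint. The version capture `([\w._-]+)` and the version-info fields on both lines are unchanged.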

Unfortunately, a little grepping revealed several other match lines with similar problems. Looking at these and others, it looks like copy-pasting match info and then adding the |s modifier may be creating a problem, but I haven't run into it during scans, so I don't quite feel comfortable undertaking a full audit. Perhaps someone could come up with a test program to try out the matches against "pathological" strings without running a full network scan.

In the meantime, does anyone see a problem with the patch above before I commit it?

Dan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

