Nmap Development mailing list archives
Broken service match lines
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 18 Sep 2012 12:45:22 -0500
List,

In a recent scan, I ran into this error:

Scanning 49 services on 27 hosts
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 \d\d\d .*\n.*Server: uClinux-httpd ([\w._-]+)\n'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 \d\d\d .*[^\r]\n.*Server: uc-httpd/([\w._-]+)\r\n'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 \d\d\d .*\n.*Server: uClinux-httpd ([\w._-]+)\n'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 \d\d\d .*[^\r]\n.*Server: uc-httpd/([\w._-]+)\r\n'
Service scan Timing: About 42.86% done; ETC: 11:45 (0:00:41 remaining)
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 \d\d\d .*\n.*Server: uClinux-httpd ([\w._-]+)\n'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 \d\d\d .*[^\r]\n.*Server: uc-httpd/([\w._-]+)\r\n'
Completed Service scan at 11:47, 158.82s elapsed (49 services on 27 hosts)
A little googling revealed this old thread: http://seclists.org/nmap-dev/2009/q2/75
Here's a patch that fixes the issue I was seeing: diff --git a/nmap-service-probes b/nmap-service-probes index 492dd9c..ebc9754 100644 --- a/nmap-service-probes +++ b/nmap-service-probes@@ -7632,8 +7632,8 @@ match http m|^HTTP/1\.[01] \d\d\d .*\r\n.*X-Powered-By: Zope \(www\.zope\.org\), match http m|^HTTP/1\.0 \d\d\d .*Server: lighttpd/([\w._-]+).*<\?xml version=\"1\.0\" encoding=\"iso-8859-1\"\?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1\.0 Transitional//EN\"\n match http m|^HTTP/1\.0 \d\d\d .*<\?xml version=\"1\.0\" encoding=\"iso-8859-1\"\?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1\.0 Transitional//EN\"\n \"http://www\.w3\.org/TR match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Optenet Web Server\r\n| p/Optenet httpd/ -match http m|^HTTP/1\.0 \d\d\d .*\n.*Server: uClinux-httpd ([\w._-]+)\n|s p/uClinux-httpd/ v/$1/ o/Linux/ cpe:/o:linux:kernel/a -match http m|^HTTP/1\.0 \d\d\d .*[^\r]\n.*Server: uc-httpd/([\w._-]+)\r\n|s p/uc-httpd/ v/$1/ +match http m|^HTTP/1\.0 \d\d\d .*Server: uClinux-httpd ([\w._-]+)\n|s p/uClinux-httpd/ v/$1/ o/Linux/ cpe:/o:linux:kernel/a +match http m|^HTTP/1\.0 \d\d\d (?>.*?[^\r]\n).*Server: uc-httpd/([\w._-]+)\r\n|s p/uc-httpd/ v/$1/ match http m|^HTTP/1\.1 200 Document follows\r\nServer: Micro-Web\r\n| p/Micro-Web/ match http m|^HTTP/1\.1 200 OK\r\n.*Server: Indy/([\w._-]+)\r\n|s p/Indy/ v/$1/
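Review bot: In the first added line, dropping `\n.*` before `Server: uClinux-httpd` also drops the requirement that a newline come before the header, so with the `s` modifier the single `.*` can now match that string on the status line itself. Keeping one newline, as in `^HTTP/1\.0 \d\d\d .*\nServer: uClinux-httpd ([\w._-]+)\n`, would still leave a single wildcard to backtrack and would tie `Server:` to the start of a line, at the cost of being narrower than the removed pattern. The atomic group `(?>.*?[^\r]\n)` in the second added line would benefit from a short comment saying that it commits to the first bare LF, since that intent is not obvious from the pattern alone.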
Unfortunately, a little grepping revealed several other match lines with similar problems. Looking at these and others, it looks like copy-pasting match info and then adding the |s modifier may be creating a problem, but I haven't run into it during scans, so I don't quite feel comfortable undertaking a full audit. Perhaps someone could come up with a test program to try out the matches against "pathological" strings without running a full network scan.
In the meantime, does anyone see a problem with the patch above before I commit it?
Dan

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
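A static check for the pattern the post describes (a match line with the `s` modifier and two or more unbounded wildcards outside an atomic group), as an added example that is not from the post or the Nmap project. It is a heuristic rather than a PCRE run, and the function names `parse_match_line`, `free_wildcards` and `lint` are made up for it.

```python
import re

# nmap-service-probes syntax: match <service> m<delim><regex><delim>[is] <versioninfo>
MATCH_RE = re.compile(r'^(?:soft)?match\s+(\S+)\s+m(.)')

def parse_match_line(line):
    """Return (service, regex, flags), or None for anything that is not a match line."""
    m = MATCH_RE.match(line)
    end = line.find(m.group(2), m.end()) if m else -1  # regex runs to the next delimiter
    if end < 0:
        return None
    flags = re.match(r'[is]*', line[end + 1:]).group(0)
    return m.group(1), line[m.end():end], flags

def free_wildcards(regex):
    """Count .* and .+ (greedy or lazy) that sit outside any (?>...) atomic group."""
    count, i, groups, in_class = 0, 0, [], False
    while i < len(regex):
        c = regex[i]
        if c == '\\':  # skip the escaped character, e.g. \. or \d
            i += 2
            continue
        if in_class:
            in_class = c != ']'
        elif c == '[':
            in_class = True
        elif c == '(':
            groups.append(regex.startswith('(?>', i))  # True marks an atomic group
        elif c == ')' and groups:
            groups.pop()
        elif c == '.' and regex[i + 1:i + 2] in ('*', '+') and not any(groups):
            count += 1
        i += 1
    return count

def lint(lines):
    """Return (line number, service) where 's' lets two or more wildcards span the response."""
    parsed = ((n, parse_match_line(l)) for n, l in enumerate(lines, 1))
    return [(n, p[0]) for n, p in parsed
            if p and 's' in p[2] and free_wildcards(p[1]) >= 2]

# The two removed and the two added match lines from the patch in this post.
SAMPLE = [
    r'match http m|^HTTP/1\.0 \d\d\d .*\n.*Server: uClinux-httpd ([\w._-]+)\n|s p/uClinux-httpd/ v/$1/ o/Linux/ cpe:/o:linux:kernel/a',
    r'match http m|^HTTP/1\.0 \d\d\d .*[^\r]\n.*Server: uc-httpd/([\w._-]+)\r\n|s p/uc-httpd/ v/$1/',
    r'match http m|^HTTP/1\.0 \d\d\d .*Server: uClinux-httpd ([\w._-]+)\n|s p/uClinux-httpd/ v/$1/ o/Linux/ cpe:/o:linux:kernel/a',
    r'match http m|^HTTP/1\.0 \d\d\d (?>.*?[^\r]\n).*Server: uc-httpd/([\w._-]+)\r\n|s p/uc-httpd/ v/$1/',
]
```

Calling `lint(SAMPLE)` flags the two removed lines and passes the two replacements; a flagged line is a candidate for review, not proof that it will hit the match limit.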