Nmap Development mailing list archives

smb-protocols script crashes against NetApp
From: William Faulk <wfaulk () gmail com>
Date: Fri, 22 Sep 2017 17:27:33 -0400

The error is:

/usr/local/bin/../share/nmap/nselib/unicode.lua:201: bad argument #2 to 'unpack' (data string too short)
stack traceback:
        [C]: in function 'string.unpack'
        /usr/local/bin/../share/nmap/nselib/unicode.lua:201: in function 'unicode.utf16_dec'
        /usr/local/bin/../share/nmap/nselib/unicode.lua:70: in function 'unicode.transcode'
        (...tail calls...)
        /usr/local/bin/../share/nmap/nselib/smb.lua:1089: in function 'smb.negotiate_v1'
        /usr/local/bin/../share/nmap/nselib/smb.lua:1150: in function 'smb.list_dialects'
        /usr/local/bin/../share/nmap/scripts/smb-protocols.nse:58: in function </usr/local/bin/../share/nmap/scripts/smb-protocols.nse:54>
        (...tail calls...)

What I found is that inside smb.negotiate_v1, there is an assignment
to "remainder" trying to translate from UTF-16 to UTF-8. The buffer is
99 bytes long. This obviously cannot be a valid UTF-16 string, and the
transcode crashes. There should be better error checking in the
unicode library, but the real problem is probably that the data is not
what is expected. I dumped it, and it doesn't look like it's just the
domain and server names. I don't really know how much of this data I
can supply without compromising myself.

The NetApp this is being run against is running its OS, Data ONTAP
8.1.1P2, in 7-Mode, and this is nmap v7.60.

-- 
Bitt Faulk
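The crash above comes from decoding an odd-length (99-byte) buffer as UTF-16 with no length check. The following Python is an added example, not code from nmap or from the poster: it shows a UTF-16LE decoder that reports a trailing odd byte or a lone surrogate instead of raising, plus a cheap plausibility check (fraction of zero high bytes) for deciding whether a buffer is really UTF-16LE text at all. The sample buffer is constructed here and is not a capture from a NetApp.

```python
import struct

# Constructed sample: two NUL-terminated ASCII names as UTF-16LE (38 bytes),
# followed by 61 bytes of non-text filler, giving a 99-byte odd-length buffer
# like the one in the report. This is made-up data, not a real SMB response.
SAMPLE_TEXT = "WORKGROUP\0SERVER01\0".encode("utf-16-le")
SAMPLE_BUF = SAMPLE_TEXT + bytes(range(61))

REPLACEMENT = "\ufffd"


def utf16le_decode_lenient(buf: bytes):
    """Decode UTF-16LE without ever raising: malformed surrogates become
    U+FFFD and a trailing odd byte is reported rather than crashing.
    Returns (text, problems), where problems is a list of strings."""
    out, problems, i, n = [], [], 0, len(buf)
    while i + 1 < n:                                   # a full 16-bit unit remains
        (cu,) = struct.unpack_from("<H", buf, i)
        i += 2
        if 0xD800 <= cu <= 0xDBFF:                     # high surrogate
            if i + 1 < n:
                (lo,) = struct.unpack_from("<H", buf, i)
                if 0xDC00 <= lo <= 0xDFFF:             # valid surrogate pair
                    i += 2
                    out.append(chr(0x10000 + ((cu - 0xD800) << 10) + (lo - 0xDC00)))
                    continue
            problems.append(f"lone high surrogate 0x{cu:04X} at offset {i - 2}")
            out.append(REPLACEMENT)
        elif 0xDC00 <= cu <= 0xDFFF:                   # low surrogate with no high
            problems.append(f"lone low surrogate 0x{cu:04X} at offset {i - 2}")
            out.append(REPLACEMENT)
        else:
            out.append(chr(cu))
    if i < n:                                          # odd length: one byte left over
        problems.append(f"trailing odd byte 0x{buf[i]:02X} at offset {i} "
                        f"(buffer length {n} is not even)")
    return "".join(out), problems


def ascii_utf16le_ratio(buf: bytes) -> float:
    """Fraction of 16-bit units whose high byte is zero. Domain and server
    names are ASCII, so genuine UTF-16LE text scores near 1.0; binary data
    scores far lower, which flags a buffer that is not what was expected."""
    units = len(buf) // 2
    if units == 0:
        return 0.0
    return sum(1 for k in range(1, 2 * units, 2) if buf[k] == 0) / units


if __name__ == "__main__":
    text, problems = utf16le_decode_lenient(SAMPLE_BUF)
    print(repr(text[:19]), problems, round(ascii_utf16le_ratio(SAMPLE_BUF), 2))
```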
