Nmap Development mailing list archives

RE: nmap-2.54b3+V-2.2 (now 2.21)


From: "Jay Freeman \(saurik\)" <saurik () saurik com>
Date: Mon, 28 Aug 2000 05:22:46 -0500

Actually, I haven't :).  I got the one message from you.  The biggest reason
for that is likely that my name or my e-mail address isn't in nmap+V
anywhere except a CHANGELOG entry having to do with makefiles for 2.54BETA1.

To tell you the truth, I'm even worried about testing it, as I don't know
what that exploit code of his does, and do not have a computer to
temporarily install a test system to run nmap+V on.

I'm sitting here looking at it more carefully, and I think I see where the
problem is.  I think all versions are vulnerable :(.  I was thinking about
it wrong when I first looked at it, and assumed that it was causing problems
when I receive data, which I handle through a reallocated buffer now (and
don't remember what I did at 1.01), so that shouldn't be a problem.
However, I didn't notice that my regmatch() was callously assuming it had
all the memory in the world (well, at least as much as my reallocated
buffer), when it only had a measly 1024 characters.  I really feel silly now
:).

Re-linked the symlinks, same URLs, nmap+V-2.21, has a counter to figure out
how much memory it has left.  While building the next version I am going to
totally rewrite my regmatch() to be a little saner about how it handles
these buffers.  Also fixes a g++ compilation problem I caused right before
building the patch.

I'll work on putting together the C++ patch separately from the nmap+V patch
sometime in the next day or two (probably tomorrow when I am working on that
Solaris machine I mentioned).

Sincerely,
Jay Freeman (saurik)
saurik () saurik com

-----Original Message-----
From: Fyodor [mailto:fyodor () insecure org]
Sent: Monday, August 28, 2000 4:23 AM
To: Jay Freeman (saurik)
Cc: Nmap-Dev; Max Vision
Subject: Re: nmap-2.54b3+V-2.2

On Mon, 28 Aug 2000, Jay Freeman (saurik) wrote:

> nmap-2.54b3+V-2.2 compiles without warnings using g++.  As Fyodor continues
> to break this, I am going to continue to fix it :-).  There are lots of
> modifications to signed/unsigned declarations, triple checked all const
> modifiers, got rid of an annoying variable named "try", etc.

I would be happy to apply any patches for making Nmap C++-clean to the
main tree.  Just send them my way.  Otherwise, I'll try to remember to vet
out C++ problems before the next release.

> This version, like the unannounced version 2.1, has support for pulling
> times off of NTP servers (as requested by the nmap-web guy).  I also added a
> few more nmap-versions rules to this release, most notably Exchange POP and
> IMAP server detection.

Cool!  If nobody on this list finds any showstopper issues in the next day
or so, you might want to send an announcement to nmap-hackers.  That list
is 50X as large as nmap-dev.

You might also want to let them know what versions are vulnerable to the
alleged Nmap+V buffer overflow root hole at
http://inferno.tusculum.edu/~typo/banfuq.c .  Are all 2.X versions safe?
I've been getting a lot of worried mail about this.  I assume you have too.

> this on any port other than the standard 8009 (which isn't in nmap-services,

OK, I just added it.

Cheers,
-Fyodor


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).