Nmap Development mailing list archives
Nmap causes critical error on Novell Netware 6 SP5
From: Axel Pettinger <api () worldonline de>
Date: Sun, 05 Feb 2006 19:28:51 +0100
Hi,

Don't know whether there's something one of you can do to prevent the problem in future Nmap versions, nevertheless I'd like to report that the following Nmap command (on XPSP1) causes an "abnormal end" (abend) on a Novell Netware 6 SP5 server:

nmap -p514 -d9 -A -oN 514_2.txt <server-ip>

->
-----------------------------------------------------------------------
# Nmap 4.00 scan initiated Sun Feb 05 17:58:48 2006 as: nmap -p514 -d9 -A -oN 514_2.txt <server_ip>
(...)
Completed OS Detection against <server_ip> at 43.032s (took 2.227s)
Interesting ports on <server name> (server_ip):
PORT    STATE SERVICE VERSION
514/tcp open  shell?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port514-TCP:V=4.00%I=7%D=2/5%Time=43E62EDB%P=i686-pc-windows-windows%r(
SF:DNSVersionBindReq,1,"\0");
OS details: BlueCoat SG4, Cayman 2E DSL/CABLE router, IBM AIX v3.2.5 - 4, IBM AIX 4.02.0001.0000, IBM AIX 4.2, IBM AIX 4.2-4.3.3, IBM AIX 4.3, IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/*, IBM AIX 4.3.3.0 on an IBM RS/*, IBM AIX v4.2, IBM AIX Version 4.3, Linux 1.3.20 (x86), Microsoft Windows 2003 Server, Microsoft Windows XP Home Edition (English) SP2, Netscreen 5XP firewall+vpn (os 4.0.3r2.0), OpenBSD 3.6 x86 with pf "scrub in all", Symantec Gateway Security 5310 Firewall, ZyXel 944S Prestige router
OS Fingerprint:
TSeq(Class=TR%IPID=RPI%TS=U)
T1(Resp=N)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Random positive increments
# Nmap run completed at Sun Feb 05 17:59:31 2006 -- 1 IP address (1 host up) scanned in 43.064 seconds
-----------------------------------------------------------------------

The "System Console" shows the message:

"2-05-2006 5:58:39 pm: SERVER-5.60-4631 [nmID=1001C] WARNING! Server (...) experienced a critical error. The offending process was suspended or recovered. However, services hosted by this server may have been affected."

On the "Logger Screen" the following message appeared several times:

"TLI-4.30-0012: an asynchronous event has occurred; RCMDSRV-4.21: t_rcv: can't get stderr port"

Extract from the abend log:

*********************************************************
Server (...) halted Sunday, February 5, 2006 5:58:37.580 pm
Abend 1 on P00: Server-5.60.05: Page Fault Processor Exception (Error code 00000000)

Registers:
  CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
  EAX = 00000000 EBX = 85386E40 ECX = 00000000 EDX = 826669E2
  ESI = 83817060 EDI = 8265ACD0 EBP = 85742960 ESP = 857423E0
  EIP = C8D10FB0 FLAGS = 00010286
  C8D10FB0 0FB601 MOVZX EAX,byte ptr [ECX]=?
  EIP in LIBC.NLM at code start +00082FB0h
  Access Location: 0x00000000

The violation occurred while processing the following instruction:
C8D10FB0 0FB601 MOVZX EAX,byte ptr [ECX]
C8D10FB3 3C41   CMP AL,41
C8D10FB5 0FB61A MOVZX EBX,byte ptr [EDX]
C8D10FB8 7206   JB C8D10FC0
C8D10FBA 3C5A   CMP AL,5A
C8D10FBC 7702   JA C8D10FC0
C8D10FBE 0420   ADD AL,20
C8D10FC0 80FB41 CMP BL,41
C8D10FC3 7208   JB C8D10FCD
C8D10FC5 80FB5A CMP BL,5A

Running process: rcmdsrv 6 Process
Thread Owned by NLM: RCMDSRV.NLM
Stack pointer: 85742240
OS Stack limit: 857369C0
Scheduling priority: 67371008
Wait state: 5050100 Delayed
Stack: --85386E40 ?
(...)

Additional Information:
The CPU encountered a problem executing code in LIBC.NLM. The problem may be in that module or in data passed to that module by a process owned by RCMDSRV.NLM.

Loaded Modules:
(...)
*********************************************************

RCMDSRV.NLM v4.21 Mar. 1, 2002 rcmdsrv nlm
LIBC.NLM v7.05 Jun. 23, 2004 Standard C Runtime Library for NLMs [optimized, 5]

Similar abends happened on several Netware production servers when we had penetration testers in the house a short time before Christmas. We never knew for sure but it's likely that they were the cause for the abends and the tool they used to scan the network was probably Nmap ...

Regards,
Axel Pettinger

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
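Added example, not part of the original post and not Nmap's own code: a small Python parser for the service fingerprint quoted in the report above, useful when correlating a scan with a crash because it shows which version-detection probe drew a response from port 514 and the timestamp the fingerprint carries. The function names are hypothetical, and the escape set and the hex length field are assumptions about Nmap's fingerprint format.

```python
import re
from datetime import datetime, timezone

# Fingerprint copied from the report above, wrapped the way Nmap prints it.
FINGERPRINT = r'''SF-Port514-TCP:V=4.00%I=7%D=2/5%Time=43E62EDB%P=i686-pc-windows-windows%r(
SF:DNSVersionBindReq,1,"\0");'''

# Assumed escape set: \0 \r \n \t \\ \" plus \xHH for other bytes.
_SIMPLE = {"0": 0, "r": 13, "n": 10, "t": 9, "\\": 92, '"': 34}
_PROBE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')

def unwrap(text):
    """Join wrapped output: every continuation line starts with 'SF:'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    return lines[0] + "".join(ln[3:] if ln.startswith("SF:") else ln for ln in lines[1:])

def unescape(s):
    """Turn the quoted, escaped response back into raw bytes."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "\\" and s[i + 1:i + 2] == "x":
            out.append(int(s[i + 2:i + 4], 16))
            i += 4
        elif s[i] == "\\" and i + 1 < len(s):
            out.append(_SIMPLE.get(s[i + 1], ord(s[i + 1])))
            i += 2
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)

def parse_fingerprint(text):
    flat = unwrap(text)
    head = flat.partition("%r(")[0]
    m = re.match(r"SF-Port(\d+)-(\w+):(.*)", head)
    if not m:
        raise ValueError("not an Nmap service fingerprint")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split("%") if "=" in kv)
    return {
        "port": int(m.group(1)),
        "proto": m.group(2),
        "fields": fields,
        # Time= is read as hex seconds since the Unix epoch (assumption).
        "time": datetime.fromtimestamp(int(fields["Time"], 16), tz=timezone.utc),
        # (probe name, response length declared in hex, decoded response bytes)
        "probes": [(n, int(l, 16), unescape(d)) for n, l, d in _PROBE.findall(flat)],
    }

if __name__ == "__main__":
    print(parse_fingerprint(FINGERPRINT))
```

For this report the only recorded response is a single NUL byte to the DNSVersionBindReq probe, and the decoded timestamp falls inside the scan window shown in the Nmap output (the log times are local, the decoded value is UTC).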