Nmap Development mailing list archives

nmap 4.21 alpha4 escaping attribute content


From: Tim Rupp <tarupp () fnal gov>
Date: Mon, 23 Apr 2007 13:07:34 -0500

Hi list,

Not sure if this has been reported yet.

In nmap 4.21 alpha4 I'm running the following scan

nmap -sS -p 80 -A -P0 -T4 --osscan_limit --osscan_guess --host_timeout 40m --max-retries 0 -oX - 111.111.111.111

and nmap is generating a service tag with an attribute called extrainfo. Inside that attribute is data that's not escaped correctly; the "less than" and "greater than" signs, and the double quotes. This causes the XML output to be incorrect.

extrainfo="(Unix) mod_fastcgi/2.4.2 mod_ssl/2.8.19 OpenSSL/0.9.6e" method="probed" conf="10" /><script id="HTML title" output="www-ccf.fnal.gov Homepage<title><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252"> <LINK REL="stylesheet" TYPE="text/css" HREF="/cdincludes/style.css"> <title>Coming soon! CCF Department file server CCFSRV2 " /></port>
</ports>


I've attached the full xml file if that helps. I did a quick search on the web for the proper escape sequences. Not entirely sure how correct that is, but it may be a start.

http://hdf.ncsa.uiuc.edu/HDF5/XML/xml_escape_chars.htm


Thanks!
Tim
<?xml version="1.0" ?>
<?xml-stylesheet href="/usr/local/share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 4.21ALPHA4 scan initiated Mon Apr 23 12:58:25 2007 as: ./nmap -sS -p 80 -A -P0 -T4 -&#45;osscan_limit 
-&#45;osscan_guess -&#45;host_timeout 40m -&#45;max-retries 0 -oX - 131.225.80.22 -->
<nmaprun scanner="nmap" args="./nmap -sS -p 80 -A -P0 -T4 --osscan_limit --osscan_guess --host_timeout 40m 
--max-retries 0 -oX - 131.225.80.22" start="1177351105" startstr="Mon Apr 23 12:58:25 2007" version="4.21ALPHA4" 
xmloutputversion="1.01">
<scaninfo type="syn" protocol="tcp" numservices="1" services="80" />
<verbose level="0" />
<debugging level="0" />
<host><status state="up" />
<address addr="131.225.80.22" addrtype="ipv4" />
<address addr="00:30:48:75:81:52" addrtype="mac" vendor="Supermicro Computer" />
<hostnames><hostname name="ccfsrv2.fnal.gov" type="PTR" /></hostnames>
<ports><port protocol="tcp" portid="80"><state state="open" /><service name="http" product="Apache httpd" 
version="1.3.31" extrainfo="(Unix) mod_fastcgi/2.4.2 mod_ssl/2.8.19 OpenSSL/0.9.6e" method="probed" conf="10" /><script 
id="HTML title" output="www-ccf.fnal.gov Homepage<title><META HTTP-EQUIV="Content-Type" CONTENT="text/html; 
charset=windows-1252"> <LINK REL="stylesheet" TYPE="text/css" HREF="/cdincludes/style.css"> <title>Coming soon!  CCF 
Department file server CCFSRV2 " /></port>
</ports>
</host>
<runstats><finished time="1177351111" timestr="Mon Apr 23 12:58:31 2007"/><hosts up="1" down="0" total="1" />
<!-- Nmap run completed at Mon Apr 23 12:58:31 2007; 1 IP address (1 host up) scanned in 6.224 seconds -->
</runstats></nmaprun>
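The report above shows the failure mode concretely: in the quoted output the `output` attribute of the `<script id="HTML title">` element carries raw `<`, `>` and `"` characters lifted straight from the HTTP response, so any XML parser rejects the document. The following Python is an added example, not Nmap's own code, that reproduces the broken element from the page's own sample string, applies the standard five XML attribute escapes (the same set the linked HDF5 page lists), and checks with a real parser that the escaped form is well-formed and round-trips to the original text. The function names and the `escape=` switch are assumptions made for this illustration.

```python
# Added example (not Nmap's own code): shows why unescaped attribute content
# breaks the XML output described in the report, and the escaping that fixes it.
import xml.etree.ElementTree as ET

# Constructed sample: the script output quoted in the report, as the raw text
# a scanner would capture from the target's HTTP response.
RAW_TITLE_OUTPUT = (
    'www-ccf.fnal.gov Homepage<title><META HTTP-EQUIV="Content-Type" '
    'CONTENT="text/html; charset=windows-1252"> '
    '<LINK REL="stylesheet" TYPE="text/css" HREF="/cdincludes/style.css"> '
    '<title>Coming soon!  CCF Department file server CCFSRV2 '
)


def xml_escape_attr(value: str) -> str:
    """Escape a string for use inside a double-quoted XML attribute.

    '&' must be replaced first; otherwise the '&' introduced by the later
    replacements would itself be re-escaped ("&lt;" would become "&amp;lt;").
    """
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&apos;"))


def script_element(script_id: str, output: str, escape: bool) -> str:
    """Render an Nmap-style <script id="..." output="..." /> element.

    escape=False reproduces the bug in the report (raw text written straight
    into the attribute); escape=True applies xml_escape_attr() to both values.
    """
    esc = xml_escape_attr if escape else (lambda s: s)
    return '<script id="%s" output="%s" />' % (esc(script_id), esc(output))


def parse_attr(xml_text: str, attr: str):
    """Parse a single element and return the named attribute, or None when the
    text is not well-formed XML (the symptom the report describes)."""
    try:
        return ET.fromstring(xml_text).get(attr)
    except ET.ParseError:
        return None


def roundtrip_ok(value: str) -> bool:
    """True if escaping, embedding and parsing yields exactly the original string."""
    element = script_element("HTML title", value, escape=True)
    return parse_attr(element, "output") == value


if __name__ == "__main__":
    broken = script_element("HTML title", RAW_TITLE_OUTPUT, escape=False)
    fixed = script_element("HTML title", RAW_TITLE_OUTPUT, escape=True)
    print("unescaped element parses:", parse_attr(broken, "output") is not None)
    print("escaped element round-trips:", roundtrip_ok(RAW_TITLE_OUTPUT))
    print(fixed)
```

The same check is useful on the consumer side: anything that ingests scanner XML from an untrusted network (the title text here is attacker-controlled, since the scanned host chooses it) should parse with a strict XML parser rather than regular expressions, so that a malformed or deliberately crafted value fails closed instead of being misread as extra elements or attributes.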

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
