Nmap Development mailing list archives

Re: http.lua not handling malformed HTTP response gracefully

From: Patrick Donnelly <batrick () batbytes com>
Date: Thu, 2 Jul 2009 15:19:19 -0600

Hi Brandon,

On Thu, Jul 2, 2009 at 2:41 PM, Brandon Enright<bmenrigh () ucsd edu> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all, I ran into a machine on campus (Cannon Printer) that causes
NSE to hang forever in a busy-loop.  Since the script never yields even
host timeout doesn't help.

Thanks to David's sharp eye and troubleshooting genius, I have attached
a simple test case.

You can make a listener with:

sudo ncat -l 80 --sh-exec "cat bad-http.txt"

And you can scan it with:

nmap --script=html-title -p 80 -d2 localhost

With high debugging on, you should see something like:

...
NSOCK (0.1030s) Read request from IOD #1 [x.y.179.88:80] (timeout: 7000ms) EID 34
NSOCK (0.1030s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.1030s) Callback: READ EOF for EID 34 [x.y.179.88:80]
NSE: TCP x.y.1.115:38187 > x.y.179.88:80 | CLOSE
<hang forever at 100% CPU here>

David points out that the likely culprit is that the HTTP response
includes "Transfer-Encoding: chunked" but the response is not actually
chunked.

All the scripts that make use of http.lua will die when this happens.


You both may already be aware of this: I'm looking at http.lua where
the problem apparently is:

    while ( ptr < ( type( body ) == "string" and body:len() ) or 1 ) do
      local hex = body:match( pattern, ptr )
      if not hex then break end
      chunk_len = tonumber( hex or 0, 16 ) or nil
      if chunk_len then
        start = ptr + hex:len() + 2*body_delim:len()
        ptr = start + chunk_len
        b[#b+1] = body:sub( start, ptr-1 )
      end
    end

In the case David gave, hex is always the string "<HTML>". Because
chunk_len is always going to be "nil", the loop never advances past
the first match in body. I don't know the appropriate way to handle
this (break the loop if chunk_len ever equals nil? advance ptr by 1?).


-- 
-Patrick Donnelly

"Let all men know thee, but no man know thee thoroughly: Men freely
ford that see the shallows."

- Benjamin Franklin

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

http.lua not handling malformed HTTP response gracefully Brandon Enright (Jul 02)
- Re: http.lua not handling malformed HTTP response gracefully Patrick Donnelly (Jul 02)
  - Re: http.lua not handling malformed HTTP response gracefully David Fifield (Jul 02)
- Re: http.lua not handling malformed HTTP response gracefully David Fifield (Jul 08)