Nmap Development mailing list archives
Re: http.lua not handling malformed HTTP response gracefully
From: Patrick Donnelly <batrick () batbytes com>
Date: Thu, 2 Jul 2009 15:19:19 -0600
Hi Brandon, On Thu, Jul 2, 2009 at 2:41 PM, Brandon Enright<bmenrigh () ucsd edu> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hey all, I ran into a machine on campus (Cannon Printer) that causes NSE to hang forever in a busy-loop. Since the script never yields even host timeout doesn't help. Thanks to David's sharp eye and troubleshooting genius, I have attached a simple test case. You can make a listener with: sudo ncat -l 80 --sh-exec "cat bad-http.txt" And you can scan it with: nmap --script=html-title -p 80 -d2 localhost With high debugging on, you should see something like: ... NSOCK (0.1030s) Read request from IOD #1 [x.y.179.88:80] (timeout: 7000ms) EID 34 NSOCK (0.1030s) nsock_loop() started (timeout=50ms). 1 events pending NSOCK (0.1030s) Callback: READ EOF for EID 34 [x.y.179.88:80] NSE: TCP x.y.1.115:38187 > x.y.179.88:80 | CLOSE <hang forever at 100% CPU here> David points out that the likely culprit is that the HTTP response includes "Transfer-Encoding: chunked" but the response is not actually chunked. All the scripts that make use of http.lua will die when this happens.
You both may already be aware of this: I'm looking at http.lua where the problem apparently is: while ( ptr < ( type( body ) == "string" and body:len() ) or 1 ) do local hex = body:match( pattern, ptr ) if not hex then break end chunk_len = tonumber( hex or 0, 16 ) or nil if chunk_len then start = ptr + hex:len() + 2*body_delim:len() ptr = start + chunk_len b[#b+1] = body:sub( start, ptr-1 ) end end In the case David gave, hex is always the string "<HTML>". Because chunk_len is always going to be "nil", the loop never advances past the first match in body. I don't know the appropriate way to handle this (break the loop if chunk_len ever equals nil? advance ptr by 1?). -- -Patrick Donnelly "Let all men know thee, but no man know thee thoroughly: Men freely ford that see the shallows." - Benjamin Franklin _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- http.lua not handling malformed HTTP response gracefully Brandon Enright (Jul 02)
- Re: http.lua not handling malformed HTTP response gracefully Patrick Donnelly (Jul 02)
- Re: http.lua not handling malformed HTTP response gracefully David Fifield (Jul 02)
- Re: http.lua not handling malformed HTTP response gracefully David Fifield (Jul 08)
- Re: http.lua not handling malformed HTTP response gracefully Patrick Donnelly (Jul 02)