Nmap Development mailing list archives
[NMAP::Patch] Add support for check Linux capabilities privileges
From: Leonardo Amaral <leleobhz () leleobhz org>
Date: Tue, 01 Dec 2009 09:41:37 -0200
Hello List!

(It's more or less the same as the mail I've sent to Fyodor.)

As an inspired guy with insomnia (4:15 a.m. here :p), I've created a patch to support capabilities. It worked very well, but this patch should be revised so that it doesn't have problems with security. I think that, with the kernel knowing the app's capabilities, it allows the operation automatically.

I've defined these as the required capabilities:

CAP_NET_ADMIN
    Perform various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables).
CAP_NET_BROADCAST
    (Unused) Make socket broadcasts, and listen to multicasts.
CAP_NET_RAW
    Use RAW and PACKET sockets.

I'm sending the patch attached, for version 5.10BETA1.

I hope my little work helps someone!

Thanks for your attention;
Leonardo Amaral - leleobhz

P.S.: Proof of concept:

leleobhz@tarsila:~/COMPILACOES/nmap/nmap-5.10BETA1$ echo $UID ; file ./nmap ; ldd ./nmap ; getcap ./nmap ; ./nmap -sS 192.168.1.1 -O2
1000
./nmap: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, from 'B', not stripped
        linux-vdso.so.1 => (0x00007fffe1dff000)
        libpcre.so.3 => /lib/libpcre.so.3 (0x00007ff626ac4000)
        libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0x00007ff62688f000)
        libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00007ff626640000)
        libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00007ff6262b9000)
        liblua5.1.so.0 => /usr/lib/liblua5.1.so.0 (0x00007ff62608c000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007ff625e87000)
        libcap.so.2 => /lib/libcap.so.2 (0x00007ff625c82000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007ff625972000)
        libm.so.6 => /lib/libm.so.6 (0x00007ff6256ed000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007ff6254d6000)
        libc.so.6 => /lib/libc.so.6 (0x00007ff625167000)
        libz.so.1 => /lib/libz.so.1 (0x00007ff624f4f000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ff626d1b000)
./nmap = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+eip

Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2009-12-01 04:18 BRST
Nmap scan report for 192.168.1.1
Host is up (0.0037s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   closed ftp
23/tcp   closed telnet
2869/tcp open   unknown
MAC Address: 00:25:9C:1C:75:FF (Cisco-Linksys)
Device type: WAP
Running: Netgear embedded
OS details: Netgear WGR614v7 wireless broadband router
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.89 seconds
leleobhz@tarsila:~/COMPILACOES/nmap/nmap-5.10BETA1$
--- NmapOps.cc.orig 2009-12-01 02:58:25.000000000 -0200 +++ NmapOps.cc 2009-12-01 03:43:26.000000000 -0200 @@ -94,6 +94,7 @@ #include "NmapOps.h" #include "services.h" #include "utils.h" +#include <sys/capability.h> #ifdef WIN32 #include "winfix.h" #endif @@ -207,6 +208,21 @@ isr00t = 0; else isr00t = !(geteuid()); + + ssize_t length; + cap_t cap_d; + + cap_d = cap_get_pid(getpid()); + + if (cap_d != NULL) { + char *result = cap_to_text(cap_d, &length); + if ( strstr (result, "cap_net_raw") and strstr (result, "cap_net_admin") and strstr (result, "cap_net_broadcast") ) + isr00t=1; + cap_free(result); + result = NULL; + cap_free(cap_d); + } + #endif have_pcap = true; debugging = 0; --- configure.ac.orig 2009-12-01 04:00:49.000000000 -0200 +++ configure.ac 2009-12-01 04:05:58.000000000 -0200 @@ -158,6 +158,7 @@ *-linux*) AC_DEFINE(LINUX) LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support + AC_CHECK_LIB(cap, cap_get_proc,,AC_MSG_ERROR([libcap not found])) ;; *-apple-darwin*) AC_DEFINE(MACOSX)
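Review bot: In the first NmapOps.cc hunk (@@ -94,6 +94,7), `#include <sys/capability.h>` is added unconditionally, directly above the `#ifdef WIN32` block, so the file will no longer compile on Windows or on any other platform that lacks the libcap header. Put the include behind a guard, for example the `LINUX` macro that the configure.ac hunk shows being defined for `*-linux*`, or better a dedicated feature macro set only when configure actually finds libcap.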
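Review bot: In the second NmapOps.cc hunk (@@ -207,6 +208,21), the `strstr` test on the `cap_to_text()` output does not check which set each capability is in: a process that has `cap_net_raw` only in its inheritable or permitted set produces text containing the same names, and `isr00t=1` is then set even though the raw socket calls will fail later. Query the effective set directly with `cap_get_flag(cap_d, CAP_NET_RAW, CAP_EFFECTIVE, &value)` (and the same for `CAP_NET_ADMIN`) instead of matching substrings. Further points on the same lines: `result` is passed to `strstr` without a NULL check although `cap_to_text()` can fail; the condition demands `cap_net_broadcast`, which the accompanying mail itself lists as "(Unused)", so a binary granted only `cap_net_raw,cap_net_admin` is treated as unprivileged; the block runs after the `isr00t = 0; else isr00t = !(geteuid());` statement, so it silently overrides the branch that forces `isr00t = 0`; `cap_get_pid(getpid())` can be written as `cap_get_proc()`, which is also the symbol configure.ac tests for; and the `and` tokens should be `&&`. The new block also needs a comment explaining why capabilities are treated as equivalent to root here.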
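Review bot: In the configure.ac hunk (@@ -158,6 +158,7), `AC_MSG_ERROR([libcap not found])` turns libcap into a hard build requirement for every Linux build, although the capability check is only an optional convenience. Make the check non-fatal: let `AC_CHECK_LIB` define a feature macro when the library is present and compile the NmapOps.cc block only under that macro, so Nmap still builds on Linux systems without libcap. The test should also cover the header (`AC_CHECK_HEADERS([sys/capability.h])`), since the library can be installed without its development files, and it probes `cap_get_proc` while the code in NmapOps.cc calls `cap_get_pid`; check for the function that is actually used.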
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- [NMAP::Patch] Add support for check Linux capabilities privileges Leonardo Amaral (Dec 01)
- Re: [NMAP::Patch] Add support for check Linux capabilities privileges David Fifield (Dec 12)
- Re: [NMAP::Patch] Add support for check Linux capabilities privileges Fyodor (Dec 13)
- Re: [NMAP::Patch] Add support for check Linux capabilities privileges Leonardo Amaral (Dec 13)
- Re: [NMAP::Patch] Add support for check Linux capabilities privileges David Fifield (Dec 12)