Nmap Development mailing list archives

[NMAP::Patch] Add support for check Linux capabilities privileges


From: Leonardo Amaral <leleobhz () leleobhz org>
Date: Tue, 01 Dec 2009 09:41:37 -0200

Hello List! (It's more or less the same mail I've sent to Fyodor)

As an inspired guy with insomnia (4:15 a.m. here :p) I've created a
patch to support capabilities. It worked very well, but this patch
should be revised so it doesn't have security problems. I think the
kernel, knowing the app capabilities, allows the operation automatically.
I've defined as required capabilities these:

CAP_NET_ADMIN
        Perform various network-related operations (e.g., setting
        privileged socket options, enabling multicasting, interface
        configuration, modifying routing tables).

CAP_NET_BROADCAST
        (Unused) Make socket broadcasts, and listen to multicasts.

CAP_NET_RAW
        Use RAW and PACKET sockets.

I'm sending the patch, attached, against version 5.10BETA1.

I hope my little work helps someone!

Thanks for your attention;

Leonardo Amaral - leleobhz

P.S.: Proof of concept:

leleobhz@tarsila:~/COMPILACOES/nmap/nmap-5.10BETA1$ echo $UID ; file
./nmap ; ldd ./nmap ; getcap ./nmap ; ./nmap -sS 192.168.1.1 -O2
1000
./nmap: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically
linked (uses shared libs), for GNU/Linux 2.6.15, from 'B', not stripped
         linux-vdso.so.1 =>  (0x00007fffe1dff000)
         libpcre.so.3 => /lib/libpcre.so.3 (0x00007ff626ac4000)
         libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0x00007ff62688f000)
         libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00007ff626640000)
         libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00007ff6262b9000)
         liblua5.1.so.0 => /usr/lib/liblua5.1.so.0 (0x00007ff62608c000)
         libdl.so.2 => /lib/libdl.so.2 (0x00007ff625e87000)
         libcap.so.2 => /lib/libcap.so.2 (0x00007ff625c82000)
         libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007ff625972000)
         libm.so.6 => /lib/libm.so.6 (0x00007ff6256ed000)
         libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007ff6254d6000)
         libc.so.6 => /lib/libc.so.6 (0x00007ff625167000)
         libz.so.1 => /lib/libz.so.1 (0x00007ff624f4f000)
         /lib64/ld-linux-x86-64.so.2 (0x00007ff626d1b000)
./nmap =
cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+eip

Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2009-12-01 04:18 BRST
Nmap scan report for 192.168.1.1
Host is up (0.0037s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   closed ftp
23/tcp   closed telnet
2869/tcp open   unknown
MAC Address: 00:25:9C:1C:75:FF (Cisco-Linksys)
Device type: WAP
Running: Netgear embedded
OS details: Netgear WGR614v7 wireless broadband router
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.89 seconds
leleobhz@tarsila:~/COMPILACOES/nmap/nmap-5.10BETA1$

--- NmapOps.cc.orig     2009-12-01 02:58:25.000000000 -0200
+++ NmapOps.cc  2009-12-01 03:43:26.000000000 -0200
@@ -94,6 +94,7 @@
 #include "NmapOps.h"
 #include "services.h"
 #include "utils.h"
+#include <sys/capability.h>
 #ifdef WIN32
 #include "winfix.h"
 #endif
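Review bot: the new `#include <sys/capability.h>` is unconditional, while the code that uses it lives inside the non-WIN32 block of this file and configure.ac only looks for libcap under `*-linux*`; on macOS, the BSDs or any other platform without a libcap header the build now fails at this line. Guard the include the same way the library is detected, e.g. `#ifdef LINUX` / `#endif` around it (or a HAVE_LIBCAP macro produced by the configure check), so non-Linux builds are unaffected.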
@@ -207,6 +208,21 @@
     isr00t = 0;
   else
     isr00t = !(geteuid());
+
+  ssize_t length;
+  cap_t cap_d;
+
+  cap_d = cap_get_pid(getpid());
+ 
+  if (cap_d != NULL) {
+    char *result = cap_to_text(cap_d, &length);
+    if ( strstr (result, "cap_net_raw") and strstr (result, "cap_net_admin") and strstr (result, "cap_net_broadcast") 
) 
+      isr00t=1;
+    cap_free(result);
+    result = NULL;
+    cap_free(cap_d);
+  }
+
 #endif
   have_pcap = true;
   debugging = 0;
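Review bot: the test on the `strstr (result, "cap_net_raw") and strstr (result, "cap_net_admin") ...` line only checks that the capability names occur somewhere in the text form; it does not verify that they are in the effective set, and `cap_to_text()` can also name a capability that is being cleared or that is permitted but not effective, so the substring match would still set `isr00t=1`. Query the flags directly instead, e.g. `cap_get_flag(cap_d, CAP_NET_RAW, CAP_EFFECTIVE, &val)` for each required capability, which also removes the `cap_to_text`/`cap_free(result)` pair and the string parsing. Two smaller points: `cap_get_pid(getpid())` can simply be `cap_get_proc()`, which is also the symbol the configure.ac hunk probes for; and the closing `#endif` here is the existing WIN32 guard, so this block compiles on every non-Windows platform and needs its own `#ifdef LINUX` (or HAVE_LIBCAP) guard. Finally, the original assignment `isr00t = !(geteuid());` means "euid is 0", and a comment should record that after this change `isr00t` can be set for a uid 1000 process that merely holds the network capabilities, since any other code that reads `isr00t` as "we are root" will now be wrong for such a process.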
--- configure.ac.orig   2009-12-01 04:00:49.000000000 -0200
+++ configure.ac        2009-12-01 04:05:58.000000000 -0200
@@ -158,6 +158,7 @@
   *-linux*)
     AC_DEFINE(LINUX)
     LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
+    AC_CHECK_LIB(cap, cap_get_proc,,AC_MSG_ERROR([libcap not found]))
     ;;
   *-apple-darwin*)
     AC_DEFINE(MACOSX)
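Review bot: the `AC_CHECK_LIB(cap, cap_get_proc,,AC_MSG_ERROR([libcap not found]))` line turns libcap into a hard requirement for every Linux build, although the feature is optional (nmap keeps working as root without it). With an empty action-if-found, AC_CHECK_LIB already appends `-lcap` to LIBS and defines `HAVE_LIBCAP`, so dropping the AC_MSG_ERROR and wrapping the NmapOps.cc block in `#ifdef HAVE_LIBCAP` makes the feature degrade gracefully on systems without libcap. Note also that the symbol probed here (`cap_get_proc`) is not the one the NmapOps.cc hunk calls (`cap_get_pid`); either probe the function actually used or switch the code to `cap_get_proc()`.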

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
