Nmap Development mailing list archives

Re: [NSE] rpc library; trusted inputs?


From: Djalal Harouni <tixxdz () gmail com>
Date: Mon, 26 Apr 2010 19:47:34 +0100

On 2010-04-21 18:34:18 -0600, David Fifield wrote:
> On Sat, Apr 17, 2010 at 04:21:59PM +0100, Djalal Harouni wrote:
> > 2) NSE Scripts:
> > - better error handling.
> >
> > I must remind you that some scripts/libs (including these ones) trust
> > remote inputs!!!
> > I have found this thread: http://seclists.org/nmap-dev/2009/q3/210
> > which is a good start.

> Can you explain more in what way external inputs are being trusted? One
> specific example is already handled at a high level; control characters
> in NSE output are always escaped. I'm sure there are other
> possibilities, like a script looping forever. As Solar Designer pointed
> out, in case of a bug in liblua it might be possible for network input
> to escape the scripting environment. If you've found specific examples,
> please share them so they can be fixed.
My point of view:
- Perhaps NSE scripts must validate/check the value of the n variable
  which will be used by the receive_bytes(n) call. If we are
  implementing some protocol libraries or scripts and the protocol's RFC
  says that the length may not exceed MAXBYTES, we must check it and
  validate it before issuing another receive_bytes(length), etc.

Example:
  st, data = socket:receive_bytes(n)
  _, len = bin.unpack(">I", data, offset)  -- len is taken straight from the wire
  st, tmp = socket:receive_bytes(len)      -- no bound check on len before the read
  data = data .. tmp
  ...


If the RFC says that the len must not exceed 32, I think that we should
check it before the next receive_bytes(len) call.
If we are scanning a box which has some tricks to detect Nmap/NSE scans
and alter its network output (big values), this can cause Nmap to time out
(long scans) or to eat memory, etc.; it depends on how this data is used.

In this example we are using an unsigned integer, you may also consider
other types.

> David Fifield

-- 
tixxdz
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
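The bound check the message argues for, written out as an added example in plain Lua (not code from the thread or from Nmap): a length-prefixed read that refuses lengths above a hypothetical MAXBYTES before calling receive_bytes(len). The fake_socket stand-in for the NSE socket and the MAXBYTES value of 32 are assumptions so the snippet runs offline.

```lua
-- Added example, not from the original thread. MAXBYTES is a hypothetical
-- protocol limit taken from the message's "must not exceed 32" case.
local MAXBYTES = 32

-- Stand-in for nmap's socket:receive_bytes(n): returns status, data like the
-- real call, but serves bytes from an in-memory buffer (constructed input).
local function fake_socket(payload)
  local pos = 1
  return {
    receive_bytes = function(self, n)
      if pos > #payload then return false, "EOF" end
      local chunk = payload:sub(pos, pos + n - 1)
      pos = pos + #chunk
      return true, chunk
    end,
  }
end

-- Big-endian unsigned 32-bit read, the same field bin.unpack(">I") yields,
-- done with string.byte so it runs on any Lua 5.x.
local function unpack_u32be(data, offset)
  local b1, b2, b3, b4 = data:byte(offset, offset + 3)
  if not b4 then return nil, "short read" end
  return ((b1 * 256 + b2) * 256 + b3) * 256 + b4
end

-- Read the 4-byte length prefix, validate it against MAXBYTES, then read the
-- body. A hostile length is rejected before any large receive or allocation.
local function read_length_prefixed(socket)
  local st, hdr = socket:receive_bytes(4)
  if not st or #hdr < 4 then return nil, "header: " .. tostring(hdr) end
  local len = unpack_u32be(hdr, 1)
  if len > MAXBYTES then
    return nil, ("length %d exceeds MAXBYTES %d"):format(len, MAXBYTES)
  end
  if len == 0 then return "" end
  local st2, body = socket:receive_bytes(len)
  if not st2 or #body ~= len then return nil, "body: truncated" end
  return body
end

-- Constructed inputs: a well-formed 5-byte message, and a reply that claims
-- a 4 GiB body, the "big values" trick the message describes.
local good = "\0\0\0\5hello"
local hostile = "\255\255\255\255" .. "x"
print(read_length_prefixed(fake_socket(good)))
print(read_length_prefixed(fake_socket(hostile)))
```

The second call returns nil with a reason instead of attempting a multi-gigabyte receive_bytes; the same pattern applies to any other integer width the protocol uses for its length fields.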

