Re: Interacting with scan can break XML DTD validation

[David Fifield <david () bamsoftware com>]

On Fri, Sep 02, 2011 at 04:19:06PM -0500, Daniel Miller wrote:
> Hey list,
>
> I found an issue that may not be worth pursuing, but here it is:
> When increasing verbosity in the middle of a scan, XML elements may
> be output without preceding ones (e.g. taskend without corresponding
> taskbegin), which causes the output to fail DTD validation. Steps to
> reproduce:
>
> 1. Start a scan with parallel DNS resolution and XML output:
> $ nmap -sL -oX out.xml 192.168.1.0/24
>
> 2. Between 1-2 seconds after initiating, press "v" to increase verbosity.
>
> 3. Try to validate the output against DTD. Example output from
> python lxml validator:
> out.xml:4:0:ERROR:VALID:DTD_CONTENT_MODEL: Element nmaprun content
> does not follow the DTD, expecting (scaninfo* , verbose , debugging
> , ((taskbegin , taskprogress* , taskend) | prescript | postscript |
> host | output)* , runstats), got (verbose debugging taskend host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host host host host host host
> host host host host host host host host runstats )

Good find. I think this is a problem with the DTD, specifically the
(taskbegin, taskprogress*, taskend) part. It's hard to enforce ordering
and number of elements like this. Can you try just folding those into
the rest of the unordered elements, and if that works, send the patch?

> As a side note, I also found and patched a problem with the DTD
> regarding service fingerprint confidence levels. Previously, these
> were enumerated as 0, 3, 5, and 10, but I found tcpwrapped services
> were given a value of 8. The comments in portlist.h say it could be
> any integer between 0 and 10, so that's what I changed the DTD to
> reflect.

Thanks, committed it.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/