Nmap Development mailing list archives
Re: [NSE] Bug (short read) in pop3-capabilities.nse
From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 15 Jun 2012 20:34:05 +0200
On Mon, Jun 11, 2012 at 6:04 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
Hey list,

I would have reported this with a patch, but I never quite got the hang of reading from sockets in NSE scripts :( When scanning one of the alexa top 1m hosts via IPv6, ran across this exception:

NSOCK (0.8110s) TCP connection requested to 2a01:4f8:121:1262::2:110 (IOD #1) EID 8
NSOCK (0.9530s) Callback: CONNECT SUCCESS for EID 8 [2a01:4f8:121:1262::2:110]
NSE: TCP XXXX:42686 > 2a01:4f8:121:1262::2:110 | CONNECT
NSOCK (0.9530s) Read request from IOD #1 [2a01:4f8:121:1262::2:110] (timeout: 10000ms) EID 18
NSOCK (1.0920s) Callback: READ SUCCESS for EID 18 [2a01:4f8:121:1262::2:110] (76 bytes): +OK CommuniGate Pro POP3 Server 5.2.20 ready <14999.1339429588 () aenigma gr>..
NSE: TCP XXXX:42686 < 2a01:4f8:121:1262::2:110 | +OK CommuniGate Pro POP3 Server 5.2.20 ready <14999.1339429588 () aenigma gr>
NSE: TCP XXXX:42686 > 2a01:4f8:121:1262::2:110 | 00000000: 43 41 50 41 0d 0a  CAPA
NSOCK (1.0930s) Write request for 6 bytes to IOD #1 EID 27 [2a01:4f8:121:1262::2:110]: CAPA..
NSOCK (1.0930s) Callback: WRITE SUCCESS for EID 27 [2a01:4f8:121:1262::2:110]
NSE: TCP XXXX:42686 > 2a01:4f8:121:1262::2:110 | SEND
NSOCK (1.0940s) Read request from IOD #1 [2a01:4f8:121:1262::2:110] (timeout: 10000ms) EID 34
NSOCK (1.2320s) Callback: READ SUCCESS for EID 34 [2a01:4f8:121:1262::2:110] (29 bytes): +OK capability list follows..
NSE: TCP XXXX:42686 < 2a01:4f8:121:1262::2:110 | 00000000: 2b 4f 4b 20 63 61 70 61 62 69 6c 69 74 79 20 6c  +OK capability l
00000010: 69 73 74 20 66 6f 6c 6c 6f 77 73 0d 0a  ist follows
NSE: 'pop3-capabilities' (thread: 0x8ba8468) against 2a01:4f8:121:1262::2:110 threw an error!
./nselib/pop3.lua:173: bad argument #2 to 'sub' (number expected, got nil)
stack traceback:
        [C]: in function 'sub'
        ./nselib/pop3.lua:173: in function 'capabilities'
        ./scripts/pop3-capabilities.nse:30: in function <./scripts/pop3-capabilities.nse:29>
        (...tail calls...)

I checked manually, and this is the response I get:

ncat -vvv -6 freestuff.gr 110
Ncat: Version 6.01 ( http://nmap.org/ncat )
NSOCK (0.0110s) TCP connection requested to 2a01:4f8:121:1262::2:110 (IOD #1) EID 8
NSOCK (0.1550s) Callback: CONNECT SUCCESS for EID 8 [2a01:4f8:121:1262::2:110]
Ncat: Connected to 2a01:4f8:121:1262::2:110.
NSOCK (0.1560s) Read request from IOD #1 [2a01:4f8:121:1262::2:110] (timeout: -1ms) EID 18
NSOCK (0.1560s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 26
NSOCK (0.2970s) Callback: READ SUCCESS for EID 18 [2a01:4f8:121:1262::2:110] (76 bytes)
+OK CommuniGate Pro POP3 Server 5.2.20 ready <15001.1339430446 () aenigma gr>
NSOCK (0.2970s) Read request for 0 bytes from IOD #1 [2a01:4f8:121:1262::2:110] EID 34
CAPA
NSOCK (5.0260s) Callback READ SUCCESS for EID 26 (peer unspecified) (5 bytes)
NSOCK (5.0260s) Write request for 5 bytes to IOD #1 EID 43 [2a01:4f8:121:1262::2:110]
NSOCK (5.0260s) Callback: WRITE SUCCESS for EID 43 [2a01:4f8:121:1262::2:110]
NSOCK (5.0260s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 50
NSOCK (5.1690s) Callback: READ SUCCESS for EID 34 [2a01:4f8:121:1262::2:110] (29 bytes)
+OK capability list follows
NSOCK (5.1690s) Read request for 0 bytes from IOD #1 [2a01:4f8:121:1262::2:110] EID 58
NSOCK (5.3090s) Callback: READ SUCCESS for EID 58 [2a01:4f8:121:1262::2:110] (129 bytes)
SASL LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM
STLS
LAST
TOP
USER
PIPELINING
UIDL
IMPLEMENTATION CommuniGatePro
.
NSOCK (5.3090s) Read request for 0 bytes from IOD #1 [2a01:4f8:121:1262::2:110] EID 66
QUIT
NSOCK (8.9930s) Callback READ SUCCESS for EID 50 (peer unspecified) (5 bytes)
NSOCK (8.9930s) Write request for 5 bytes to IOD #1 EID 75 [2a01:4f8:121:1262::2:110]
NSOCK (8.9940s) Callback: WRITE SUCCESS for EID 75 [2a01:4f8:121:1262::2:110]
NSOCK (8.9940s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 82
NSOCK (9.1400s) Callback: READ SUCCESS for EID 66 [2a01:4f8:121:1262::2:110] (51 bytes)
+OK CommuniGate Pro POP3 Server connection closed
NSOCK (9.1400s) Read request for 0 bytes from IOD #1 [2a01:4f8:121:1262::2:110] EID 90
NSOCK (9.1400s) Callback: READ EOF for EID 90 [2a01:4f8:121:1262::2:110]
Ncat: 10 bytes sent, 285 bytes received in 9.15 seconds.
NSOCK (9.1400s) Callback: READ KILL for EID 82 (peer unspecified)

As you can see from the debug output, the response is sent in a separate packet from the "status line", so the pop3 library needs to keep reading until a "." is seen.

Dan

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Thanks for reporting this. I took a stab at it and ended up re-writing quite a bit of the code in both the pop3 library and the script. I've committed my changes as r28955.

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
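The reading discipline Daniel asks for (keep consuming data until the line holding a single "." arrives, whatever the packet boundaries) is shown below as an added example. It is not code from this thread, from nselib/pop3.lua or from the r28955 commit, and it is written in Python rather than NSE Lua so that it runs stand-alone; the FakeSocket, the CAPA_FRAGMENTS and the function names are all constructed for the example, with the fragments modelled on the ncat output above (the status line in one read, the capability list later, and the terminator itself split across two reads). naive_capabilities reproduces the one-read-per-message pattern that fails on a short read; read_multiline_response is the buffered reader. It also goes a little beyond the thread by handling the -ERR single-line reply, an empty body, and the RFC 1939 byte-stuffing of body lines that begin with ".".

```python
import collections
from typing import Deque, List, Optional, Tuple

# Constructed fragments modelled on the trace in the thread: the status line
# arrives in one read, the capability list in a later one, and the CRLF "." CRLF
# terminator is itself split across two reads (worst case for a naive parser).
CAPA_FRAGMENTS = [
    b"+OK capability list follows\r\n",
    b"SASL LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM\r\nSTLS\r\nLAST\r\n"
    b"TOP\r\nUSER\r\nPIPELINING\r\nUIDL\r\nIMPLEMENTATION CommuniGatePro\r\n.",
    b"\r\n",
]

TERMINATOR = b"\r\n.\r\n"  # end of a POP3 multi-line response (RFC 1939, section 3)


class FakeSocket:
    """Hands back constructed fragments one recv() at a time, standing in for a
    TCP socket whose reads do not line up with protocol messages."""

    def __init__(self, fragments: List[bytes]) -> None:
        self._frags: Deque[bytes] = collections.deque(fragments)

    def recv(self, _bufsize: int = 4096) -> bytes:
        return self._frags.popleft() if self._frags else b""  # b"" == EOF


def naive_capabilities(sock) -> Optional[List[str]]:
    """The short-read pattern: one recv() for the status line, one for the body.
    Returns None when the terminator is not inside that single body read, which
    is the situation the script hit (string.find returning nil)."""
    status = sock.recv()
    body = sock.recv()
    end = body.find(TERMINATOR)  # -1 when the read was short
    if not status.startswith(b"+OK") or end < 0:
        return None
    return body[:end].decode().split("\r\n")


def _read_line(sock, buf: bytes) -> Tuple[bytes, bytes]:
    """Read until a CRLF is buffered, pulling more data as needed.
    Returns (line without CRLF, leftover bytes already received)."""
    while b"\r\n" not in buf:
        chunk = sock.recv()
        if not chunk:
            raise EOFError("connection closed before end of line")
        buf += chunk
    line, _, rest = buf.partition(b"\r\n")
    return line, rest


def read_multiline_response(sock) -> Tuple[str, Optional[List[str]]]:
    """Read a POP3 multi-line response: status line, body lines, then a line
    holding a single '.'. Keeps reading until that terminator has been seen, so
    it does not matter how the server split the response into packets."""
    status, buf = _read_line(sock, b"")
    if not status.startswith(b"+OK"):
        return status.decode(), None  # -ERR is single-line; no body follows
    # A leading CRLF lets one search find the terminator even when the body is
    # empty (status CRLF followed directly by "." CRLF).
    data = b"\r\n" + buf
    while TERMINATOR not in data:
        chunk = sock.recv()
        if not chunk:
            raise EOFError("connection closed before terminating '.' line")
        data += chunk
    end = data.index(TERMINATOR)
    body = data[2:end]  # drop the CRLF we prepended
    lines = body.split(b"\r\n") if body else []
    # Undo byte-stuffing: a body line that begins with '.' is sent as '..'
    lines = [line[1:] if line.startswith(b".") else line for line in lines]
    return status.decode(), [line.decode() for line in lines]


def capabilities(fragments: List[bytes]) -> Tuple[str, Optional[List[str]]]:
    """Parse a CAPA reply delivered as the given fragments (via FakeSocket)."""
    return read_multiline_response(FakeSocket(fragments))


if __name__ == "__main__":
    print("naive:   ", naive_capabilities(FakeSocket(CAPA_FRAGMENTS)))
    print("buffered:", capabilities(CAPA_FRAGMENTS))
```

Against the constructed fragments the naive reader returns None because its second recv() ends with "\r\n." and never sees the final CRLF, while the buffered reader accumulates across reads and returns the eight capability lines; a real NSE implementation would apply the same loop to socket:receive_lines() or socket:receive_buf() results.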