Nmap Development mailing list archives

Crash in libssh with certain SSH scripts


From: Daniel Cater <djcater () gmail com>
Date: Mon, 28 May 2018 19:27:46 +0100

Hello,

$ nmap -V
Nmap version 7.70 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.3.3 openssl-1.0.2g nmap-libssh2-1.8.0
libz-1.2.8 libpcre-8.38 libpcap-1.7.4 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

On a job recently Nmap 7.70 kept crashing during the NSE phase, and after a
while of debugging it, I narrowed it down to one particular host with TCP
port 22 open. From there, I narrowed it down to a couple of non-default SSH
scripts that I had added in: ssh-publickey-acceptance and ssh-auth-methods.

When connecting to the port with the ssh command on Linux, or even just
with ncat, it just responds with a message like "\nConnection refused",
possibly suggesting some application-layer IP address filtering.

I replicated the response with ncat and created a minimised test case. The
leading newline appears to be relevant.

I've included the relevant commands for ncat and Nmap, and the debugging
output here in GitHub: https://github.com/nmap/nmap/issues/1227

I'm not sure if there's a vulnerability here, but sometimes the crash does
mention a double free.

I would appreciate it if someone who knows more about the recent libssh
integration could have a look and try and fix it. If there's any more info
I can provide to help, please let me know.

Thank you.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/