-A option on a big DNS gives SEGFAULT #1033

Closed
olaure opened this Issue Oct 12, 2017 · 4 comments

olaure commented Oct 12, 2017

The command:

nmap -A yahoo.com

leads to a Segmentation fault (core dumped).

dmiller-nmap commented Oct 12, 2017

Thanks for the bug report. Can you provide the output of nmap --version? Are you running as root or as an unprivileged user?

Which of these commands is the first that crashes? Please provide output of the first of these commands to crash:

  1. nmap -d -sL yahoo.com
  2. nmap -d -sn yahoo.com
  3. nmap -d -sS yahoo.com
  4. nmap -d -sS --traceroute yahoo.com
  5. nmap -d -sS --traceroute -O yahoo.com
  6. nmap -d -sS -sV yahoo.com

Thanks for your help in finding this bug.

olaure commented Oct 13, 2017

$ nmap --version
Nmap version 7.01 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.2.4 openssl-1.0.2g libpcre-8.38 libpcap-1.7.4 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

It was running as an unprivileged user; as root it doesn't crash.
As such, the commands with -sS will not execute as an unprivileged user; the previous ones did not crash.

Here is the debug version of the initial command:

$ nmap -d -A yahoo.com

Starting Nmap 7.01 ( https://nmap.org ) at 2017-10-13 10:04 CEST
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
NSE: Arguments from CLI: 
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:04
Completed NSE at 10:04, 0.00s elapsed
Initiating Ping Scan at 10:04
Scanning yahoo.com (98.138.253.109) [2 ports]
Completed Ping Scan at 10:04, 0.12s elapsed (1 total hosts)
Overall sending rates: 17.10 packets / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 10:04
mass_rdns: 0.02s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 10:04, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 10:04
Scanning yahoo.com (98.138.253.109) [1000 ports]
Discovered open port 443/tcp on 98.138.253.109
Discovered open port 80/tcp on 98.138.253.109
Completed Connect Scan at 10:04, 9.53s elapsed (1000 total ports)
Overall sending rates: 210.38 packets / s.
Initiating Service scan at 10:04
Scanning 2 services on yahoo.com (98.138.253.109)
Completed Service scan at 10:05, 33.69s elapsed (2 services on 1 host)
NSE: Script scanning 98.138.253.109.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:05
NSE: Starting http-generator against yahoo.com (98.138.253.109:80).
NSE: Starting xmlrpc-methods against yahoo.com (98.138.253.109:443).
NSE: Starting http-git against yahoo.com (98.138.253.109:80).
NSE: Starting http-generator against yahoo.com (98.138.253.109:443).
NSE: Starting http-ls against yahoo.com (98.138.253.109:80).
NSE: Starting http-auth against yahoo.com (98.138.253.109:443).
NSE: Starting http-git against yahoo.com (98.138.253.109:443).
NSE: Starting http-svn-info against yahoo.com (98.138.253.109:443).
NSE: Starting rpc-grind against yahoo.com (98.138.253.109:80).
NSE: Starting http-methods against yahoo.com (98.138.253.109:80).
NSE: Starting sstp-discover against yahoo.com (98.138.253.109:443).
NSE: Starting ip-https-discover against yahoo.com (98.138.253.109:443).
NSE: Starting http-ls against yahoo.com (98.138.253.109:443).
NSE: Starting ssl-known-key against yahoo.com (98.138.253.109:443).
NSE: Starting ssl-date against yahoo.com (98.138.253.109:443).
NSE: Starting http-ntlm-info against yahoo.com (98.138.253.109:80).
NSE: Starting ssl-cert against yahoo.com (98.138.253.109:443).
NSE: Starting sslv2 against yahoo.com (98.138.253.109:443).
NSE: Starting http-methods against yahoo.com (98.138.253.109:443).
NSE: Starting http-cisco-anyconnect against yahoo.com (98.138.253.109:443).
NSE: Starting weblogic-t3-info against yahoo.com (98.138.253.109:80).
NSE: Starting http-ntlm-info against yahoo.com (98.138.253.109:443).
NSE: Starting skypev2-version against yahoo.com (98.138.253.109:443).
Segmentation fault (core dumped)

Note: launching all the listed scripts in

$ nmap -d --script=http-generator,xmlrpc-methods,http-git,http-generator,http-ls,http-auth,http-git,http-svn-info,rpc-grind,http-methods,sstp-discover,ip-https-discover,http-ls,ssl-known-key,ssl-date,http-ntlm-info,ssl-cert,sslv2,http-methods,http-cisco-anyconnect,weblogic-t3-info,http-ntlm-info,skypev2-version yahoo.com

doesn't SEGFAULT.

dmiller-nmap commented Oct 13, 2017

Does this still happen with Nmap 7.60? I can't reproduce the crash in either version.

Does either of these commands also crash?

  1. nmap -d -sV yahoo.com
  2. nmap -d --script=http-cors,http-favicon,http-robots.txt,http-svn-enum,http-title,http-webdav-scan,tls-nextprotoneg,http-server-header yahoo.com

These should be the remaining scripts in the group. When you have one that crashes, increase debug to -d3 --script-trace and we'll see if we can figure it out. But try Nmap 7.60 first, since we may have fixed the bug already.
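A helper for the narrowing-down the maintainer asks for in both of his comments above (run candidate script lists, keep whichever half still segfaults, then re-run the survivor with -d3 --script-trace), added here as an example and not code from the Nmap project. It assumes nmap is on the PATH (the NMAP, SCRIPTS and TARGET environment variables are assumptions of this example) and that a segfaulting child is reported by the shell as exit status 139.

```shell
# Added example, not Nmap project code: bisect a comma-separated NSE script
# list to a minimal sub-list that makes nmap die with SIGSEGV. NMAP, SCRIPTS
# and TARGET are assumed environment variables (NMAP can name a stand-in).
NMAP="${NMAP:-nmap}"

# Return 0 if $NMAP with script list $1 against target $2 is killed by SIGSEGV:
# sh reports a signal-killed child as 128+signo, and SIGSEGV is 11, so 139.
crashes() {
    $NMAP -d --script="$1" "$2" >/dev/null 2>&1
    [ $? -eq 139 ]
}
# Number of comma-separated items in $1.
count_items() { printf '%s\n' "$1" | awk -F, '{ print NF }'; }

# Items $2..$3 (1-based, inclusive) of the comma-separated list $1.
slice_items() {
    printf '%s\n' "$1" | awk -F, -v a="$2" -v b="$3" '{
        s = ""
        for (i = a; i <= b && i <= NF; i++) s = s (s == "" ? "" : ",") $i
        print s
    }'
}
# bisect LIST TARGET: print a minimal crashing sub-list and return 0, or print
# nothing and return 1 if the full list does not crash. Each round keeps the
# half that still crashes alone; if neither does, the crash needs scripts from
# both halves and the current list is reported unchanged.
bisect() {
    list=$1; target=$2
    crashes "$list" "$target" || return 1
    n=$(count_items "$list")
    while [ "$n" -gt 1 ]; do
        half=$(( n / 2 ))
        first=$(slice_items "$list" 1 "$half")
        rest=$(slice_items "$list" $(( half + 1 )) "$n")
        if crashes "$first" "$target"; then list=$first
        elif crashes "$rest" "$target"; then list=$rest
        else break
        fi
        n=$(count_items "$list")
    done
    printf '%s\n' "$list"
}
# Stand-alone use: SCRIPTS is the list (e.g. the names "nmap -d -A" printed
# before the crash) and TARGET the host; nothing runs unless both are set.
if [ -n "${SCRIPTS:-}" ] && [ -n "${TARGET:-}" ]; then
    if culprit=$(bisect "$SCRIPTS" "$TARGET"); then
        echo "crashing sub-list: $culprit"
        echo "re-run: $NMAP -d3 --script-trace --script=$culprit $TARGET"
    fi
fi
```

When a crash only reproduces with the whole group, the loop stops at the first split where neither half crashes alone and reports that list, which is the case worth attaching to the bug report together with the -d3 --script-trace output.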

olaure commented Oct 16, 2017

Fortunately it doesn't crash anymore with nmap 7.60-1.

Thank you for your patience and support!

@olaure olaure closed this Oct 16, 2017
