Closed
Nmap 7.70 crashes when running either of the following two scripts against an open port 22 which is not recognised as SSH: ssh-publickey-acceptance and ssh-auth-methods.
$ nmap -V
Nmap version 7.70 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.3.3 openssl-1.0.2g nmap-libssh2-1.8.0 libz-1.2.8 libpcre-8.38 libpcap-1.7.4 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
I managed to narrow it down to these scripts and one particular host, and created a minimised test case that can be run locally:
$ sudo ncat --listen --keep-open --exec '/bin/echo -ne \\nTest' 22
$ sudo nmap -vvv -d -sS -p22 -sV --version-light -sC --script=banner,ssh-publickey-acceptance,ssh-auth-methods -oA ssh-test localhost
This will cause a crash, sometimes with Segmentation fault or sometimes with double free or corruption. Sample output with -ddd:
Initiating NSE at 00:24
NSE: Starting ssh-auth-methods M:2a268d8 against localhost (127.0.0.1:22).
NSOCK INFO [0.7620s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.7640s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:22 (IOD #1) EID 8
NSE: Starting banner M:30514b8 against localhost (127.0.0.1:22).
NSE: Finished banner M:30514b8 against localhost (127.0.0.1:22).
Fetchfile found /usr/local/bin/../share/nmap/nselib/data/publickeydb
NSE: Starting ssh-publickey-acceptance M:2996bd8 against localhost (127.0.0.1:22).
NSE: [ssh-publickey-acceptance M:2996bd8 127.0.0.1:22] Checking key: [...] for user root
NSOCK INFO [0.7640s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [0.7650s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:22 (IOD #2) EID 16
NSE: Starting fingerprint-strings M:22cf898 against localhost (127.0.0.1:22).
NSE: [fingerprint-strings M:22cf898 127.0.0.1:22] GenericLines:>>>
Test<<<
NSE: [fingerprint-strings M:22cf898 127.0.0.1:22] GetRequest:>>>
Test<<<
NSE: [fingerprint-strings M:22cf898 127.0.0.1:22] NULL:>>>
Test<<<
NSE: [fingerprint-strings M:22cf898 127.0.0.1:22] SSLSessionReq:>>>
Test<<<
NSE: [fingerprint-strings M:22cf898 127.0.0.1:22] TLSSessionReq:>>>
Test<<<
NSE: Finished fingerprint-strings M:22cf898 against localhost (127.0.0.1:22).
NSOCK INFO [0.7660s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [127.0.0.1:22]
NSE: TCP 127.0.0.1:57076 > 127.0.0.1:22 | CONNECT
NSOCK INFO [0.7660s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 16 [127.0.0.1:22]
NSE: TCP 127.0.0.1:57078 > 127.0.0.1:22 | CONNECT
NSE: TCP 127.0.0.1:57076 > 127.0.0.1:22 | 00000000: 53 53 48 2d 32 2e 30 2d 6c 69 62 73 73 68 32 5f SSH-2.0-libssh2_
00000010: 31 2e 38 2e 30 0d 0a 1.8.0
NSOCK INFO [0.7660s] nsock_write(): Write request for 23 bytes to IOD #1 EID 27 [127.0.0.1:22]
NSE: TCP 127.0.0.1:57078 > 127.0.0.1:22 | 00000000: 53 53 48 2d 32 2e 30 2d 6c 69 62 73 73 68 32 5f SSH-2.0-libssh2_
00000010: 31 2e 38 2e 30 0d 0a 1.8.0
NSOCK INFO [0.7660s] nsock_write(): Write request for 23 bytes to IOD #2 EID 35 [127.0.0.1:22]
NSOCK INFO [0.7660s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [127.0.0.1:22]
NSE: TCP 127.0.0.1:57078 > 127.0.0.1:22 | SEND
NSOCK INFO [0.7660s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [127.0.0.1:22]
NSE: TCP 127.0.0.1:57076 > 127.0.0.1:22 | SEND
NSOCK INFO [0.7660s] nsock_read(): Read request from IOD #1 [127.0.0.1:22] (timeout: 30000ms) EID 42
NSOCK INFO [0.7660s] nsock_read(): Read request from IOD #2 [127.0.0.1:22] (timeout: 30000ms) EID 50
NSOCK INFO [0.7660s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 50 [127.0.0.1:22] (5 bytes): .Test
NSE: TCP 127.0.0.1:57078 < 127.0.0.1:22 | 00000000: 0a 54 65 73 74 Test
NSOCK INFO [0.7660s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 42 [127.0.0.1:22] (5 bytes): .Test
NSE: TCP 127.0.0.1:57076 < 127.0.0.1:22 | 00000000: 0a 54 65 73 74 Test
NSE: ssh-auth-methods M:2a268d8 against localhost (127.0.0.1:22) threw an error!
/usr/local/bin/../share/nmap/nselib/libssh2-utility.lua:36: Unable to complete libssh2 handshake.
stack traceback:
[C]: in function 'libssh2.session_open'
/usr/local/bin/../share/nmap/nselib/libssh2-utility.lua:36: in method 'connect'
/usr/local/bin/../share/nmap/scripts/ssh-auth-methods.nse:33: in function </usr/local/bin/../share/nmap/scripts/ssh-auth-methods.nse:30>
(...tail calls...)
NSE: ssh-publickey-acceptance M:2996bd8 against localhost (127.0.0.1:22) threw an error!
/usr/local/bin/../share/nmap/nselib/libssh2-utility.lua:36: Unable to complete libssh2 handshake.
stack traceback:
[C]: in function 'libssh2.session_open'
/usr/local/bin/../share/nmap/nselib/libssh2-utility.lua:36: in method 'connect'
...l/bin/../share/nmap/scripts/ssh-publickey-acceptance.nse:103: in function <...l/bin/../share/nmap/scripts/ssh-publickey-acceptance.nse:51>
(...tail calls...)
NSE: TCP 127.0.0.1:57076 > 127.0.0.1:22 | CLOSE
NSOCK INFO [0.7660s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSE: TCP 127.0.0.1:57078 > 127.0.0.1:22 | CLOSE
NSOCK INFO [0.7660s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
Completed NSE at 00:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 00:24
Completed NSE at 00:24, 0.00s elapsed
*** Error in `nmap': double free or corruption (!prev): 0x0000000003531800 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f00725cf7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f00725d837a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f00725dc53c]
nmap(libssh2_session_free+0x4b5)[0x4d6985]
nmap[0x4c04fb]
nmap[0x4fc54a]
nmap[0x4fc923]
nmap[0x4fc981]
nmap[0x4fbd6f]
nmap[0x4fcbfd]
nmap[0x4fde0f]
nmap[0x4fdec2]
nmap[0x4ff1a3]
nmap[0x4ff718]
nmap(lua_gc+0x7f)[0x4fa38f]
nmap[0x50f63f]
nmap[0x4fc54a]
nmap[0x507cdd]
nmap[0x4fc92f]
nmap[0x4fc981]
nmap(lua_callk+0x3c)[0x4fa07c]
nmap[0x4adbf9]
nmap[0x4fc54a]
nmap[0x4fc923]
nmap[0x4fc981]
nmap[0x4fbd6f]
nmap[0x4fcbfd]
nmap(lua_pcallk+0x7f)[0x4fa14f]
nmap(_Z11script_scanRSt6vectorIP6TargetSaIS1_EE5stype+0x74)[0x4af114]
nmap(_Z9nmap_mainiPPc+0xfbe)[0x459a0e]
nmap(main+0x17b)[0x43041b]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f0072578830]
nmap(_start+0x29)[0x4304b9]
Aborted
If I disable those two scripts, then Nmap doesn't crash, and the host output looks like:
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh?    syn-ack ttl 64
|_banner: Test
| fingerprint-strings:
|   GenericLines, GetRequest, NULL, SSLSessionReq, TLSSessionReq:
|_    Test
Hope that helps in diagnosing the issue.
Please can you look into it?
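The backtrace (libssh2_session_free reached from lua_gc right after "Unable to complete libssh2 handshake") is consistent with a session being released once on the open() error path and a second time by the userdata finalizer. The C model below is an added illustration of that pattern next to the ownership-clearing fix; it is not part of this issue or of Nmap's code, mock_session, ssh_userdata, session_open and releases_for_banner are constructed stand-ins, and the cause is an assumption drawn from the backtrace rather than a confirmed diagnosis.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the crash path in the backtrace above: a Lua userdata
 * owning a libssh2 session that is released by session_open's error path and
 * again by the __gc finalizer. A static object and a counter stand in for the
 * real LIBSSH2_SESSION so the second release is counted instead of executed. */
typedef struct { int handshake_done; } mock_session;
static mock_session the_session;   /* stand-in for the heap-allocated session */
static int releases;               /* how many times it was "freed" */

static mock_session *mock_session_init(void) { the_session.handshake_done = 0; return &the_session; }

/* Handshake stand-in: fails unless the peer banner starts with "SSH-". */
static int mock_handshake(mock_session *s, const char *banner) {
    if (strncmp(banner, "SSH-", 4) != 0) return -1;
    s->handshake_done = 1;
    return 0;
}
static void mock_session_free(mock_session *s) { (void)s; releases++; }

/* What the NSE binding keeps inside its Lua userdata (assumed layout). */
typedef struct { mock_session *session; } ssh_userdata;

/* open(): allocate, handshake, release on failure. With clear_on_error == 0 the
 * userdata keeps a dangling pointer, which is the double-free pattern. */
static int session_open(ssh_userdata *ud, const char *banner, int clear_on_error) {
    ud->session = mock_session_init();
    if (mock_handshake(ud->session, banner) != 0) {
        mock_session_free(ud->session);
        if (clear_on_error) ud->session = NULL;  /* the fix: drop ownership */
        return -1;
    }
    return 0;
}

/* __gc stand-in: only safe if every earlier release cleared the pointer. */
static void session_gc(ssh_userdata *ud) {
    if (ud->session == NULL) return;
    mock_session_free(ud->session);
    ud->session = NULL;
}

/* Drive open() then gc() for one banner; returns the number of releases. */
int releases_for_banner(const char *banner, int clear_on_error) {
    ssh_userdata ud = { NULL };
    releases = 0;
    session_open(&ud, banner, clear_on_error);
    session_gc(&ud);
    return releases;
}
```

With the reporter's "\nTest" banner the unfixed path releases the session twice, while a banner starting with "SSH-" or the ownership-clearing variant releases it exactly once.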