New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Crash in libssh when port 22 response is unexpected #1227

Closed
djcater opened this Issue May 27, 2018 · 3 comments

Comments

Projects
None yet
2 participants
@djcater

djcater commented May 27, 2018

Nmap 7.70 crashes when running either of the following two scripts against an open port 22 which is not recognised as SSH: ssh-publickey-acceptance and ssh-auth-methods.

$ nmap -V 
Nmap version 7.70 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.3.3 openssl-1.0.2g nmap-libssh2-1.8.0 libz-1.2.8 libpcre-8.38 libpcap-1.7.4 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

I managed to narrow it down to these scripts and one particular host, and created a minimised test case that can be run locally:

$ sudo ncat --listen --keep-open --exec '/bin/echo -ne \\nTest' 22
$ sudo nmap -vvv -d -sS -p22 -sV --version-light -sC --script=banner,ssh-publickey-acceptance,ssh-auth-methods -oA ssh-test localhost

This will cause a crash, sometimes with Segmentation fault or sometimes with double free or corruption. Sample output with -ddd:

Initiating NSE at 00:24
NSE: Starting ssh-auth-methods M:2a268d8 against localhost (127.0.0.1:22).
NSOCK INFO [0.7620s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.7640s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:22 (IOD #1) EID 8
NSE: Starting banner M:30514b8 against localhost (127.0.0.1:22).
NSE: Finished banner M:30514b8 against localhost (127.0.0.1:22).
Fetchfile found /usr/local/bin/../share/nmap/nselib/data/publickeydb
NSE: Starting ssh-publickey-acceptance M:2996bd8 against localhost (127.0.0.1:22).
NSE: [ssh-publickey-acceptance M:2996bd8 127.0.0.1:22] Checking key: AAAAB3NzaC1kc3MAAACBAISAE3CAX4hsxTw0dRc0gx8nQ41r3Vkj9OmG6LGeKWRmpy7C6vaExuupjxid76fd4aS56lCUEEoRlJ3zE93qoK9acI6EGqGQFLuDZ0fqMyRSX+ilf+1HDo/TRyuraggxp9Hj9LMpZVbpFATMm0+d9Xs7eLmaJjuMsowNlOf8NFdHAAAAFQCwdvqOAkR6QhuiAapQ/9iVuR0UAQAAAIBpLMo4dhSeWkChfv659WLPftxRrX/HR8YMD/jqa3R4PsVM2g6dQ1191nHugtdV7uaMeOqOJ/QRWeYM+UYwT0Zgx2LqvgVSjNDfdjk+ZRY8x3SmExFi62mKFoTGSOCXfcAfuanjaoF+sepnaiLUd+SoJShGYHoqR2QWiysTRqknlwAAAIBLEgYmr9XCSqjENFDVQPFELYKT7Zs9J87PjPS1AP0qF1OoRGZ5mefK6X/6VivPAUWmmmev/BuAs8M1HtfGeGGzMzDIiU/WZQ3bScLB1Ykrcjk7TOFD6xrnk/inYAp5l29hjidoAONcXoHmUAMYOKqn63Q2AsDpExVcmfj99/BlpQ== for user root
NSOCK INFO [0.7640s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [0.7650s] nsock_connect_tcp(): TCP connection requested to 127.0.0.1:22 (IOD #2) EID 16
NSE: Starting fingerprint-strings M:22cf898 against localhost (127.0.0.1:22).
NSE: [fingerprint-strings M:22cf898 127.0.0.1:22] GenericLines:>>>
    Test<<<
NSE: [fingerprint-strings M:22cf898 127.0.0.1:22] GetRequest:>>>
    Test<<<
NSE: [fingerprint-strings M:22cf898 127.0.0.1:22] NULL:>>>
    Test<<<
NSE: [fingerprint-strings M:22cf898 127.0.0.1:22] SSLSessionReq:>>>
    Test<<<
NSE: [fingerprint-strings M:22cf898 127.0.0.1:22] TLSSessionReq:>>>
    Test<<<
NSE: Finished fingerprint-strings M:22cf898 against localhost (127.0.0.1:22).
NSOCK INFO [0.7660s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [127.0.0.1:22]
NSE: TCP 127.0.0.1:57076 > 127.0.0.1:22 | CONNECT
NSOCK INFO [0.7660s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 16 [127.0.0.1:22]
NSE: TCP 127.0.0.1:57078 > 127.0.0.1:22 | CONNECT
NSE: TCP 127.0.0.1:57076 > 127.0.0.1:22 | 00000000: 53 53 48 2d 32 2e 30 2d 6c 69 62 73 73 68 32 5f SSH-2.0-libssh2_
00000010: 31 2e 38 2e 30 0d 0a                            1.8.0  

NSOCK INFO [0.7660s] nsock_write(): Write request for 23 bytes to IOD #1 EID 27 [127.0.0.1:22]
NSE: TCP 127.0.0.1:57078 > 127.0.0.1:22 | 00000000: 53 53 48 2d 32 2e 30 2d 6c 69 62 73 73 68 32 5f SSH-2.0-libssh2_
00000010: 31 2e 38 2e 30 0d 0a                            1.8.0  

NSOCK INFO [0.7660s] nsock_write(): Write request for 23 bytes to IOD #2 EID 35 [127.0.0.1:22]
NSOCK INFO [0.7660s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [127.0.0.1:22]
NSE: TCP 127.0.0.1:57078 > 127.0.0.1:22 | SEND
NSOCK INFO [0.7660s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [127.0.0.1:22]
NSE: TCP 127.0.0.1:57076 > 127.0.0.1:22 | SEND
NSOCK INFO [0.7660s] nsock_read(): Read request from IOD #1 [127.0.0.1:22] (timeout: 30000ms) EID 42
NSOCK INFO [0.7660s] nsock_read(): Read request from IOD #2 [127.0.0.1:22] (timeout: 30000ms) EID 50
NSOCK INFO [0.7660s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 50 [127.0.0.1:22] (5 bytes): .Test
NSE: TCP 127.0.0.1:57078 < 127.0.0.1:22 | 00000000: 0a 54 65 73 74                                   Test

NSOCK INFO [0.7660s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 42 [127.0.0.1:22] (5 bytes): .Test
NSE: TCP 127.0.0.1:57076 < 127.0.0.1:22 | 00000000: 0a 54 65 73 74                                   Test

NSE: ssh-auth-methods M:2a268d8 against localhost (127.0.0.1:22) threw an error!
/usr/local/bin/../share/nmap/nselib/libssh2-utility.lua:36: Unable to complete libssh2 handshake.
stack traceback:
	[C]: in function 'libssh2.session_open'
	/usr/local/bin/../share/nmap/nselib/libssh2-utility.lua:36: in method 'connect'
	/usr/local/bin/../share/nmap/scripts/ssh-auth-methods.nse:33: in function </usr/local/bin/../share/nmap/scripts/ssh-auth-methods.nse:30>
	(...tail calls...)

NSE: ssh-publickey-acceptance M:2996bd8 against localhost (127.0.0.1:22) threw an error!
/usr/local/bin/../share/nmap/nselib/libssh2-utility.lua:36: Unable to complete libssh2 handshake.
stack traceback:
	[C]: in function 'libssh2.session_open'
	/usr/local/bin/../share/nmap/nselib/libssh2-utility.lua:36: in method 'connect'
	...l/bin/../share/nmap/scripts/ssh-publickey-acceptance.nse:103: in function <...l/bin/../share/nmap/scripts/ssh-publickey-acceptance.nse:51>
	(...tail calls...)

NSE: TCP 127.0.0.1:57076 > 127.0.0.1:22 | CLOSE
NSOCK INFO [0.7660s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSE: TCP 127.0.0.1:57078 > 127.0.0.1:22 | CLOSE
NSOCK INFO [0.7660s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
Completed NSE at 00:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 00:24
Completed NSE at 00:24, 0.00s elapsed
*** Error in `nmap': double free or corruption (!prev): 0x0000000003531800 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f00725cf7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f00725d837a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f00725dc53c]
nmap(libssh2_session_free+0x4b5)[0x4d6985]
nmap[0x4c04fb]
nmap[0x4fc54a]
nmap[0x4fc923]
nmap[0x4fc981]
nmap[0x4fbd6f]
nmap[0x4fcbfd]
nmap[0x4fde0f]
nmap[0x4fdec2]
nmap[0x4ff1a3]
nmap[0x4ff718]
nmap(lua_gc+0x7f)[0x4fa38f]
nmap[0x50f63f]
nmap[0x4fc54a]
nmap[0x507cdd]
nmap[0x4fc92f]
nmap[0x4fc981]
nmap(lua_callk+0x3c)[0x4fa07c]
nmap[0x4adbf9]
nmap[0x4fc54a]
nmap[0x4fc923]
nmap[0x4fc981]
nmap[0x4fbd6f]
nmap[0x4fcbfd]
nmap(lua_pcallk+0x7f)[0x4fa14f]
nmap(_Z11script_scanRSt6vectorIP6TargetSaIS1_EE5stype+0x74)[0x4af114]
nmap(_Z9nmap_mainiPPc+0xfbe)[0x459a0e]
nmap(main+0x17b)[0x43041b]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f0072578830]
nmap(_start+0x29)[0x4304b9]
======= Memory map: ========
00400000-0057a000 r-xp 00000000 fd:02 528111                             /usr/local/bin/nmap
00779000-0077a000 r--p 00179000 fd:02 528111                             /usr/local/bin/nmap
0077a000-00906000 rw-p 0017a000 fd:02 528111                             /usr/local/bin/nmap
00906000-0092d000 rw-p 00000000 00:00 0 
0194e000-0355f000 rw-p 00000000 00:00 0                                  [heap]
7f006c000000-7f006c021000 rw-p 00000000 00:00 0 
7f006c021000-7f0070000000 ---p 00000000 00:00 0 
7f007180b000-7f007188c000 rw-p 00000000 00:00 0 
7f007188c000-7f0071897000 r-xp 00000000 fd:02 424803                     /lib/x86_64-linux-gnu/libnss_files-2.23.so
7f0071897000-7f0071a96000 ---p 0000b000 fd:02 424803                     /lib/x86_64-linux-gnu/libnss_files-2.23.so
7f0071a96000-7f0071a97000 r--p 0000a000 fd:02 424803                     /lib/x86_64-linux-gnu/libnss_files-2.23.so
7f0071a97000-7f0071a98000 rw-p 0000b000 fd:02 424803                     /lib/x86_64-linux-gnu/libnss_files-2.23.so
7f0071a98000-7f0071a9e000 rw-p 00000000 00:00 0 
7f0071a9e000-7f0071aa9000 r-xp 00000000 fd:02 424807                     /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7f0071aa9000-7f0071ca8000 ---p 0000b000 fd:02 424807                     /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7f0071ca8000-7f0071ca9000 r--p 0000a000 fd:02 424807                     /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7f0071ca9000-7f0071caa000 rw-p 0000b000 fd:02 424807                     /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7f0071caa000-7f0071cc0000 r-xp 00000000 fd:02 394276                     /lib/x86_64-linux-gnu/libnsl-2.23.so
7f0071cc0000-7f0071ebf000 ---p 00016000 fd:02 394276                     /lib/x86_64-linux-gnu/libnsl-2.23.so
7f0071ebf000-7f0071ec0000 r--p 00015000 fd:02 394276                     /lib/x86_64-linux-gnu/libnsl-2.23.so
7f0071ec0000-7f0071ec1000 rw-p 00016000 fd:02 394276                     /lib/x86_64-linux-gnu/libnsl-2.23.so
7f0071ec1000-7f0071ec3000 rw-p 00000000 00:00 0 
7f0071ec3000-7f0071ecb000 r-xp 00000000 fd:02 424798                     /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7f0071ecb000-7f00720ca000 ---p 00008000 fd:02 424798                     /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7f00720ca000-7f00720cb000 r--p 00007000 fd:02 424798                     /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7f00720cb000-7f00720cc000 rw-p 00008000 fd:02 424798                     /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7f00720cc000-7f007213a000 r-xp 00000000 fd:02 530738                     /usr/lib/libblas/libblas.so.3.6.0
7f007213a000-7f0072339000 ---p 0006e000 fd:02 530738                     /usr/lib/libblas/libblas.so.3.6.0
7f0072339000-7f007233a000 r--p 0006d000 fd:02 530738                     /usr/lib/libblas/libblas.so.3.6.0
7f007233a000-7f007233b000 rw-p 0006e000 fd:02 530738                     /usr/lib/libblas/libblas.so.3.6.0
7f007233b000-7f0072353000 r-xp 00000000 fd:02 424777                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7f0072353000-7f0072552000 ---p 00018000 fd:02 424777                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7f0072552000-7f0072553000 r--p 00017000 fd:02 424777                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7f0072553000-7f0072554000 rw-p 00018000 fd:02 424777                     /lib/x86_64-linux-gnu/libpthread-2.23.so
7f0072554000-7f0072558000 rw-p 00000000 00:00 0 
7f0072558000-7f0072718000 r-xp 00000000 fd:02 424778                     /lib/x86_64-linux-gnu/libc-2.23.so
7f0072718000-7f0072918000 ---p 001c0000 fd:02 424778                     /lib/x86_64-linux-gnu/libc-2.23.so
7f0072918000-7f007291c000 r--p 001c0000 fd:02 424778                     /lib/x86_64-linux-gnu/libc-2.23.so
7f007291c000-7f007291e000 rw-p 001c4000 fd:02 424778                     /lib/x86_64-linux-gnu/libc-2.23.so
7f007291e000-7f0072922000 rw-p 00000000 00:00 0 
7f0072922000-7f0072938000 r-xp 00000000 fd:02 396163                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f0072938000-7f0072b37000 ---p 00016000 fd:02 396163                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f0072b37000-7f0072b38000 rw-p 00015000 fd:02 396163                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f0072b38000-7f0072c40000 r-xp 00000000 fd:02 394266                     /lib/x86_64-linux-gnu/libm-2.23.so
7f0072c40000-7f0072e3f000 ---p 00108000 fd:02 394266                     /lib/x86_64-linux-gnu/libm-2.23.so
7f0072e3f000-7f0072e40000 r--p 00107000 fd:02 394266                     /lib/x86_64-linux-gnu/libm-2.23.so
7f0072e40000-7f0072e41000 rw-p 00108000 fd:02 394266                     /lib/x86_64-linux-gnu/libm-2.23.so
7f0072e41000-7f0072fb3000 r-xp 00000000 fd:02 658175                     /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7f0072fb3000-7f00731b3000 ---p 00172000 fd:02 658175                     /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7f00731b3000-7f00731bd000 r--p 00172000 fd:02 658175                     /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7f00731bd000-7f00731bf000 rw-p 0017c000 fd:02 658175                     /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
7f00731bf000-7f00731c3000 rw-p 00000000 00:00 0 
7f00731c3000-7f00731c6000 r-xp 00000000 fd:02 424787                     /lib/x86_64-linux-gnu/libdl-2.23.so
7f00731c6000-7f00733c5000 ---p 00003000 fd:02 424787                     /lib/x86_64-linux-gnu/libdl-2.23.so
7f00733c5000-7f00733c6000 r--p 00002000 fd:02 424787                     /lib/x86_64-linux-gnu/libdl-2.23.so
7f00733c6000-7f00733c7000 rw-p 00003000 fd:02 424787                     /lib/x86_64-linux-gnu/libdl-2.23.so
7f00733c7000-7f00733d5000 r-xp 00000000 fd:02 671813                     /usr/lib/x86_64-linux-gnu/liblinear.so.3.2.
7f00733d5000-7f00735d4000 ---p 0000e000 fd:02 671813                     /usr/lib/x86_64-linux-gnu/liblinear.so.3.2.
7f00735d4000-7f00735d5000 r--p 0000d000 fd:02 671813                     /usr/lib/x86_64-linux-gnu/liblinear.so.3.2.
7f00735d5000-7f00735d6000 rw-p 0000e000 fd:02 671813                     /usr/lib/x86_64-linux-gnu/liblinear.so.3.2.
7f00735d6000-7f00735ef000 r-xp 00000000 fd:02 393532                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7f00735ef000-7f00737ee000 ---p 00019000 fd:02 393532                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7f00737ee000-7f00737ef000 r--p 00018000 fd:02 393532                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7f00737ef000-7f00737f0000 rw-p 00019000 fd:02 393532                     /lib/x86_64-linux-gnu/libz.so.1.2.8
7f00737f0000-7f0073a0a000 r-xp 00000000 fd:02 406384                     /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f0073a0a000-7f0073c09000 ---p 0021a000 fd:02 406384                     /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f0073c09000-7f0073c25000 r--p 00219000 fd:02 406384                     /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f0073c25000-7f0073c31000 rw-p 00235000 fd:02 406384                     /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f0073c31000-7f0073c34000 rw-p 00000000 00:00 0 
7f0073c34000-7f0073c92000 r-xp 00000000 fd:02 406383                     /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f0073c92000-7f0073e92000 ---p 0005e000 fd:02 406383                     /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f0073e92000-7f0073e96000 r--p 0005e000 fd:02 406383                     /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f0073e96000-7f0073e9d000 rw-p 00062000 fd:02 406383                     /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f0073e9d000-7f0073edb000 r-xp 00000000 fd:02 657313                     /usr/lib/x86_64-linux-gnu/libpcap.so.1.7.4
7f0073edb000-7f00740db000 ---p 0003e000 fd:02 657313                     /usr/lib/x86_64-linux-gnu/libpcap.so.1.7.4
7f00740db000-7f00740dd000 r--p 0003e000 fd:02 657313                     /usr/lib/x86_64-linux-gnu/libpcap.so.1.7.4
7f00740dd000-7f00740de000 rw-p 00040000 fd:02 657313                     /usr/lib/x86_64-linux-gnu/libpcap.so.1.7.4
7f00740de000-7f00740df000 rw-p 00000000 00:00 0 
7f00740df000-7f007414d000 r-xp 00000000 fd:02 394255                     /lib/x86_64-linux-gnu/libpcre.so.3.13.2
7f007414d000-7f007434d000 ---p 0006e000 fd:02 394255                     /lib/x86_64-linux-gnu/libpcre.so.3.13.2
7f007434d000-7f007434e000 r--p 0006e000 fd:02 394255                     /lib/x86_64-linux-gnu/libpcre.so.3.13.2
7f007434e000-7f007434f000 rw-p 0006f000 fd:02 394255                     /lib/x86_64-linux-gnu/libpcre.so.3.13.2
7f007434f000-7f0074375000 r-xp 00000000 fd:02 396149                     /lib/x86_64-linux-gnu/ld-2.23.so
7f0074476000-7f0074542000 rw-p 00000000 00:00 0 
7f0074552000-7f0074574000 rw-p 00000000 00:00 0 
7f0074574000-7f0074575000 r--p 00025000 fd:02 396149                     /lib/x86_64-linux-gnu/ld-2.23.so
7f0074575000-7f0074576000 rw-p 00026000 fd:02 396149                     /lib/x86_64-linux-gnu/ld-2.23.so
7f0074576000-7f0074577000 rw-p 00000000 00:00 0 
7ffee42ee000-7ffee430f000 rw-p 00000000 00:00 0                          [stack]
7ffee431a000-7ffee431d000 r--p 00000000 00:00 0                          [vvar]
7ffee431d000-7ffee431f000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

If I disable those two scripts, then Nmap doesn't crash, and the host output looks like:

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh?    syn-ack ttl 64
|_banner: Test
| fingerprint-strings: 
|   GenericLines, GetRequest, NULL, SSLSessionReq, TLSSessionReq: 
|_    Test

Hope that helps in diagnosing the issue.

Please can you look into it?

@djcater

This comment has been minimized.

djcater commented Aug 2, 2018

@edeirme @sergeykhegay: Any ideas on the above testcase and output given your previous involvement with libssh in Nmap?

@djcater

This comment has been minimized.

djcater commented Dec 1, 2018

This seems to have been fixed by @bonsaiviking / @dmiller-nmap in 350bbe0. Thanks!

@djcater djcater closed this Dec 1, 2018

@dmiller-nmap

This comment has been minimized.

dmiller-nmap commented Dec 2, 2018

Glad I could help! I ran into the same problem myself, but I had forgotten about this bug report. I thought maybe nobody else had experienced the crash. I'll put it into the changelog with reference to this issue.

nmap-bot pushed a commit that referenced this issue Dec 2, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment