
segmentation fault in hascaptures () from /usr/lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2 #1734

Open
HynekPetrak opened this issue Sep 10, 2019 · 4 comments


@HynekPetrak

Hello,
Running nmap -T4 -A -oA adminpc --open 10.179.244.158/23 always gives me a Segmentation fault.

Core was generated by `nmap -T4 -A -oA adminpc --open 10.179.244.158/23'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f090f6ca4c7 in hascaptures () from /usr/lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2

Using the current Kali-rolling environment.

Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1c libssh2-1.8.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
@antnks

antnks commented Oct 13, 2019

Crashes for me too. Looks like some recursion causes stack overflow:

....
Stats: 0:03:02 elapsed; 246 hosts completed (9 up), 9 undergoing Service Scan
Service scan Timing: About 95.24% done; ETC: 09:51 (0:00:05 remaining)
Stats: 0:03:07 elapsed; 246 hosts completed (9 up), 9 undergoing Service Scan
Service scan Timing: About 95.24% done; ETC: 09:51 (0:00:05 remaining)
Stats: 0:03:12 elapsed; 246 hosts completed (9 up), 9 undergoing Service Scan
Service scan Timing: About 95.24% done; ETC: 09:51 (0:00:05 remaining)
Stats: 0:03:17 elapsed; 246 hosts completed (9 up), 9 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 09:51 (0:00:00 remaining)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff795e4c7 in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
(gdb) br
Breakpoint 1 at 0x7ffff795e4c7
(gdb) bt
#0  0x00007ffff795e4c7 in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#1  0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#2  0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#3  0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#4  0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
...
#29451 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29452 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29453 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29454 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29455 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29456 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29457 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29458 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29459 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29460 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29461 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29462 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29463 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29464 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29465 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29466 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29467 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29468 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
...

@HynekPetrak

For me it happens relatively often, but it’s difficult to reproduce. Usually same scan restarted does not crash again.

@dmiller-nmap

I did some research into this but forgot to write it down. This bug is unique to LPeg 1.0.2, or at least does not occur in LPeg 0.12 that Nmap ships. You should be able to remove or rename the fingerprint-strings.nse script or add --script "default and not fingerprint-strings" to your command-line to avoid this particular crash, though other scripts may crash I suppose.

A potential fix would be to prevent loading of external lpeg library, using the statically-linked one in Nmap instead. Apart from that, we should probably report this upstream and see if there's anything we can do or if it needs to be fixed there.

@ghost

ghost commented May 27, 2020

I got this or a very similar segmentation fault too (without NSE unless it's used under the hood). I've reproduced it 3/3 times with the following command on Kali Linux 2020.1:

kali@kali:~/exercises/7.2.2.9$ nmap -A -p 80,443 -iL ping_hosts.txt -oG webservers.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-27 17:52 EDT
Segmentation fault

Running nmap under strace works fine, however.

GDB shows the same recursion as @antnks got:

kali@kali:~/exercises/7.2.2.9$ gdb nmap
GNU gdb (Debian 9.1-3) 9.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from nmap...
(No debugging symbols found in nmap)
(gdb) run -A -p 80,443 -iL ping_hosts.txt -oG webservers.txt
Starting program: /usr/bin/nmap -A -p 80,443 -iL ping_hosts.txt -oG webservers.txt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-27 17:55 EDT

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79644c7 in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
(gdb) backtrace
#0  0x00007ffff79644c7 in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#1  0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#2  0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#3  0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#4  0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#5  0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#6  0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#7  0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#8  0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#9  0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#10 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#11 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#12 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#13 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#14 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#15 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#16 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#17 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#18 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#19 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#20 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#21 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#22 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#23 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#24 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#25 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
--Type <RET> for more, q to quit, c to continue without paging--c

After upgrading nmap from 7.80+dfsg1-2kali1 to 7.80+dfsg1-2kali2 (and lua-lpeg from 1.0.0-2 to 1.0.2-1) I get no segmentation fault, but instead the scan seems to never terminate:

(gdb) run -A -p 80,443 -iL ping_hosts.txt -oG webserver.txt
Starting program: /usr/bin/nmap -A -p 80,443 -iL ping_hosts.txt -oG webservers.txt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-27 19:38 EDT
Stats: 0:00:48 elapsed; 0 hosts completed (39 up), 39 undergoing Service Scan
Service scan Timing: About 96.55% done; ETC: 19:38 (0:00:02 remaining)
Stats: 0:01:09 elapsed; 0 hosts completed (39 up), 39 undergoing Service Scan
Service scan Timing: About 96.55% done; ETC: 19:39 (0:00:02 remaining)
Stats: 0:01:39 elapsed; 0 hosts completed (39 up), 39 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 19:39 (0:00:00 remaining)

Program received signal SIGINT, Interrupt.
0x00007ffff772d5e6 in epoll_wait (epfd=6, events=0x555555dbac00, maxevents=128, timeout=49)
    at ../sysdeps/unix/sysv/linux/epoll_wait.c:30
30      ../sysdeps/unix/sysv/linux/epoll_wait.c: No such file or directory.
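The backtraces posted by antnks and ghost share one shape: tens of thousands of frames of the same function, which points at unbounded recursion exhausting the stack rather than a stray pointer dereference. The following is an added example, not part of this issue nor of Nmap or LPeg, that triages a pasted gdb backtrace for exactly that pattern; the `min_depth` and `dominance` thresholds and the sample backtrace are constructed here.

```python
import re
from collections import Counter

# One gdb frame line, e.g.
# "#12 0x00007ffff79644cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2"
FRAME_RE = re.compile(
    r"^#(?P<no>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<sym>[^\s(]+)\s*\("
)

def parse_frames(text):
    """Return (frame_number, symbol) pairs; non-frame lines ('...', prompts) are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group("no")), m.group("sym")))
    return frames

def classify_backtrace(text, min_depth=1000, dominance=0.9):
    """Classify a crash stack.

    depth is the highest frame number + 1, so a run gdb elided with '...' in
    the middle of the paste still counts towards depth. The verdict is
    'recursive-stack-overflow' when one symbol owns at least `dominance` of the
    parsed frames and the stack is at least `min_depth` deep (thresholds are
    constructed heuristics); otherwise 'shallow-crash', meaning the faulting
    instruction, not the stack depth, is what to look at.
    """
    frames = parse_frames(text)
    if not frames:
        return {"depth": 0, "dominant": None, "share": 0.0, "verdict": "no-frames"}
    depth = max(no for no, _ in frames) + 1
    dominant, n = Counter(sym for _, sym in frames).most_common(1)[0]
    share = n / len(frames)
    verdict = ("recursive-stack-overflow"
               if share >= dominance and depth >= min_depth else "shallow-crash")
    return {"depth": depth, "dominant": dominant, "share": share, "verdict": verdict}

# Constructed sample modelled on the backtrace in this issue (frames elided as gdb printed them).
SAMPLE_BT = """\
#0  0x00007ffff795e4c7 in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#1  0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#2  0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
...
#29467 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
#29468 0x00007ffff795e4cc in hascaptures () from /lib/x86_64-linux-gnu/liblua5.3-lpeg.so.2
"""

if __name__ == "__main__":
    print(classify_backtrace(SAMPLE_BT))
```

Pipe the output of `bt` (or `thread apply all bt`) into `classify_backtrace` to separate this class of crash from other SIGSEGVs when triaging a batch of core dumps.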
