
Assertion `lua_status(L) == LUA_YIELD' failed for 7.8 #1837

Closed
picnicsecurity opened this issue Nov 24, 2019 · 5 comments
@picnicsecurity picnicsecurity commented Nov 24, 2019

Hello There

I have been getting the following error whenever I try to do nmap vulnerability scans. I am able to replicate the issue on both x64 and x32. Both tests were done on a fresh install.

root@kali:~# nmap --version
Nmap version 7.80 ( https://nmap.org )
Platform: i686-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1d libssh2-1.8.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
root@kali:~# nmap -vv --reason -Pn -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "/root/test/observer/results/1.1.1.1/scans/tcp_139_smb_nmap.txt" -oX "/root/test/observer/results/1.1.1.1/scans/xml/tcp_139_smb_nmap.xml" 1.1.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-24 08:42 EST
NSE: Loaded 84 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:42
Completed NSE at 08:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:42
Completed NSE at 08:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:42
Completed NSE at 08:42, 0.00s elapsed
Initiating ARP Ping Scan at 08:42
Scanning 10.11.1.218 [1 port]
Completed ARP Ping Scan at 08:42, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:42
Completed Parallel DNS resolution of 1 host. at 08:42, 0.00s elapsed
Initiating SYN Stealth Scan at 08:42
Scanning 10.11.1.218 [1 port]
Discovered open port 139/tcp on 10.11.1.218
Completed SYN Stealth Scan at 08:42, 0.18s elapsed (1 total ports)
Initiating Service scan at 08:42
Scanning 1 service on 10.11.1.218
Completed Service scan at 08:42, 6.59s elapsed (1 service on 1 host)
NSE: Script scanning 10.11.1.218.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:42
NSE Timing: About 97.14% done; ETC: 08:43 (0:00:01 remaining)
NSE Timing: About 97.14% done; ETC: 08:43 (0:00:02 remaining)
NSE Timing: About 97.14% done; ETC: 08:44 (0:00:03 remaining)
NSE Timing: About 97.14% done; ETC: 08:44 (0:00:04 remaining)
NSE Timing: About 97.14% done; ETC: 08:45 (0:00:04 remaining)
Completed NSE at 08:45, 161.70s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:45
nmap: nse_nsock.cc:369: void callback(nsock_pool, nsock_event, void*): Assertion `lua_status(L) == LUA_YIELD' failed.
Aborted

However, I am able to run the above scan on previous versions of Nmap

root@kali:~# nmap --version
Nmap version 7.70 ( https://nmap.org )
Platform: i686-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.0h libssh2-1.8.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
root@kali:~# nmap -vv --reason -Pn -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/root/test/observer/results/1.1.1.1/scans/tcp_139_smb_nmap.txt" -oX "/root/test/observer/results/1.1.1.1/scans/xml/tcp_139_smb_nmap.xml" 1.1.1.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-24 09:16 EST
NSE: Loaded 80 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:16
Completed NSE at 09:16, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 09:16
Completed NSE at 09:16, 0.00s elapsed
Initiating ARP Ping Scan at 09:16
Scanning 1.1.1.1 [1 port]
Completed ARP Ping Scan at 09:16, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:16
Completed Parallel DNS resolution of 1 host. at 09:16, 0.00s elapsed
Initiating SYN Stealth Scan at 09:16
Scanning 1.1.1.1 [1 port]
Discovered open port 139/tcp on 1.1.1.1
Completed SYN Stealth Scan at 09:16, 0.18s elapsed (1 total ports)
Initiating Service scan at 09:16
Scanning 1 service on 1.1.1.1
Completed Service scan at 09:16, 6.58s elapsed (1 service on 1 host)
NSE: Script scanning 1.1.1.1.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:16
NSE Timing: About 97.33% done; ETC: 09:16 (0:00:01 remaining)
NSE Timing: About 97.33% done; ETC: 09:17 (0:00:02 remaining)
NSE Timing: About 97.33% done; ETC: 09:17 (0:00:02 remaining)
NSE Timing: About 97.33% done; ETC: 09:18 (0:00:03 remaining)
NSE Timing: About 97.33% done; ETC: 09:18 (0:00:04 remaining)
Completed NSE at 09:18, 160.37s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 09:18
Completed NSE at 09:19, 3.49s elapsed
Nmap scan report for 1.1.1.1
Host is up, received arp-response (0.14s latency).
Scanned at 2019-11-24 09:16:09 EST for 171s

PORT    STATE SERVICE     REASON          VERSION
139/tcp open  netbios-ssn syn-ack ttl 128 Windows 7 Professional 7601 Service Pack 1 netbios-ssn
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:50:56:B8:58:B5 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: NetBIOS name: testhost, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b8:58:b5 (VMware)
| Names:
|   testhost<00>         Flags: <unique><active>
|   domain<00>            Flags: <group><active>
|   testhost<20>         Flags: <unique><active>
|   domain<1e>            Flags: <group><active>
| Statistics:
|   00 50 56 b8 58 b5 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb-enum-shares:
|   note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   account_used: <blank>
|   \\1.1.1.1\ADMIN$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\1.1.1.1\C$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\1.1.1.1\IPC$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_    Anonymous access: READ
|_smb-mbenum: Not a master or backup browser
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: testhost
|   NetBIOS computer name: testhost\x00
|   Domain name: localhost.local
|   Forest name: localhost.local
|   FQDN: testhost.localhost.local
|_  System time: 2013-12-27T23:37:12-08:00
|_smb-print-text: false
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|_    2.10
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms17-010: This system is patched.
| smb2-capabilities:
|   2.02:
|     Distributed File System
|   2.10:
|     Distributed File System
|_    Leasing
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2013-12-28 02:37:13
|_  start_date: 2013-12-27 16:08:06

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 09:19
Completed NSE at 09:19, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 09:19
Completed NSE at 09:19, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 171.56 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

If I forgot anything or you need more information, please let me know. Thank you for taking a look at this.

@bridge-four bridge-four commented Nov 26, 2019

Same issue here.

@djcater djcater commented Dec 11, 2019

I have also just encountered this issue with Nmap 7.80SVN compiled from trunk last week.

$ nmap -V 
Nmap version 7.80SVN ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1 nmap-libssh2-1.9.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

I did have debugging level 1 enabled, and this is the error:

NSE: smb-ls against xxx.example.com (10.xxx.xxx.xxx) threw an error!
/usr/local/bin/../share/nmap/scripts/smb-ls.nse:134: /usr/local/bin/../share/nmap/nselib/smb.lua:817: Invalid reuse of a socket from one thread to another.
stack traceback:
	[C]: in function 'error'
	/usr/local/bin/../share/nmap/nse_main.lua:207: in function </usr/local/bin/../share/nmap/nse_main.lua:205>
	(...tail calls...)
	/usr/local/bin/../share/nmap/scripts/smb-ls.nse:134: in upvalue 'list_files'
	/usr/local/bin/../share/nmap/scripts/smb-ls.nse:205: in function </usr/local/bin/../share/nmap/scripts/smb-ls.nse:170>
	(...tail calls...)

nmap: nse_nsock.cc:369: void callback(nsock_pool, nsock_event, void*): Assertion `lua_status(L) == LUA_YIELD' failed.
Aborted

I was running the smb-ls script (as well as other SMB scripts) against a Samba share.

@nnposter nnposter added bug NSE labels Dec 11, 2019
@nnposter nnposter commented Dec 11, 2019

Here is a quick assessment of the issue:

  1. Script smb-ls establishes SMB state via smb.start_ex()
  2. It then retrieves directory entries by looping on an iterator obtained from smb.find_files()
  3. This iterator is implemented as a coroutine that yields on each directory entry obtained through SMB FindFirst/FindNext
  4. The problem appears to be that the SMB state is established in the main thread of the script but then used inside the thread of the iterator.
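The failure mode described in the assessment above, reproduced as a small added example (this is not Nmap's or nnposter's code, and the socket object is a hypothetical stand-in for nsock's per-thread socket ownership, not the real NSE API). The simulated socket remembers the coroutine that created it and refuses calls from any other coroutine, mirroring the "Invalid reuse of a socket from one thread to another" error in the stack trace. A coroutine-based iterator, like the one described for smb.find_files(), trips that check because the yields run in the iterator's own thread; a plain closure iterator performs the I/O in the caller's thread and does not.

```lua
-- Added example, not Nmap code. Simulates an NSE-style socket that is
-- bound to the coroutine that opened it (hypothetical model of nsock's
-- per-thread ownership check).
local function new_socket()
  local owner = coroutine.running()  -- thread that created the socket
  local sock = { owner = owner, calls = 0 }
  function sock:receive()
    -- Reject use from any thread other than the owner, as NSE does.
    if coroutine.running() ~= self.owner then
      error("Invalid reuse of a socket from one thread to another")
    end
    self.calls = self.calls + 1
    return "entry" .. self.calls  -- constructed directory entry
  end
  return sock
end

-- Buggy pattern: the socket was opened in the script's main thread, but
-- this coroutine-based iterator calls sock:receive() from its own thread.
local function find_entries_buggy(sock, n)
  return coroutine.wrap(function()
    for _ = 1, n do
      coroutine.yield(sock:receive())  -- runs inside the iterator thread
    end
  end)
end

-- Corrected pattern: a closure iterator does the socket I/O in the thread
-- that calls it, so the socket is only ever used by the thread that owns it.
local function find_entries_fixed(sock, n)
  local i = 0
  return function()
    if i >= n then return nil end
    i = i + 1
    return sock:receive()
  end
end

-- Drive an iterator factory from the "main thread" of a script and report
-- whether the listing succeeded and what it produced.
local function run(iterator_factory)
  local sock = new_socket()
  local ok, result = pcall(function()
    local entries = {}
    for entry in iterator_factory(sock, 3) do
      entries[#entries + 1] = entry
    end
    return table.concat(entries, ",")
  end)
  return ok, result
end

print(run(find_entries_buggy))
print(run(find_entries_fixed))
```

The first call fails with the ownership error on the very first yield, while the second lists all three entries. The same separation applies to real NSE scripts: whatever structure the iterator has, the nsock calls must be issued from the thread that opened the socket, which is why the fix had to move the SMB I/O out of the iterator coroutine or hand the socket to it explicitly.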
@nnposter nnposter self-assigned this Dec 16, 2019
@nnposter nnposter commented Dec 16, 2019

I have put together a rather substantial refactoring of the code but it is still being tested. Stay tuned.

@nnposter nnposter commented Dec 19, 2019

The fix has been committed as r37785. You can just replace nselib/smb.lua and (optionally) scripts/smb-ls.nse from the SVN.

Thank you for reporting the issue and providing the stack trace.

@nmap-bot nmap-bot closed this in 6998bfc Dec 19, 2019
ayomawdb added a commit to ayomawdb/AutoRecon that referenced this issue Apr 19, 2020