Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tighten Nmap Data File Replacement Rules and Security Permissions #2051

fyodor opened this issue May 21, 2020 · 1 comment

Tighten Nmap Data File Replacement Rules and Security Permissions #2051

fyodor opened this issue May 21, 2020 · 1 comment


Copy link

@fyodor fyodor commented May 21, 2020

We received a report from a company using Nmap that was concerned about reducing that risk that an attacker could replace Nmap's data files, since that could potentially allow code execution. The data file replacement behavior is all documented at, but we think this could be tightened up without substantially reducing usability. So our current plans are:

  1. Remove C:\Nmap from the Windows search path. Even though it is documented, I doubt many people use it. And it does introduce security concerns since Windows (at least sometimes) ships with insecure C: root filesystem permissions, probably for legacy app compatibility reasons. On Linux/UNIX/Mac platforms, all of the data directories are places that should only be writable by privileged users (or the user running Nmap themselves).

  2. Remove the "updates" directory searches since those relate to a feature that we never really introduced.

  3. We will make sure the current working directly isn't searched when specifying NSE scripts by category (though keep it for running scripts). Also, there is a feature where you can specify a directory and have all NSE scripts in that directory automatically run. We are thinking about requiring a forward slash at the end of the directory name for that feature so that it doesn't happen accidentally.

nmap-bot pushed a commit that referenced this issue Aug 27, 2020
This feature was never publicly released, and has not been distributed
in our binary builds for a couple versions now. It needed to be removed
in order to reduce the number of places Nmap looks for data files. See #2051
Copy link

@dmiller-nmap dmiller-nmap commented Aug 28, 2020

Changes incoming. Status on the above items:

  1. Windows will no longer search NMAPDATADIR, which was hard-coded as c:\nmap previously.
  2. nmap-update has been entirely removed, including the additional search paths for fetching data files and scripts.
  3. If a user runs nmap --script name-of-directory, it will result in an error if the directory exists. The error message is directory 'name-of-directory' found, but will not match without '/'. If the directory does not exist, the error is 'name-of-directory' did not match a category, filename, or directory. To get the old behavior, it must be specified as nmap --script name-of-directory/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.