Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Regression with afp-showmount on nmap 7.80 #2091

MikeRich88 opened this issue Aug 1, 2020 · 2 comments · Fixed by res0nat0r/nmap#1

Regression with afp-showmount on nmap 7.80 #2091

MikeRich88 opened this issue Aug 1, 2020 · 2 comments · Fixed by res0nat0r/nmap#1


Copy link

MikeRich88 commented Aug 1, 2020

Attached is the log with -d

Works fine on 7.70

Maybe related to all the other unpack issues I am seeing? What changed with unpack in 7.80?

[user@quinn ~]# nmap -d --script=afp-showmount -Pn -p548 -n xx.xx.xx.xx
Starting Nmap 7.80 ( ) at 2020-08-01 11:08 CDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
Initiating SYN Stealth Scan at 11:08
Scanning xx.xx.xx.xx [1 port]
Packet capture filter (device enp0s25): dst host yy.yy.yy.yy and (icmp or icmp6 or ((tcp or udp or sctp) and (src host xx.xx.xx.xx)))
Discovered open port 548/tcp on xx.xx.xx.xx
Completed SYN Stealth Scan at 11:08, 0.09s elapsed (1 total ports)
Overall sending rates: 11.00 packets / s, 484.06 bytes / s.
NSE: Script scanning xx.xx.xx.xx.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 11:08
NSE: Starting afp-showmount against xx.xx.xx.xx:548.
NSE: afp-showmount against xx.xx.xx.xx:548 threw an error!
/usr/bin/../share/nmap/nselib/afp.lua:2041: bad argument #3 to 'unpack' (initial position out of string)
stack traceback:
	[C]: in function 'string.unpack'
	/usr/bin/../share/nmap/nselib/afp.lua:2041: in field 'decode_dir_bitmap'
	/usr/bin/../share/nmap/nselib/afp.lua:1010: in method 'fp_get_file_dir_parms'
	/usr/bin/../share/nmap/nselib/afp.lua:1673: in method 'GetSharePermissions'
	/usr/bin/../share/nmap/scripts/afp-showmount.nse:85: in function </usr/bin/../share/nmap/scripts/afp-showmount.nse:46>
	(...tail calls...)

Completed NSE at 11:08, 1.45s elapsed
Nmap scan report for xx.xx.xx.xx
Host is up, received user-set (0.076s latency).
Scanned at 2020-08-01 11:08:39 CDT for 1s

548/tcp open  afp     syn-ack ttl 51
Final times for host: srtt: 75885 rttvar: 75885  to: 379425

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.94 seconds
           Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
@MikeRich88 MikeRich88 added the Nmap label Aug 1, 2020
@nnposter nnposter added NSE bug and removed Nmap labels Aug 1, 2020
Copy link

nnposter commented Aug 2, 2020

Here is a quick assessment:

Works fine on 7.70

The underlying AFP packet parser in earlier versions is just as broken but the bug is masked in this particular case. See below.

Maybe related to all the other unpack issues I am seeing? What changed with unpack in 7.80?

There was a large code conversion from library bin, which provided pack and unpack, to native string.pack and string.unpack in Lua 5.3. Many of the issues are related to the fact that the bin implementation was tolerating unpacking from out of bounds positions. Strings just got truncated, other values returned as nil, etc.

A partial patch for your issue is here. Please give it a try and report back. If it does not work for you then please run nmap with -ddd and provide the output, together with a pcap.

P.S. At the moment it is safe to refresh the content of folders nselib and scripts from SVN or GitHub. There is a chance that some of the other unpack issues have been already resolved there.

@nnposter nnposter self-assigned this Aug 2, 2020
Copy link

nnposter commented Aug 3, 2020

A fix has been committed as r37971. Please re-open the issue if the problem persists.

res0nat0r added a commit to res0nat0r/nmap that referenced this issue Oct 7, 2020
* Implement Ncat proxy creds via environment variable. Fixes nmap#2060, closes nmap#2073

* Fix --resume from IPv6 scans

* Use correct default buffer position. Closes nmap#2084

* Clarify upper boundary for variable-length numerical fields

* Make maximize_fdlimit return rlim_t on appropriate platforms. Closes nmap#2085. Fixes nmap#2079

* Credential object is creds.Account, not brute.Account. See nmap#2086

* Clarify location of the Error object

* Use correct default buffer position. Closes nmap#2086

* Minor optimization of url.parse_query()

* Output of matched fingerprints in http-default-accounts. Fixes nmap#2077

* Document that --open implies --defeat-rst-ratelimit since 7.40

* SNMP scripts are enabled on non-standard ports. See nmap#1473

* Increases SQL Server version resolution

* Eliminate reflection false positives in http-shellshock. Closes nmap#2089

* Unify AFP pathname serialization

* Correct AFP name extraction from responses. Closes nmap#2091
FPGetFileDirParms and FPEnumerateExt2 could crash due to unpacking from
out-of-bounds positions. This latent issue got exposed by converting from
bin.unpack to more stringent string.unpack

* Clarified parsing of the volume list in AFP FPGetSrvrParms

* Add cross references between the 2 whois scripts

* Streamline Boolean expressions

* Centralize AFP timestamp conversion to string

* Fix a word-wrapping issue

* Prevent SSH2 KEX confusion. Fixes nmap#2105

* Add ssh2.fetch_host_key() support for group 16

* Handle case of corrupted TCP options with length 0. Fixes nmap#2104

* Add iDRAC9 fingerprint to http-default-accounts. Closes nmap#2096

* fix license url: http -> https

* Implementation of TLS SNI override in Ncat
Closes nmap#2087, closes nmap#1928, fixes nmap#1927, fixes nmap#1974

* Fix off-by-one issue in last change. Fixes nmap#2107

* Be more strict with TCP options parsing, avoid reading off the end of TCP options. See nmap#2107

* Remove nmap-update

This feature was never publicly released, and has not been distributed
in our binary builds for a couple versions now. It needed to be removed
in order to reduce the number of places Nmap looks for data files. See nmap#2051

* If fetchfile didn't find the XSL, use a relative path on all platforms.

* Do not search NMAPDATADIR on Windows as it is not defined. See nmap#2051

* Remove an unused variable

* Require trailing '/' to match a directory name with --script. See nmap#2051

* Stop using Shellshock in header name. Fixes nmap#1983

* Fix line wrapping

* Speed improvement for script afp-ls. Closes nmap#2098

* New option --discovery-ignore-rst. Closes nmap#1616

* Nbase is needed for __attribute__ on Windows

* include string_pool in Windows build

* Use larger buffer size for socket errors (WSAETIMEDOUT was longer).

* Allow multiple UDP payloads per port. Closes nmap#1859 (payloads to be committed later)

* New UDP payloads. Closes nmap#1860

* Use ASCII chars for some payload data where it makes sense

* Pass error along instead of printing (link error)

* OpenSSL 1.1.X renamed libs: libeay32->libcrypto ssleay32->libssl

* More OpenSSL DLL name changes

* One last libeay32->libcrypto name change

* Fix loopback detection on Windows with new Npcap

* Add some popular favicon hashes

* Update nmap-mac-prefixes

* Update nmap-services from IANA

* Handle too-short response in s7-info. See nmap#2117

* Remove a todo item that is done (--resolve-all)

* Update dated 'class' network terms to CIDR. Closes nmap#2054

* Call superclass's init method from derived class

* Use signed value for tcp header offset and option lengths to detect underflow

* Correctly check for unsigned subtraction underflow.

* Add some missing changelog entries

* Tell LGTM to use the correct version of Python (2)

* Process new Linux and OpenBSD fingerprints

* Only get SSL options if we use them, currently for NO_SSLv2

* Process a few service fingerprint submissions

* Add a requested feature

* Try to make sure enough data is present before parsing. See nmap#2117

* Replace hyphens in the client SSH banner
Hyphen is not allowed in the software version string (RFC 4253, section 4.2)

* Update the SSH protocol flow. Closes nmap#1460
Allows the server to start the key exchange before the protocol version
exchange (banner exchange) is completed

* Silence static analysis warning

LGTM points out that since comparison with sizeof(buf) coerces n to
unsigned, all negative values become very large values, which are
necessarily larger than sizeof(buf), so the test is redundant. We still
want the test in our code to be explicit that we are checking for it, so
reordering the comparisons should silence the warning. A good optimizing
compiler should be able to combine the two conditions anyway.

See github/codeql#4249

* Be explicit about truncating division (timeout is in whole milliseconds)

* Improve docs on -Pn and host discovery

"Host discovery" is the preferred term over "ping scan" because of
confusion with ICMP Echo Request, a.k.a. "ping" as used by the "ping"
utility. Warn when users use -Pn because it has negative impact on scan
times since ultrascan timing parameters fall back to slow initial

* Fix a config issue with LGTM (libverbs not linked in libpcap)

* Update IPv6 classifier based on new submissions through 2020-09-14

* Fix a meaningless error message when parsing IPv6 extension headers.

* Allow %F date format to mean YYYY-mm-dd like GNU date

* Remove duplicate test conditionals already tested in enclosing block

* Properly handle pcap reads in iocp engine. Fixes nmap#2126

Still has an odd code smell, but this fixes my test case with Nping.

* Add missing prototype

* Make IOCP the default Nsock engine on Windows. See nmap#2126

* Update macosx build to OpenSSL 1.1.1h, use jhbuild for all build steps

* Default rule base for script mysql-audit. See nmap#2125

* Avoid masked use of date before 1/1/1970 UTC. Fixes nmap#2136, closes nmap#2137

* Fix a CHANGELOG typo

* Reintegrate Nmap 7.90 release branch

* Bump version and regen docs for 7.90SVN post-release

* Only warn about protocol specs in port list with -p. Fixes nmap#2135

* Handle a weird IOCP error for UDP sockets. Fixes nmap#2140

Co-authored-by: nnposter <nnposter@e0a8ed71-7df4-0310-8962-fdc924857419>
Co-authored-by: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
@nmap nmap deleted a comment Apr 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

Successfully merging a pull request may close this issue.

2 participants