NSE: Multiple Bugs in ms-sql-* scripts (e.g. ms-sql-info) #2622

Open
secmxx opened this issue Mar 15, 2023 · 12 comments

Comments

@secmxx

secmxx commented Mar 15, 2023

Describe the bug
The ms-sql-info NSE script fails to run:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 10:50 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000078s latency).

PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.4188.00; CU14
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.76 seconds

Stack Trace:

NSE: ms-sql-info against 127.0.0.1:1433 threw an error!
attempt to index a nil value
stack traceback:
        [C]: in for iterator 'for iterator'
        /usr/bin/../share/nmap/nselib/mssql.lua:3334: in function </usr/bin/../share/nmap/nselib/mssql.lua:3327>
        (...tail calls...)

Completed NSE at 10:51, 0.01s elapsed

To Reproduce
Run the following nmap scan against a single instance of mssql server (e.g. SQL Server 2019):
sudo nmap -sS -p 1433 --script ms-sql-info -sV 127.0.0.1

Expected behavior
Expecting the full NSE script output for ms-sql-info:

$ sudo nmap -sS -p 1433 --script ms-sql-info -sV 127.0.0.1
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 12:21 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).

PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.4188.00; CU14
| ms-sql-info: 
|   127.0.0.1:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 CU14
|       number: 15.00.4188.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: CU14
|       Post-SP patches applied: false
|_    TCP port: 1433

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds

Version info (please complete the following information):

  • OS: Linux kali 6.1.0-kali5-amd64
  • Output of nmap --version:
Nmap version 7.93 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.6 openssl-3.0.8 libssh2-1.10.0 libz-1.2.13 libpcre-8.39 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Quick Fix
I have patched my mssql.lua as follows. I can't guarantee that this won't break compatibility with other scripts...

nselib/mssql.lua (diff):

3206,3207c3206,3207                                                                                                   
<       local status, instances = Helper.GetDiscoveredInstances(host, port)                                           
<       if status then                                                                                                                                                                                                                      
---                                                                                                                   
>       local instances = Helper.GetDiscoveredInstances(host, port)                                                   
>       if instances then   
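Review bot: the hunk is in normal `diff` output format (`3206,3207c3206,3207` with `<`/`>` lines) and carries no file header or surrounding context, so anyone applying it has to pass the target path to `patch` by hand and the line numbers only match the exact nmap 7.93 copy of nselib/mssql.lua. A unified diff (`diff -u old new`) with a few context lines would let readers see the `else` branch this condition feeds and apply the change to other revisions.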

Note: Helper.GetDiscoveredInstances only returns one value; this is the source of the stack trace.

With this fix, the script works but still doesn't create the full output when run against a single SQL instance. It might work if you run against multiple instances, but I haven't checked.

The reason is the following segment:

nmap/nselib/mssql.lua, lines 3337 to 3340 in ad3935b:

      if #output > 0 then
        return outlib.sorted_by_key(output)
      end
      return nil

#output will always return 0 when scanning a single instance, since the table is indexed by a string (e.g. "127.0.0.1:1433" -> table: 0xaaaaaaaa). See https://www.lua.org/manual/5.4/manual.html on ipairs vs. pairs: # only counts index-value pairs, i.e. ipairs.

As a quick fix you can comment out lines 3337, 3339 and 3340.

Additional Issues
For me, only a few of the ms-sql-* scripts actually work. This is partly due to the use of the deprecated format_output function, e.g. in the following scripts:

  • ms-sql-hasdbaccess.nse
  • ms-sql-query.nse
  • ms-sql-brute.nse
  • ms-sql-config.nse
  • broadcast-ms-sql-discover.nse
  • ms-sql-xp-cmdshell.nse
  • ms-sql-tables.nse

Also, there is a typo in ms-sql-tables.nse ("ouptut" vs "output", see below):

return stdnse.format_ouptut(true, instanceOutput)

@secmxx secmxx added the Nmap label Mar 15, 2023
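The length-operator behaviour described in the report, shown as an added Lua illustration that is not code from nmap's nselib/mssql.lua or from any participant in this thread. A results table keyed by instance-name strings, like the `output` table the script builds, has an empty array part, so `#` yields 0 no matter how many entries it holds; `next()` or a `pairs()` count sees them. All helper names (`build_output`, `fake_instance_result`, `has_entries_*`, `result_or_nil`) and the addresses used as keys are constructed for the demo.

```lua
-- Added illustration of the Lua length-operator pitfall described in the
-- issue; not code from nmap's nselib/mssql.lua. All names are assumed.

-- Constructed stand-in for what process_instance() would return per instance.
local function fake_instance_result(name)
  return { instance = name, version = "15.00.4188.00 (constructed sample)" }
end

-- Mirrors the script's pattern: results keyed by the instance name string.
local function build_output(instance_names)
  local output = {}
  for _, name in ipairs(instance_names) do
    output[name] = fake_instance_result(name)
  end
  return output
end

-- Buggy emptiness check: # reports the length of the array part (keys 1..n),
-- which is 0 for a table that only has string keys.
local function has_entries_buggy(output)
  return #output > 0
end

-- Fixed check: next() returns the first key of any type, or nil if empty.
local function has_entries_fixed(output)
  return next(output) ~= nil
end

-- Alternative: count every key with pairs(), which visits string keys too.
local function count_entries(output)
  local n = 0
  for _ in pairs(output) do n = n + 1 end
  return n
end

-- Single instance, as in the report: one string key, nothing in the array part.
local single = build_output({ "127.0.0.1:1433" })
assert(#single == 0)                      -- why the script returned nil
assert(has_entries_buggy(single) == false)
assert(has_entries_fixed(single) == true)
assert(count_entries(single) == 1)

-- Several instances (constructed addresses): still string-keyed, # stays 0.
local many = build_output({ "10.0.0.5:1433", "10.0.0.5:1434", "10.0.0.5:1435" })
assert(#many == 0)
assert(count_entries(many) == 3)

-- A table mixing array and string keys: # counts only the 1..n sequence.
local mixed = { "a", "b", ["127.0.0.1:1433"] = true }
assert(#mixed == 2)
assert(count_entries(mixed) == 3)

-- Corrected form of the script's decision: return results when any key exists.
local function result_or_nil(output)
  if has_entries_fixed(output) then
    return output
  end
  return nil
end

assert(result_or_nil(single) ~= nil)
assert(result_or_nil({}) == nil)
print("all checks passed")
```

Running the file with any Lua 5.x interpreter (`lua demo.lua`) executes the assertions; the `#single == 0` check is the exact condition that made the original `if #output > 0` branch skip a single discovered instance.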
@gorbehnare

gorbehnare commented Mar 23, 2023

Thanks for this... well, I gave homework to my students, and now they are all screwed :D I'll have them download older versions of nmap for now...
Edit: Only some Windows systems are affected by this. I can only tell from student assignment submissions, as the majority of them seem to be able to get results. I tested this on my own systems: Windows 10 Pro in a VM is unaffected, but Windows 10 Home in a VM is affected by this. I only installed these two VMs to check, so this is not a complete test or even a good sample size for narrowing down the problem. There may be factors other than nmap itself contributing to this.

@daniruiz

Hello!
I've also noticed this issue using nmap 7.93. We have pushed a patch to Kali's repository that should fix it. Feel free to test it and open a bug report (bugs.kali.org) if there's anything else to fix.
Here's the commit with the patch: https://gitlab.com/kalilinux/packages/nmap/-/commit/984afc842c6e4a0b4f1b4c3fdd2ecaf10e7127c9

From: Sophie Brun <sophie@offensive-security.com>
Date: Tue, 28 Mar 2023 10:29:02 +0200
Subject: Fix mssql scripts

Fix the following issues:
- GetTargetInstances returns only one value.
- #output will always return 0 when scanning a single instance. Add a
  real count of values
- typo in scripts/ms-sql-tables.nse (ouptut != output)

Bug: https://github.com/nmap/nmap/issues/2622
Origin: https://github.com/nmap/nmap/issues/2622
---
 nselib/mssql.lua          | 9 ++++++---
 scripts/ms-sql-tables.nse | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/nselib/mssql.lua b/nselib/mssql.lua
index e275e54..cdf287e 100644
--- a/nselib/mssql.lua
+++ b/nselib/mssql.lua
@@ -3203,8 +3203,9 @@ Helper =
     Helper.Discover( host )
 
     if ( port ) then
-      local status, instances = Helper.GetDiscoveredInstances(host, port)
-      if status then
+      local instances = Helper.GetDiscoveredInstances(host, port)
+
+      if instances then
         return true, instances
       else
         return false, "No SQL Server instance detected on this port"
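Review bot: the new `if instances then` relies on `Helper.GetDiscoveredInstances` returning nil when nothing matches the port; a Lua table is truthy even when empty, so if that function can return `{}` the `return false, "No SQL Server instance detected on this port"` branch becomes unreachable and an empty list is handed back as success. If that case exists, guard with `if instances and next(instances) then`. Separately, the commit message says GetTargetInstances returns only one value, but the call changed in this hunk is GetDiscoveredInstances; the message should name the function actually fixed.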
@@ -3331,10 +3332,12 @@ Helper =
         return nil
       end
       local output = {}
+      local count = 0
       for _, instance in ipairs(instances) do
         output[instance:GetName()] = process_instance(instance)
+	count = count + 1
       end
-      if #output > 0 then
+      if count > 0 then
         return outlib.sorted_by_key(output)
       end
       return nil
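Review bot: the added `count = count + 1` is indented with a tab while the surrounding lines use spaces; match the file's indentation. The counter also tracks loop iterations rather than entries in `output`: if `process_instance(instance)` ever returns nil, the assignment stores nothing yet `count` still increments, and an empty table reaches `outlib.sorted_by_key`. Testing the table itself with `if next(output) ~= nil then` needs no extra variable and stays correct in that case.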
diff --git a/scripts/ms-sql-tables.nse b/scripts/ms-sql-tables.nse
index caf0a82..45f32c5 100644
--- a/scripts/ms-sql-tables.nse
+++ b/scripts/ms-sql-tables.nse
@@ -245,7 +245,7 @@ local function process_instance( instance )
   instanceOutput["name"] = string.format( "[%s]", instance:GetName() )
   table.insert( instanceOutput, output )
 
-  return stdnse.format_ouptut(true, instanceOutput)
+  return stdnse.format_output(true, instanceOutput)
 
 end
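Review bot: renaming `format_ouptut` to `format_output` removes the runtime error, but it leaves ms-sql-tables.nse on `stdnse.format_output`, which the report above lists as deprecated in this and six other ms-sql-* scripts. Returning the `instanceOutput` table directly, so NSE renders it as structured output, would avoid the deprecated call; the commit message covers only the typo, so the remaining deprecation should be noted as follow-up work.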
 

We have also uploaded the fixed package (version 7.93+dfsg1-0kali3) to the kali-experimental branch, and it should be ready in kali-rolling soon.
http://pkg.kali.org/pkg/nmap

@secmxx

secmxx commented Apr 20, 2023

Thanks a lot!

@iasdeoupxe

It could be possible that the patch also fixes #2535, #2388, #2571 and #2572.

@Lukas-Ldc

Hello,
I tested "ms-sql-info" with 3 versions of Nmap:

  • nmap-7.92.tar.bz2: with no changes, ms-sql-* scripts are working.
  • nmap-7.93.tar.bz2: ms-sql-* scripts are not working; I changed mssql.lua with the patch from @daniruiz.
  • nmap-7.94.tar.bz2: ms-sql-* scripts are not working; I changed mssql.lua with the patch from @daniruiz.

When I am using "ms-sql-info" with Nmap 7.92, the script gives the list of all the MS-SQL instances from one server.
When I am using "ms-sql-info" with Nmap 7.93 (patched) or 7.94 (patched), the script works but gives only one MS-SQL instance per server.
Am I the only one experiencing this?

Also, I don't know if it is linked to this issue, but with the 7.93 (patched) or 7.94 (patched) versions, when using the script "ms-sql-config" (or any other ms-sql-* with credentials), when I try to use mssql.domain (with username and password), I get the following error: "No parser for token type: 0x0".

@ShutdownRepo

ShutdownRepo commented Dec 11, 2023

👋 any news on merging/pushing this potential fix?

@redbankdev

I'm currently still learning, but I recently ran an nmap script using ms-* scripts, and I still received the error concerning 'nil'. I'm assuming this still needs work.

@gorbehnare

Still not fixed... I'm probably going to have to provide an older version of nmap or find some other solution. Unfortunately it seems that this software is not very well maintained for Windows, so nmap/zenmap may or may not work on student systems, which is not something that we can tolerate when they are just starting their learning and cannot yet identify whether they actually got the correct output or not.

@iasdeoupxe

not very well maintained for Windows

This is not Windows specific and also happens on any other system like a Linux one.

@johnjaylward

I also ran into this and did not look for an issue before submitting a PR. However my PR #2784 also addresses this issue.

@Arthurlu0421

I also ran into this and did not look for an issue before submitting a PR. However my PR #2784 also addresses this issue.

Fixed this bug: attempt to index a nil value
stack traceback:
[C]: in for iterator 'for iterator'

@nnposter

nnposter commented Jul 4, 2024

Thanks to @secmxx for this excellent write-up.

All the issues covered by @johnjaylward's PR #2784 have been hopefully rectified in r38948 (a0d24d0), r38945 (3ab8fc2), and r38943 (f4b0922), albeit partially differently.

The issue with misspelled stdnse.format_ouptut() in ms-sql-tables.nse has been rectified in r38949 (92995af).
