
Nmap Development mailing list archives


Re: nmap crash (ssh-publickey-acceptance)


From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 3 Nov 2017 22:38:45 -0500

Darren,

Good news and bad news. The good: I found why publickey checking wasn't working; the helper function wasn't written to return the result of the libssh2 call, so the result was always 'nil', which is false. So that's cleared up in r37074, with a couple other fixes in subsequent revisions.

The bad: the results you provided don't really narrow down the problem to a reasonable search space. I have some ideas for doing so, though.

1. Try the crashing command, but with -n to disable reverse-DNS, which also uses Nsock.
2. Try the crashing command, but instead of -sV do --script "version,ssh-publickey-acceptance"
3. Try the crashing command, but add script-intensity=0 to your --script-args options.

Let me know which of these crashes and which does not.

Dan

On Fri, Nov 3, 2017 at 3:58 AM, Darren Martyn <darren () 0x27 me> wrote:

1. Output of nmap --version

Nmap version 7.60SVN (https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.3.3 openssl-1.0.2k nmap-libssh2-1.8.0 libz-1.2.8 libpcre-8.39 libpcap-1.8.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
SVN Revision: 37073

2. If I drop "-sV" the error does not occur. However, the SSH publickey acceptance script returns "No public keys accepted".

3. If I only use "-sV" the error does not occur.

4. If I remove the script arguments, the error does not occur - the script tries with a hardcoded? key (that I didn't spot in the source code of the script but may have missed something).

NSE: [ssh-publickey-acceptance M:55f6c25199f8 178.62.189.79:22] Checking key: AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/OB13hjPqrskogkYFrcW8OK4VJT+5+Fx7wd4sQCnVn8rNqahw/x6sfcOMDI/Xvn4yKU4t8TnYf2MpUVr4ndz39L5Ds1n7Si1m2suUNxWbKv58I8+NMhlt2ITraSuTU0NGymWOc8+LNi+MHXdLk= for user root

This is the first key in "publickeydb" in nselib/data/publickeydb

Interestingly, this bug may be related to: http://seclists.org/nmap-dev/2017/q3/162 - I triggered it while trying to replicate this issue.

For what it's worth, while original reporter was on OSX, I'm using Debian 9.

Regards,
Darren

On Fri, Nov 3, 2017 at 3:34 AM, Daniel Miller <bonsaiviking () gmail com> wrote:

Thanks for reporting this! It seems to be a double-free occurring during NSE garbage collection/shutdown, specifically in the nsock_pool_delete function. I can't readily see how this could be happening, so can you give a little more info?

1. output of nmap --version
2. Does the error occur if you do not use -sV?
3. Does the error occur if you only use -sV (i.e. not --script ssh-publickey-acceptance)
4. If the previous 2 tests show that ssh-publickey-acceptance is required to trigger the bug, does it crash if you do not use the --script-args you provided?

Thanks for your help.

Dan

On Thu, Nov 2, 2017 at 3:41 PM, Darren Martyn <darren () 0x27 me> wrote:

Attached is a log with loads of debug info. Got partially through redacting hostnames, then stopped bothering because it's a publicly routable host I own anyway.

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
