RE: Nmap causes critical error on Novell Netware 6 SP5
From: "Mike C (check)" <check () imjc com>
Date: Sun, 5 Feb 2006 22:16:58 -0000

I think your title is a bit wrong - it should read:

"Nmap exposes critical bug in Novell Netware 6 SP5 TCP/IP stack"

IMHO server s/w that falls over when it's port scanned is a bit of a
liability nowadays :-)

Anybody writing TCP/IP stacks should test their software against a whole
bunch of intrusion tools and techniques.

Mike


-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Axel Pettinger
Sent: 05 February 2006 18:29
To: nmap-dev () insecure org
Subject: Nmap causes critical error on Novell Netware 6 SP5


Hi,

Don't know whether there's something one of you can do to prevent the 
problem in future Nmap versions, nevertheless I'd like to report that 
the following Nmap command (on XPSP1) causes an "abnormal end" (abend) 
on a Novell Netware 6 SP5 server:

nmap -p514 -d9 -A -oN 514_2.txt <server-ip>

->
-----------------------------------------------------------------------
# Nmap 4.00 scan initiated Sun Feb 05 17:58:48 2006 as: nmap -p514 -d9 -A
-oN 514_2.txt <server_ip> 
(...)
Completed OS Detection against <server_ip> at 43.032s (took 2.227s)
Interesting ports on <server name> (server_ip):
PORT    STATE SERVICE VERSION
514/tcp open  shell?
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port514-TCP:V=4.00%I=7%D=2/5%Time=43E62EDB%P=i686-pc-windows-windows%r(
SF:DNSVersionBindReq,1,"\0");
OS details: BlueCoat SG4, Cayman 2E DSL/CABLE router, IBM AIX v3.2.5 - 4,
IBM AIX 4.02.0001.0000, IBM AIX 4.2, IBM AIX 4.2-4.3.3, IBM AIX 4.3, IBM AIX
4.3.2.0-4.3.3.0 on an IBM RS/*, IBM AIX 4.3.3.0 on an IBM RS/*, IBM AIX
v4.2, IBM AIX Version 4.3, Linux 1.3.20 (x86), Microsoft Windows 2003
Server, Microsoft Windows XP Home Edition (English) SP2, Netscreen 5XP
firewall+vpn (os 4.0.3r2.0), OpenBSD 3.6 x86 with pf "scrub in all",
Symantec Gateway Security 5310 Firewall, ZyXel 944S Prestige router
OS Fingerprint:
TSeq(Class=TR%IPID=RPI%TS=U)
T1(Resp=N)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Random positive increments

# Nmap run completed at Sun Feb 05 17:59:31 2006 -- 1 IP address (1 host up)
scanned in 43.064 seconds
-----------------------------------------------------------------------


The "System Console" shows the message:
"2-05-2006   5:58:39 pm:    SERVER-5.60-4631   [nmID=1001C]
    WARNING! Server (...) experienced a critical error. The offending
    process was suspended or recovered. However, services hosted by this
    server may have been affected."

On the "Logger Screen" the following message appeared several times:
"TLI-4.30-0012:  an asynchronous event has occurred;
     RCMDSRV-4.21:  t_rcv: can't get stderr port"


Extract from the abend log:

*********************************************************

Server (...) halted Sunday, February 5, 2006   5:58:37.580 pm
Abend 1 on P00: Server-5.60.05: Page Fault Processor Exception (Error code
00000000)

Registers:
    CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
    EAX = 00000000 EBX = 85386E40 ECX = 00000000 EDX = 826669E2
    ESI = 83817060 EDI = 8265ACD0 EBP = 85742960 ESP = 857423E0
    EIP = C8D10FB0 FLAGS = 00010286 
    C8D10FB0 0FB601         MOVZX   EAX,byte ptr [ECX]=?
    EIP in LIBC.NLM at code start +00082FB0h
    Access Location: 0x00000000

The violation occurred while processing the following instruction:
C8D10FB0 0FB601         MOVZX   EAX,byte ptr [ECX]
C8D10FB3 3C41           CMP     AL,41
C8D10FB5 0FB61A         MOVZX   EBX,byte ptr [EDX]
C8D10FB8 7206           JB      C8D10FC0
C8D10FBA 3C5A           CMP     AL,5A
C8D10FBC 7702           JA      C8D10FC0
C8D10FBE 0420           ADD     AL,20
C8D10FC0 80FB41         CMP     BL,41
C8D10FC3 7208           JB      C8D10FCD
C8D10FC5 80FB5A         CMP     BL,5A



Running process: rcmdsrv         6 Process
Thread Owned by NLM: RCMDSRV.NLM
Stack pointer: 85742240
OS Stack limit: 857369C0
Scheduling priority: 67371008
Wait state: 5050100  Delayed
Stack: --85386E40  ?
       (...)
Additional Information:
    The CPU encountered a problem executing code in LIBC.NLM.  The problem
may be in that module or in data passed to that module by a process owned by
RCMDSRV.NLM.

Loaded Modules: 
(...)
*********************************************************
RCMDSRV.NLM   v4.21       Mar.  1, 2002  rcmdsrv nlm
LIBC.NLM      v7.05       Jun. 23, 2004  Standard C Runtime Library for NLMs
[optimized, 5]


Similar abends happened on several Netware production servers when we 
had penetration testers in the house a short time before Christmas. We
never knew for sure but it's likely that they were the cause for the 
abends and the tool they used to scan the network was probably Nmap 
...

Regards,
Axel Pettinger


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev

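Added example, not code from the thread or from Novell: the faulting sequence in the abend log (MOVZX from [ECX] with ECX = 0 and Access Location 0x00000000, followed by an 'A'..'Z' check and ADD AL,20h) is the shape of a case-insensitive string compare handed a NULL pointer, and the "can't get stderr port" message matches the first field of the rsh/rcmd request format ("stderr-port\0locuser\0remuser\0command\0"). That RCMDSRV.NLM reached LIBC this way is an assumption here; the block shows a bounds-checked parser for that request that leaves every field NULL unless all four are present, and a compare routine that refuses NULL instead of dereferencing it, so a one-byte probe like Nmap's is rejected rather than crashing the server.

```c
/* Added example (not from the thread). Assumptions: the rsh/rcmd header is
 * "stderr-port\0locuser\0remuser\0command\0" (RFC 1282 / BSD rcmd), and the
 * crash in the abend log is a stricmp-style loop given a NULL argument. */
#include <stddef.h>
#include <string.h>
#include <ctype.h>

struct rcmd_req { const char *stderr_port, *locuser, *remuser, *command; };

/* Split exactly four NUL-terminated fields out of buf[0..len).
 * Returns 0 on success, -1 if any field is missing or unterminated.
 * All output pointers stay NULL until every field is present, so a
 * half-parsed struct can never be passed further down the stack. */
int rcmd_parse(const char *buf, size_t len, struct rcmd_req *out)
{
    const char *fields[4];
    size_t pos = 0;
    memset(out, 0, sizeof *out);
    for (int i = 0; i < 4; i++) {
        if (pos >= len) return -1;                        /* field absent   */
        const char *nul = memchr(buf + pos, '\0', len - pos);
        if (nul == NULL) return -1;                       /* unterminated   */
        fields[i] = buf + pos;
        pos = (size_t)(nul - buf) + 1;                    /* skip the NUL   */
    }
    out->stderr_port = fields[0]; out->locuser = fields[1];
    out->remuser     = fields[2]; out->command = fields[3];
    return 0;
}

/* Case-insensitive compare that treats NULL as a mismatch, not a fault. */
int safe_stricmp(const char *a, const char *b)
{
    if (a == NULL || b == NULL) return a == b ? 0 : (a == NULL ? -1 : 1);
    for (;; a++, b++) {
        int ca = tolower((unsigned char)*a), cb = tolower((unsigned char)*b);
        if (ca != cb || ca == '\0') return ca - cb;
    }
}

/* Constructed inputs: a well-formed request, and a one-byte probe that
 * carries no stderr port (sizeof counts the trailing NUL of each literal). */
static const char GOOD[]  = "0\0axel\0axel\0uptime";
static const char PROBE[] = "\0";

int good_request_accepted(void)
{
    struct rcmd_req r;
    return rcmd_parse(GOOD, sizeof GOOD, &r) == 0
        && safe_stricmp(r.remuser, "AXEL") == 0;
}

int probe_rejected_without_deref(void)
{
    struct rcmd_req r;
    return rcmd_parse(PROBE, sizeof PROBE, &r) == -1 && r.remuser == NULL;
}
```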
