Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: non existent script called with --script=all
From: Fyodor <fyodor () insecure org>
Date: Fri, 24 Apr 2009 16:12:50 -0700

On Thu, Apr 23, 2009 at 05:38:15PM -0400, Michael Pattrick wrote:
Would it be worth while to have Nmap generate the script.db file on
the fly if it isn't present on the system, and then simply not
distribute it from SVN? After all, its generation isn't
computationally intensive.

It is an interesting idea, but I can see some down sides.  For
example, whenever you do an svn update and get new scripts, you'd need
to run --script-updatedb before you would see the new scripts.  Also,
Nmap is oftwn run by unprivileged users who can't write to the Nmap
system-wide scripts directory.  So we'd probably need to generate the
file at install time.  And that seems more complicated and error-prone
than our current system.

I do think we should make it easier to see changes to the file
(e.g. in svn diff) so we can catch these problems more easily.  I
think there were three factors which contributed to us not catching
this smb-check-vulns-2.nse entry:

1) It was a rushed release, and the Conficker changes were checked in
right before the release happened.  This was because Symantec didn't
want the script released publicly until Tuesday.  I guess they didn't
want to tip off the Conficker authors to the new detection technique.
Unfortunately, rushed releases are always a recipe for trouble.

2) (minor) The whitespace in scripts/script.db changed between the
version in SVN and the version Ron built.  I'm not sure why that was
(maybe the Lua core rewrite), but it lead to cheanges in almost every
line of script.db showing in the diff.  So the bogus smb-check-vulns-2
didn't send out.

3) (minor) There may have been sorting problems with script.db as
well.  Last year, David changed nse_init.cc to sort scripts.db by
filenames.  But that functionality may have been lost (along with
nse_init.cc as a whole) with the new Lua rewrite of the NSE core.
David restored it today with a change to nse_main.cc.

Hopefully now we will only see important changes in the diff for
script.db commits.  And as long as pay attention to those changes and
make sure they are reasonable, I hope we can prevent this sort of
problem in the future.

I don't think this is so serious that we need to do a new release
right now (--script=all is probably somewhat rarely used), but we
should probably do a new release within a week.


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]