mailing list archives
http.lua not handling malformed HTTP response gracefully
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 2 Jul 2009 20:41:17 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hey all, I ran into a machine on campus (Cannon Printer) that causes
NSE to hang forever in a busy-loop. Since the script never yields even
host timeout doesn't help.
Thanks to David's sharp eye and troubleshooting genius, I have attached
a simple test case.
You can make a listener with:
sudo ncat -l 80 --sh-exec "cat bad-http.txt"
And you can scan it with:
nmap --script=html-title -p 80 -d2 localhost
With high debugging on, you should see something like:
NSOCK (0.1030s) Read request from IOD #1 [x.y.179.88:80] (timeout: 7000ms) EID 34
NSOCK (0.1030s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.1030s) Callback: READ EOF for EID 34 [x.y.179.88:80]
NSE: TCP x.y.1.115:38187 > x.y.179.88:80 | CLOSE
<hang forever at 100% CPU here>
David points out that the likely culprit is that the HTTP response
includes "Transfer-Encoding: chunked" but the response is not actually
All the scripts that make use of http.lua will die when this happens.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
-----END PGP SIGNATURE-----
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
- http.lua not handling malformed HTTP response gracefully Brandon Enright (Jul 02)