Nmap Development
mailing list archives
http.lua not handling malformed HTTP response gracefully
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 2 Jul 2009 20:41:17 +0000
Hey all, I ran into a machine on campus (Canon printer) that causes NSE to hang forever in a busy-loop. Since the script never yields, even the host timeout doesn't help.
Thanks to David's sharp eye and troubleshooting genius, I have attached a simple test case.
You can make a listener with:
sudo ncat -l 80 --sh-exec "cat bad-http.txt"
And you can scan it with:
nmap --script=html-title -p 80 -d2 localhost
With high debugging on, you should see something like:
...
NSOCK (0.1030s) Read request from IOD #1 [x.y.179.88:80] (timeout: 7000ms) EID 34
NSOCK (0.1030s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.1030s) Callback: READ EOF for EID 34 [x.y.179.88:80]
NSE: TCP x.y.1.115:38187 > x.y.179.88:80 | CLOSE
<hang forever at 100% CPU here>
David points out that the likely culprit is that the HTTP response includes "Transfer-Encoding: chunked" but the response is not actually chunked.
All the scripts that make use of http.lua will die when this happens.
Brandon
Attachment: bad-http.txt
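The failure mode described in this thread (a body advertised as chunked that carries no chunk framing) is easy to reproduce against a decoder. The following is an added example in Python, not the http.lua code this report is about: a chunked-body decoder that reports "malformed" or "truncated" instead of retrying the same input, with constructed sample responses standing in for the attached bad-http.txt.

```python
"""Defensive HTTP/1.1 chunked-body decoding (added example, not Nmap's http.lua)."""

HEX_DIGITS = b"0123456789abcdefABCDEF"


def parse_chunked(body: bytes, max_chunk: int = 1 << 20):
    """Decode a chunked transfer-coded body.

    Returns (decoded_bytes, status) with status "ok", "truncated" or
    "malformed". A chunk-size line that is not hex (for instance the first
    line of an HTML document sent with Transfer-Encoding: chunked but no
    framing) ends decoding with "malformed"; a body that runs out before the
    last-chunk ends with "truncated". Every path either consumes input or
    returns, so the loop cannot spin on the same bytes forever.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            return bytes(out), "truncated"          # no complete size line left
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            return bytes(out), "malformed"
        size = int(size_field, 16)
        if size > max_chunk:
            return bytes(out), "malformed"          # refuse absurd sizes
        pos = eol + 2
        if size == 0:
            return bytes(out), "ok"                 # last-chunk; trailers ignored here
        chunk = body[pos:pos + size]
        out += chunk
        if len(chunk) < size:
            return bytes(out), "truncated"
        pos += size
        if body[pos:pos + 2] != b"\r\n":            # chunk data must end with CRLF
            return bytes(out), "malformed"
        pos += 2


def decode_response(raw: bytes):
    """Split a raw response and decode the body if it claims chunked encoding.
    Header matching is simplified (exact lowercase 'transfer-encoding: chunked')."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if b"transfer-encoding: chunked" in head.lower():
        return parse_chunked(body)
    return body, "ok"


# Constructed samples: the printer-style response claims chunking but sends plain HTML.
BAD_RESPONSE = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                b"<html>\r\n<title>Printer</title>\r\n</html>\r\n")
GOOD_RESPONSE = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                 b"5\r\n<html\r\n1\r\n>\r\n0\r\n\r\n")
```

Run with `python -c "import chunked; print(chunked.decode_response(chunked.BAD_RESPONSE))"` (assuming the file is saved as chunked.py) to see the malformed case reported rather than looping.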
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org