Home page logo
/

nmap-dev logo Nmap Development mailing list archives

http.lua not handling malformed HTTP response gracefully
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 2 Jul 2009 20:41:17 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all, I ran into a machine on campus (Cannon Printer) that causes
NSE to hang forever in a busy-loop.  Since the script never yields even
host timeout doesn't help.

Thanks to David's sharp eye and troubleshooting genius, I have attached
a simple test case.

You can make a listener with:

sudo ncat -l 80 --sh-exec "cat bad-http.txt"

And you can scan it with:

nmap --script=html-title -p 80 -d2 localhost

With high debugging on, you should see something like:

...
NSOCK (0.1030s) Read request from IOD #1 [x.y.179.88:80] (timeout: 7000ms) EID 34
NSOCK (0.1030s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.1030s) Callback: READ EOF for EID 34 [x.y.179.88:80]
NSE: TCP x.y.1.115:38187 > x.y.179.88:80 | CLOSE
<hang forever at 100% CPU here>

David points out that the likely culprit is that the HTTP response
includes "Transfer-Encoding: chunked" but the response is not actually
chunked.

All the scripts that make use of http.lua will die when this happens.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEUEARECAAYFAkpNG3MACgkQqaGPzAsl94LIHQCgtIwnNbdvGjflv/yj6TDeKX7f
+00Al1AlW0Kkmmr7z4mY002yFbtppEo=
=9PVA
-----END PGP SIGNATURE-----

Attachment: bad-http.txt
Description:


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault