Nmap Development
mailing list archives
Re: http.lua not handling malformed HTTP response gracefully
From: David Fifield <david () bamsoftware com>
Date: Wed, 8 Jul 2009 21:16:21 -0600
On Thu, Jul 02, 2009 at 08:41:17PM +0000, Brandon Enright wrote:
> Hey all, I ran into a machine on campus (Cannon Printer) that causes
> NSE to hang forever in a busy-loop. Since the script never yields even
> host timeout doesn't help.
>
> Thanks to David's sharp eye and troubleshooting genius, I have attached
> a simple test case.
>
> You can make a listener with:
>
> sudo ncat -l 80 --sh-exec "cat bad-http.txt"
>
> And you can scan it with:
>
> nmap --script=html-title -p 80 -d2 localhost
>
> With high debugging on, you should see something like:
>
> ...
> NSOCK (0.1030s) Read request from IOD #1 [x.y.179.88:80] (timeout: 7000ms) EID 34
> NSOCK (0.1030s) nsock_loop() started (timeout=50ms). 1 events pending
> NSOCK (0.1030s) Callback: READ EOF for EID 34 [x.y.179.88:80]
> NSE: TCP x.y.1.115:38187 > x.y.179.88:80 | CLOSE
> <hang forever at 100% CPU here>
>
> David points out that the likely culprit is that the HTTP response
> includes "Transfer-Encoding: chunked" but the response is not actually
> chunked.
I believe this is fixed in r14121. I added much more robust handling of
the chunked transfer encoding. Unless I made an implementation error, it
supports everything from section 3.6.1 of RFC 2616. It also reports an
error if a body is truncated, where the old code would silently ignore
that.
This bug prevented me from completing any of Patrick's NSE performance
tests, but with it fixed I completed a test for the first time.
I made some test files with different varieties of chunked bodies. I'll
try to attach them. Here's a summary of how the new code differs from
the old in the test cases. The old code is on the left, the new on the
right.
                                                                                   r14120             r14121
1. Not chunked; error expected                                                     hang               error reported
2. Properly chunked, no chunk-extensions, no LWS                                   success            success
3. Properly chunked, no chunk-extensions, extra space                              success            success
4. Properly chunked, chunk-extensions without quoted-strings                       hang               success
5. Properly chunked, chunk-extensions with quoted-strings                          hang               success
6. chunk-extensions with quoted-strings, \ at end of string, error expected        hang               error reported
7. chunk-extensions with quoted-strings, non-ASCII following backslash, error expected   hang         error reported
8. chunk-extensions with quoted-strings and control characters, error expected     hang               error reported
9. Inaccurate chunk size, error expected                                           silent truncation  error reported
David Fifield
Attachment: http-chunked-tests.tar.gz
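The failure modes in the thread (a body that is declared chunked but is not, chunk-extensions with quoted-strings, a stray backslash, non-ASCII after a backslash, control characters, a chunk-size that does not match the data) all come down to how strictly the chunk grammar of RFC 2616 section 3.6.1 is parsed. The decoder below is an added example written for this archive page, not the r14121 http.lua code; it implements that grammar in Python with the bounds checks that make each of the nine cases above either succeed or report an error instead of spinning or silently truncating. The nine test bodies in the `__main__` block are constructed here and are not the contents of the attached tarball.

```python
"""Decoder for the HTTP/1.1 chunked transfer-coding (RFC 2616 section 3.6.1)
that reports an error instead of hanging or silently truncating on malformed
input. Added example; not the code from Nmap's http.lua."""
import re


class ChunkedError(Exception):
    """Raised when the body does not conform to the chunked transfer-coding."""


# token = 1*<any CHAR except CTLs or separators>   (RFC 2616 section 2.2)
_TOKEN = re.compile(rb"[!#$%&'*+\-.0-9A-Z^_`a-z|~]+")
_HEX = re.compile(rb"[0-9A-Fa-f]+")
_LWS = re.compile(rb"[ \t]*")


def _quoted_string(body, pos):
    """Parse quoted-string = <"> *(qdtext | quoted-pair) <"> where body[pos] is
    the opening quote. Returns the position just past the closing quote."""
    pos += 1
    while True:
        if pos >= len(body):
            raise ChunkedError("truncated quoted-string in chunk-extension")
        c = body[pos]
        if c == 0x22:  # closing '"'
            return pos + 1
        if c == 0x5C:  # '\' starts quoted-pair = "\" CHAR; CHAR is US-ASCII 0-127
            if pos + 1 >= len(body):
                raise ChunkedError("backslash at end of quoted-string")
            if body[pos + 1] > 0x7F:
                raise ChunkedError("non-ASCII octet after backslash in quoted-string")
            pos += 2
            continue
        # qdtext is TEXT minus '"', and TEXT excludes CTLs (HT is the only CTL allowed)
        if (c < 0x20 and c != 0x09) or c == 0x7F:
            raise ChunkedError("control character in quoted-string")
        pos += 1


def _chunk_extension(body, pos):
    """Parse *( ";" chunk-ext-name [ "=" chunk-ext-val ] ), tolerating LWS
    around the separators. Returns the position where the extension ends."""
    while True:
        pos = _LWS.match(body, pos).end()
        if pos >= len(body) or body[pos] != 0x3B:  # ';'
            return pos
        pos = _LWS.match(body, pos + 1).end()
        m = _TOKEN.match(body, pos)
        if not m:
            raise ChunkedError("expected chunk-ext-name")
        pos = _LWS.match(body, m.end()).end()
        if pos < len(body) and body[pos] == 0x3D:  # '='
            pos = _LWS.match(body, pos + 1).end()
            if pos < len(body) and body[pos] == 0x22:
                pos = _quoted_string(body, pos)
            else:
                m = _TOKEN.match(body, pos)
                if not m:
                    raise ChunkedError("expected chunk-ext-val")
                pos = m.end()


def _expect_crlf(body, pos, what):
    """Require CRLF at body[pos]; distinguish a short read from a bad byte."""
    if body[pos:pos + 2] != b"\r\n":
        if pos + 2 > len(body):
            raise ChunkedError("truncated body while reading " + what)
        raise ChunkedError("expected CRLF after " + what)
    return pos + 2


def decode_chunked(body):
    """Decode a complete chunked body. Returns (data, trailers) or raises
    ChunkedError. Every loop iteration consumes input, so it cannot spin."""
    out = bytearray()
    pos = 0
    while True:
        m = _HEX.match(body, pos)
        if not m:
            if pos >= len(body):
                raise ChunkedError("truncated body: missing chunk-size")
            raise ChunkedError("expected chunk-size; body is probably not chunked")
        size = int(m.group(), 16)
        pos = _chunk_extension(body, m.end())
        pos = _expect_crlf(body, pos, "chunk-size")
        if size == 0:  # last-chunk; the trailer follows
            break
        data = body[pos:pos + size]
        if len(data) < size:  # inaccurate chunk-size: report, do not truncate silently
            raise ChunkedError("truncated chunk-data: wanted %d octets, got %d" % (size, len(data)))
        out += data
        pos = _expect_crlf(body, pos + size, "chunk-data")
    trailers = {}
    while True:  # trailer = *(entity-header CRLF) followed by an empty line
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ChunkedError("truncated trailer")
        line = body[pos:end]
        pos = end + 2
        if not line:
            return bytes(out), trailers
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.fullmatch(name):
            raise ChunkedError("malformed trailer line")
        trailers[name.lower()] = value.strip()


def describe(body):
    """Summarize the outcome the way the table in this thread does."""
    try:
        data, _ = decode_chunked(body)
    except ChunkedError as e:
        return "error reported: " + str(e)
    return "success: " + repr(data)


if __name__ == "__main__":
    # Constructed bodies mirroring the nine cases in the thread (not the attached files).
    cases = [
        b"<html><title>x</title></html>",            # 1. not chunked
        b"5\r\nhello\r\n0\r\n\r\n",                   # 2. plain
        b"5 \r\nhello\r\n0\r\n\r\n",                  # 3. extra space
        b"5;name=value\r\nhello\r\n0\r\n\r\n",        # 4. extension, token value
        b'5;name="a;b"\r\nhello\r\n0\r\n\r\n',        # 5. extension, quoted-string
        b'5;name="ab\\',                              # 6. backslash at end of string
        b'5;name="a\\\xc3\xa9"\r\nhello\r\n0\r\n\r\n', # 7. non-ASCII after backslash
        b'5;name="a\x01b"\r\nhello\r\n0\r\n\r\n',     # 8. control character
        b"10\r\nhello\r\n0\r\n\r\n",                  # 9. chunk-size larger than data
    ]
    for n, body in enumerate(cases, 1):
        print(n, describe(body))
```

Cases 2 through 5 decode to `hello`; the other five raise a `ChunkedError` whose message names the offending construct, which is the information a script author needs when an NSE run stops instead of hanging.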
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org