Nmap Development mailing list archives

Re: Unbounded memory use in drda-info
From: Sebastian Dragomir <velorien () gmail com>
Date: Mon, 9 May 2011 06:05:25 +0300

I found that the problem originates in drda.lua, lines 271-275.
The script gets stuck in this loop forever because "data" is less than 4
characters, so "pos" will always be -1 due to line 323.
This is because recv does not read all the needed bytes on line 255 due to
the EOF.

receive_bytes does not seem to guarantee it will return a minimum of n bytes,
even though the wording in its documentation might suggest so.
It sets NSE_STATUS_SUCCESS even when not all bytes have been received
(nsock/src/nsock_core.c line 736), which may or may not be intended for
receive_bytes.

Here is a patch for drda.lua.

Thanks,
Sebastian

On Sun, May 8, 2011 at 10:22 PM, Fyodor <fyodor () insecure org> wrote:

On Wed, May 04, 2011 at 05:13:20PM -0700, David Fifield wrote:
drda-info uses up all my memory when I run this command:

      nmap --script=drda-info localhost -p 50000 -d2

against this server:

      ncat -lk -v 50000 --sh-exec "echo foo"

Good catch, I can reproduce it.  My Nmap process grew to more than a
gigabyte in seconds (then I quit with ^C).  At least drda-info is not
in the default category.  I'll add this to the Nmap TODO now.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Attachment: drda.lua.patch
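
The pitfall Sebastian describes (receive_bytes reporting success on a short read, and a parse loop that then spins because the buffer never reaches the 4 bytes it expects) is shown below as an added example. It is not code from drda.lua or from the attached patch: MockSocket, receive_exact and read_message are hypothetical names, the mock socket only copies the status/data return shape of an NSE socket's receive_bytes, and the framing (2-byte big-endian length followed by a 2-byte codepoint) is a simplification rather than the real DRDA/DDM layout. The inputs are constructed; the first is the "foo\n" that `ncat --sh-exec "echo foo"` would send.

```lua
-- Added example, not drda.lua or the attached patch. MockSocket,
-- receive_exact and read_message are hypothetical; the 2-byte length +
-- 2-byte codepoint header is a simplified stand-in for DRDA framing.

local MockSocket = {}
MockSocket.__index = MockSocket

-- payload: constructed bytes the "server" sends; max_chunk: the most bytes
-- one receive_bytes call hands back, to simulate short reads.
function MockSocket.new(payload, max_chunk)
  return setmetatable({ buf = payload, pos = 1, max_chunk = max_chunk or 4096 }, MockSocket)
end

-- Mirrors the behaviour the thread describes for receive_bytes(n): status
-- is true even when fewer than n bytes, or none at all at EOF, come back.
function MockSocket:receive_bytes(n)
  local want = math.min(n, self.max_chunk)
  local chunk = self.buf:sub(self.pos, self.pos + want - 1)
  self.pos = self.pos + #chunk
  return true, chunk
end

-- Read exactly n bytes: loop over short reads, fail on EOF instead of
-- handing a truncated buffer to the parser.
local function receive_exact(sock, n)
  local parts, have = {}, 0
  while have < n do
    local status, data = sock:receive_bytes(n - have)
    if not status then
      return false, data
    end
    if #data == 0 then
      return false, ("EOF after %d of %d bytes"):format(have, n)
    end
    parts[#parts + 1] = data
    have = have + #data
  end
  return true, table.concat(parts)
end

-- Parse one framed message: 2-byte big-endian length (counting the
-- header itself), 2-byte codepoint, then the body.
local function read_message(sock)
  local status, hdr = receive_exact(sock, 4)
  if not status then
    return nil, "header: " .. hdr
  end
  local len = hdr:byte(1) * 256 + hdr:byte(2)
  local codepoint = hdr:byte(3) * 256 + hdr:byte(4)
  if len < 4 then
    return nil, ("length field %d smaller than header"):format(len)
  end
  local body
  status, body = receive_exact(sock, len - 4)
  if not status then
    return nil, "body: " .. body
  end
  return { length = len, codepoint = codepoint, body = body }
end

-- Constructed input 1: "foo\n". The bytes parse as a huge length and the
-- body read hits EOF, so the caller gets an error rather than a loop.
local msg, err = read_message(MockSocket.new("foo\n"))
print(msg, err)

-- Constructed input 2: a well-formed 9-byte message (length 9, codepoint
-- 0x1234, body "hello") delivered 3 bytes at a time; receive_exact
-- reassembles it across the short reads.
local framed = "\0\9\18\52hello"
msg, err = read_message(MockSocket.new(framed, 3))
print(msg and msg.codepoint, msg and msg.body, err)
```

The two checks that matter are the zero-length read, which is the only signal the mock (like the real call, per the thread) gives for EOF, and the sanity test on the length field before it is used to size the next read; either one alone would have stopped the unbounded growth reported in this thread.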
