Nmap Development mailing list archives

[NSE] Bug (short read) in pop3-capabilities.nse
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 11 Jun 2012 11:04:35 -0500

Hey list,

I would have reported this with a patch, but I never quite got the hang of reading from sockets in NSE scripts :(

When scanning one of the Alexa top 1M hosts via IPv6, I ran across this exception:
NSOCK (0.8110s) TCP connection requested to 2a01:4f8:121:1262::2:110 (IOD #1) EID 8
NSOCK (0.9530s) Callback: CONNECT SUCCESS for EID 8 [2a01:4f8:121:1262::2:110]
NSE: TCP XXXX:42686 > 2a01:4f8:121:1262::2:110 | CONNECT
NSOCK (0.9530s) Read request from IOD #1 [2a01:4f8:121:1262::2:110] (timeout: 10000ms) EID 18
NSOCK (1.0920s) Callback: READ SUCCESS for EID 18 [2a01:4f8:121:1262::2:110] (76 bytes): +OK CommuniGate Pro POP3 Server 5.2.20 ready <14999.1339429588 () aenigma gr>..
NSE: TCP XXXX:42686 < 2a01:4f8:121:1262::2:110 | +OK CommuniGate Pro POP3 Server 5.2.20 ready <14999.1339429588 () aenigma gr>

NSE: TCP XXXX:42686 > 2a01:4f8:121:1262::2:110 | 00000000: 43 41 50 41 0d 0a CAPA

NSOCK (1.0930s) Write request for 6 bytes to IOD #1 EID 27 [2a01:4f8:121:1262::2:110]: CAPA..
NSOCK (1.0930s) Callback: WRITE SUCCESS for EID 27 [2a01:4f8:121:1262::2:110]
NSE: TCP XXXX:42686 > 2a01:4f8:121:1262::2:110 | SEND
NSOCK (1.0940s) Read request from IOD #1 [2a01:4f8:121:1262::2:110] (timeout: 10000ms) EID 34
NSOCK (1.2320s) Callback: READ SUCCESS for EID 34 [2a01:4f8:121:1262::2:110] (29 bytes): +OK capability list follows..
NSE: TCP XXXX:42686 < 2a01:4f8:121:1262::2:110 | 00000000: 2b 4f 4b 20 63 61 70 61 62 69 6c 69 74 79 20 6c +OK capability l
00000010: 69 73 74 20 66 6f 6c 6c 6f 77 73 0d 0a          ist follows

NSE: 'pop3-capabilities' (thread: 0x8ba8468) against 2a01:4f8:121:1262::2:110 threw an error!
./nselib/pop3.lua:173: bad argument #2 to 'sub' (number expected, got nil)
stack traceback:
        [C]: in function 'sub'
        ./nselib/pop3.lua:173: in function 'capabilities'
        ./scripts/pop3-capabilities.nse:30: in function <./scripts/pop3-capabilities.nse:29>
        (...tail calls...)

I checked manually, and this is the response I get:
ncat -vvv -6 freestuff.gr 110
Ncat: Version 6.01 ( http://nmap.org/ncat )
NSOCK (0.0110s) TCP connection requested to 2a01:4f8:121:1262::2:110 (IOD #1) EID 8
NSOCK (0.1550s) Callback: CONNECT SUCCESS for EID 8 [2a01:4f8:121:1262::2:110]
Ncat: Connected to 2a01:4f8:121:1262::2:110.
NSOCK (0.1560s) Read request from IOD #1 [2a01:4f8:121:1262::2:110] (timeout: -1ms) EID 18
NSOCK (0.1560s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 26
NSOCK (0.2970s) Callback: READ SUCCESS for EID 18 [2a01:4f8:121:1262::2:110] (76 bytes)
+OK CommuniGate Pro POP3 Server 5.2.20 ready <15001.1339430446 () aenigma gr>
NSOCK (0.2970s) Read request for 0 bytes from IOD #1 [2a01:4f8:121:1262::2:110] EID 34
CAPA
NSOCK (5.0260s) Callback READ SUCCESS for EID 26 (peer unspecified) (5 bytes)
NSOCK (5.0260s) Write request for 5 bytes to IOD #1 EID 43 [2a01:4f8:121:1262::2:110]
NSOCK (5.0260s) Callback: WRITE SUCCESS for EID 43 [2a01:4f8:121:1262::2:110]
NSOCK (5.0260s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 50
NSOCK (5.1690s) Callback: READ SUCCESS for EID 34 [2a01:4f8:121:1262::2:110] (29 bytes)
+OK capability list follows
NSOCK (5.1690s) Read request for 0 bytes from IOD #1 [2a01:4f8:121:1262::2:110] EID 58
NSOCK (5.3090s) Callback: READ SUCCESS for EID 58 [2a01:4f8:121:1262::2:110] (129 bytes)
SASL LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM
STLS
LAST
TOP
USER
PIPELINING
UIDL
IMPLEMENTATION CommuniGatePro
.
NSOCK (5.3090s) Read request for 0 bytes from IOD #1 [2a01:4f8:121:1262::2:110] EID 66
QUIT
NSOCK (8.9930s) Callback READ SUCCESS for EID 50 (peer unspecified) (5 bytes)
NSOCK (8.9930s) Write request for 5 bytes to IOD #1 EID 75 [2a01:4f8:121:1262::2:110]
NSOCK (8.9940s) Callback: WRITE SUCCESS for EID 75 [2a01:4f8:121:1262::2:110]
NSOCK (8.9940s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 82
NSOCK (9.1400s) Callback: READ SUCCESS for EID 66 [2a01:4f8:121:1262::2:110] (51 bytes)
+OK CommuniGate Pro POP3 Server connection closed
NSOCK (9.1400s) Read request for 0 bytes from IOD #1 [2a01:4f8:121:1262::2:110] EID 90
NSOCK (9.1400s) Callback: READ EOF for EID 90 [2a01:4f8:121:1262::2:110]
Ncat: 10 bytes sent, 285 bytes received in 9.15 seconds.
NSOCK (9.1400s) Callback: READ KILL for EID 82 (peer unspecified)

As you can see from the debug output, the response is sent in a separate packet from the "status line", so the pop3 library needs to keep reading until a "." is seen.

Dan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

