Vulnerability Development mailing list archives
Re: Remote exploitation of network scanners?
From: Fyodor <fyodor () INSECURE ORG>
Date: Fri, 25 Aug 2000 16:53:16 -0700
On Fri, 25 Aug 2000, Adam Prato wrote:
> I believe both the l0pht, nmap, and bass that was supposedly
> built to do some massive whole-internet-biopsy type of scan for vulnerabilities
> have all had some sort of remote attack.
No. Nobody has ever demonstrated a remote exploit against Nmap. And
local attacks aren't an issue because Nmap should never be run with
privileges (e.g. suid root). Sure, a malicious target could slow Nmap down
a bit by trickling responses back slowly, but I don't think you'll be able
to cause Nmap to do something nasty like execute arbitrary code or clobber
files.
But don't get too complacent. I ship the source code with Nmap for a
reason -- so that paranoid (smart!) users can determine what it does and
even do a security audit if desired. You can grab the latest source from
http://www.insecure.org/nmap/ . If you do manage to find anything, let me
know. I'll write an advisory & give you prominent credit or (your
choice) I'll just give you a URL for the patch so you can write and issue
your own advisory.
Cheers,
Fyodor
--
Fyodor 'finger pgp () pgp insecure org | pgp -fka'
Frustrated by firewalls? Try nmap: http://www.insecure.org/nmap/
"The percentage of users running Windows NT Workstation 4.0 whose PCs
stopped working more than once a month was less than half that of Windows
95 users."-- microsoft.com/ntworkstation/overview/Reliability/Highest.asp
Current thread:
Re: Remote exploitation of network scanners? Adam Prato (Aug 25)
Re: Remote exploitation of network scanners? Cashdollar, Larry (Aug 25)
Re: Remote exploitation of network scanners? Renaud Deraison (Aug 26)
Re: Remote exploitation of network scanners? antirez (Aug 26)