
Nmap Development mailing list archives
Re: New VA Modules: OpenVAS: 1, MSF: 5, Nessus: 13
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 18 Jul 2012 17:56:25 -0500
On 07/18/2012 12:00 PM, New VA Module Alert Service wrote:
== Metasploit modules (5) ==
r15649 http://metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/unix/local/setuid_nmap.rb setuid nmap "exploit"
Setuid Nmap has been a major no-no for years, but this week, Metasploit added a framework for local exploits (mostly geared around privilege escalation, natch), and one of the 3 flagship exploits is an exploit for setuid installs of Nmap, via os.execute() in a NSE script.
There are a few approaches we could take on this issue (I won't say "in response," since the issue has been around long before this addition to Metasploit, and our projects are mutually beneficial, not competitors):
1. Do nothing.

2. Add a runtime check for EUID != UID and either complain or die. Here's a patch for a warning without terminating execution:
diff --git a/main.cc b/main.cc index 08a1b02..aba32f8 100644 --- a/main.cc +++ b/main.cc @@ -148,6 +148,14 @@ int main(int argc, char *argv[]) { set_program_name(argv[0]); +#ifndef WIN32 + int euid; + euid = geteuid(); + if (euid == 0 && euid != getuid()) {+ error("WARNING! Nmap should never be installed suid-root! This exposes your system to privilege escalation.");+ } +#endif + #ifdef __amigaos__ if(!OpenLibs()) { error("Couldn't open TCP/IP Stack Library(s)!");
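Review bot: the new check only fires for setuid-root (`euid == 0 && euid != getuid()`), so a binary installed setuid to some other user, or setgid (`getegid() != getgid()`), passes silently even though an NSE script's os.execute() would still run with the borrowed ids; consider comparing both the uid and gid pairs and warning on any mismatch. Minor: `geteuid()` returns `uid_t`, so `int euid` should be `uid_t euid`, and since `error()` does not terminate, the message could state that the scan is continuing anyway.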
3. Remove support for os.execute() from NSE. This likely won't solve all issues, and may lead to a false sense of security.
The floor is open for discussion!

Dan

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
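An added example, not Nmap's code and not Dan's patch, showing the fuller form of the option-2 check: classify the real/effective uid and gid pairs (catching setuid-root, setuid-to-another-user and setgid installs), and drop any elevated ids permanently while verifying the drop cannot be undone. The names `classify_privileges`, `current_privileges` and `drop_privileges` are assumed here.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example (not Nmap code): how a process obtained its privileges,
 * derived from the real/effective uid and gid pairs. */
enum priv_state {
    PRIV_NORMAL,        /* euid == uid and egid == gid */
    PRIV_SETUID_ROOT,   /* euid is 0 but the real uid is not */
    PRIV_SETUID_OTHER,  /* euid differs from uid and is not 0 */
    PRIV_SETGID_ONLY    /* only the group id is elevated */
};

enum priv_state classify_privileges(uid_t uid, uid_t euid,
                                    gid_t gid, gid_t egid)
{
    if (euid != uid)
        return euid == 0 ? PRIV_SETUID_ROOT : PRIV_SETUID_OTHER;
    if (egid != gid)
        return PRIV_SETGID_ONLY;
    return PRIV_NORMAL;   /* includes plain root: uid == euid == 0 */
}

/* Inspect the running process with portable POSIX calls. */
enum priv_state current_privileges(void)
{
    return classify_privileges(getuid(), geteuid(), getgid(), getegid());
}

/* Permanently drop elevated ids back to the real ones. The gid must go
 * first: once the uid is unprivileged, setgid() would fail.
 * Returns 0 on success, -1 if the drop failed or could be reversed. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    /* A real non-root user must now be unable to regain euid 0. */
    if (getuid() != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (current_privileges() != PRIV_NORMAL) {
        fprintf(stderr, "WARNING: running with elevated ids; dropping them\n");
        return drop_privileges() == 0 ? 0 : 1;
    }
    return 0;
}
```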
Current thread:
- New VA Modules: OpenVAS: 1, MSF: 5, Nessus: 13 New VA Module Alert Service (Jul 18)
- Re: New VA Modules: OpenVAS: 1, MSF: 5, Nessus: 13 Daniel Miller (Jul 18)
- Re: New VA Modules: OpenVAS: 1, MSF: 5, Nessus: 13 Aleksandar Nikolic (Jul 18)
- Re: New VA Modules: OpenVAS: 1, MSF: 5, Nessus: 13 Daniel Miller (Jul 18)