Nmap Development mailing list archives

Re: Possible Buffer Overflow nmap


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 21 Jul 2016 21:40:36 -0500

Pablo,

Thanks for the bug report! You have given some good detail, but it's still
not clear exactly what's happening. We did push a change today that may
have been related: When a socket operation in NSE encountered an OS-level
error that caused an immediate error, our accounting of live Nsock events
was thrown off. Some of those events stuck around until NSE was shut down
at the end of the scan, and when freeing them, the data structures they
were associated with had already been freed once, leading to double-frees and
invalid reads (segmentation fault).

The best thing I can ask is if you can test with the latest development
version from SVN or Github, which you would have to compile yourself. If
the problem goes away, then we have independently discovered the same bug!
If not, please follow the debug steps following:

Try to determine which scan phase is causing the error. The -A option adds
a lot of complexity. Instead, run each of these commands in order until one
crashes:

1. nmap -d -sL 192.168.1.1
2. nmap -d -sn 192.168.1.1
3. nmap -d -sS 192.168.1.1
4. nmap -d -sSV 192.168.1.1
5. nmap -d -sSVC 192.168.1.1
6. nmap -d -sS -O 192.168.1.1
7. nmap -d -sn --traceroute 192.168.1.1

These run the reverse-DNS, host discovery, port scan, service scan, NSE
scan, OS fingerprinting, and traceroute phases, respectively. Our
discovered crash would have happened in step 5, for example.

Provide the output of the first crashing case. If you can re-run it with
-d9 instead of -d, that would be even better.

Thanks for helping Nmap be the best scanner out there!

Dan

On Sun, Jul 17, 2016 at 12:03 AM, Pablo Sacristan del Junco <pabstersac () gmail com> wrote:

Go to the command prompt or terminal and do:
nmap 192.168.1.1 -A -Pn

then quickly turn off wi-fi and wait for a few seconds

it will show:

nmap(24924,0xa3d5f000) malloc: *** error for object 0x7bb61fb0: pointer
being freed was not allocated

*** set a breakpoint in malloc_error_break to debug

Abort trap: 6

syslog:
17/07/16 05:39:46,389 nmap[24505]: nmap(24505,0xa3d5f000) malloc: ***
error for object 0x7978d7a0: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug


That is on Mac and it is dangerous. In other OSes it gives a segfault, which
is very dangerous.

Doing the same but turning Wi-Fi off later can sometimes give a
segfault:

Segmentation fault: 11


This can have undefined behavior, but if controlled might lead to RCE or a
crash.


It can be local or external: if there is a server online that does nmap, you
can make your server open a lot of ports and then make it nmap -A -Pn -more
options "your server IP address", and then you can attempt to take it
offline, maybe by DDoS, or if you have access to the router, and many more
options.


This can lead to crash or undefined other behaviour.

Platform: x86_64-apple-darwin13.4.0

Newest version of nmap

Hope it helps ;)

Sincerely,

Pablo

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
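The accounting slip Dan describes above, as an added illustration in C that is not Nsock's or Nmap's code: a constructed event engine in which a socket operation that fails immediately at the OS level is torn down without being dropped from the live-event list, so the shutdown sweep releases it a second time. The engine, event table and `run_scan` driver are all assumptions made for this model; the double release is counted rather than allowed to corrupt the heap.

```c
#include <string.h>

/* Constructed model (not Nsock code): events live in a fixed table and a
   live-list mirrors what the engine believes is still in flight. */
#define MAX_EVENTS 8

typedef struct { int in_use; int released; } event_t;

typedef struct {
    event_t slots[MAX_EVENTS];
    event_t *live[MAX_EVENTS];   /* the engine's accounting of pending events */
    int nlive;
    int double_releases;         /* detected here instead of crashing */
} engine_t;

static event_t *ev_new(engine_t *e) {
    for (int i = 0; i < MAX_EVENTS; i++)
        if (!e->slots[i].in_use) {
            e->slots[i].in_use = 1;
            e->slots[i].released = 0;
            e->live[e->nlive++] = &e->slots[i];
            return &e->slots[i];
        }
    return NULL;
}

/* Proper release: tear the event down AND drop it from the live list.
   Releasing an already-released event is what a real free() would turn
   into "pointer being freed was not allocated" or a segfault. */
static void ev_release(engine_t *e, event_t *ev) {
    if (ev->released) e->double_releases++;
    ev->released = 1;
    for (int i = 0; i < e->nlive; i++)
        if (e->live[i] == ev) { e->live[i] = e->live[--e->nlive]; break; }
}

/* A socket op; os_error=1 means the OS rejected it at once (network gone).
   buggy=1 reproduces the slip: the error path tears the event down but
   never unlinks it, so it lingers in the live list until shutdown. */
static void socket_op(engine_t *e, int os_error, int buggy) {
    event_t *ev = ev_new(e);
    if (!ev) return;
    if (os_error && buggy) { ev->released = 1; return; }  /* forgot to unlink */
    ev_release(e, ev);   /* normal completion, or the corrected error path */
}

/* Shutdown sweeps whatever the live list still holds. Returns how many
   releases hit an event that had already been released. */
static int run_scan(int buggy) {
    engine_t e;
    memset(&e, 0, sizeof e);
    socket_op(&e, 0, buggy);   /* connect succeeds, completes normally */
    socket_op(&e, 1, buggy);   /* link dropped: immediate OS-level error */
    socket_op(&e, 0, buggy);
    while (e.nlive > 0) ev_release(&e, e.live[e.nlive - 1]);
    return e.double_releases;
}
```

`run_scan(1)` returns 1 (the lingering event is released twice at shutdown) and `run_scan(0)` returns 0, which is the whole difference the fix makes; under a real allocator the first case is the abort Pablo observed.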
