PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity

Avoid TOCTOU by checking discovery state in mssql.Discover

Browse Source 
A script might check WasDiscoveryPerformed and get a negative response,
then call Discover, during which time another script already called
Discover. Instead, check the condition *after* acquiring the mutex.
This commit is contained in:
dmiller
2021-12-15 23:44:41 +00:00
parent 0b7dc80349
commit 02c0354744
3 changed files with 12 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
nselib/mssql.lua
View File

@@ -2731,12 +2731,16 @@ Helper =
-- --
-- @param host Host table as received by the script action function -- @param host Host table as received by the script action function
Discover = function( host ) Discover = function( host )
nmap.registry.mssql = nmap.registry.mssql or {}
nmap.registry.mssql.discovery_performed = nmap.registry.mssql.discovery_performed or {}
nmap.registry.mssql.discovery_performed[ host.ip ] = false
local mutex = nmap.mutex( "discovery_performed for " .. host.ip ) local mutex = nmap.mutex( "discovery_performed for " .. host.ip )
mutex( "lock" ) mutex( "lock" )
nmap.registry.mssql = nmap.registry.mssql or {}
nmap.registry.mssql.discovery_performed = nmap.registry.mssql.discovery_performed or {}
if nmap.registry.mssql.discovery_performed[ host.ip ] then
mutex "done"
return
end
nmap.registry.mssql.discovery_performed[ host.ip ] = false
local sqlDefaultPort = nmap.get_port_state( host, {number = 1433, protocol = "tcp"} ) or {number = 1433, protocol = "tcp"} local sqlDefaultPort = nmap.get_port_state( host, {number = 1433, protocol = "tcp"} ) or {number = 1433, protocol = "tcp"}
local sqlBrowserPort = nmap.get_port_state( host, {number = 1434, protocol = "udp"} ) or {number = 1434, protocol = "udp"} local sqlBrowserPort = nmap.get_port_state( host, {number = 1434, protocol = "udp"} ) or {number = 1434, protocol = "udp"}
@@ -3150,10 +3154,8 @@ Helper =
return false, "No instance(s) specified." return false, "No instance(s) specified."
end end
if ( not Helper.WasDiscoveryPerformed( host ) ) then -- Perform discovery. This won't do anything if it's already been done.
stdnse.debug2("%s: Discovery has not been performed prior to GetTargetInstances() call. Performing discovery now.", "MSSQL" )
Helper.Discover( host ) Helper.Discover( host )
end
local instanceList = Helper.GetDiscoveredInstances( host ) local instanceList = Helper.GetDiscoveredInstances( host )
if ( not instanceList ) then if ( not instanceList ) then

2
scripts/ms-sql-dac.nse
View File

@@ -76,9 +76,7 @@ action = function( host )
local status, instanceList = mssql.Helper.GetTargetInstances( host ) local status, instanceList = mssql.Helper.GetTargetInstances( host )
-- if no instances were targeted, then display info on all -- if no instances were targeted, then display info on all
if ( not status ) then if ( not status ) then
if ( not mssql.Helper.WasDiscoveryPerformed( host ) ) then
mssql.Helper.Discover( host ) mssql.Helper.Discover( host )
end
instanceList = mssql.Helper.GetDiscoveredInstances( host ) instanceList = mssql.Helper.GetDiscoveredInstances( host )
end end

2
scripts/ms-sql-info.nse
View File

@@ -254,9 +254,7 @@ action = function( host )
local status, instanceList = mssql.Helper.GetTargetInstances( host ) local status, instanceList = mssql.Helper.GetTargetInstances( host )
-- if no instances were targeted, then display info on all -- if no instances were targeted, then display info on all
if ( not status ) then if ( not status ) then
if ( not mssql.Helper.WasDiscoveryPerformed( host ) ) then
mssql.Helper.Discover( host ) mssql.Helper.Discover( host )
end
instanceList = mssql.Helper.GetDiscoveredInstances( host ) instanceList = mssql.Helper.GetDiscoveredInstances( host )
end end