From 1a7a96274a41eb46e23a67e41924db577e7a2e61 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Thu, 20 Jul 2023 17:24:16 +0000
Subject: [PATCH] Avoid format-string bugs. Fixes #2634
---
 nselib/bittorrent.lua | 2 +-
 nselib/cassandra.lua | 12 +++----
 nselib/dhcp.lua | 8 ++---
 nselib/http.lua | 2 +-
 nselib/ospf.lua | 2 +-
 nselib/proxy.lua | 6 ++--
 nselib/snmp.lua | 2 +-
 nselib/tn3270.lua | 66 ++++++++++++++++++-------------------
 scripts/http-form-brute.nse | 8 ++---
 9 files changed, 54 insertions(+), 54 deletions(-)
diff --git a/nselib/bittorrent.lua b/nselib/bittorrent.lua
index 8fc503332..4cba1e624 100644
--- a/nselib/bittorrent.lua
+++ b/nselib/bittorrent.lua
@@ -689,7 +689,7 @@ Torrent =
 stdnse.debug1("Could not get peers from tracker %s, reason: %s",tracker, err) end else -- unknown tracker
- stdnse.debug1("Unknown tracker protocol for: "..tracker)
+ stdnse.debug1("Unknown tracker protocol for: %s", tracker)
 end --if not status then return false, err end end
diff --git a/nselib/cassandra.lua b/nselib/cassandra.lua
index 3d559b9ad..4ac3390f8 100644
--- a/nselib/cassandra.lua
+++ b/nselib/cassandra.lua
@@ -106,7 +106,7 @@ function describe_cluster_name (socket,cnt)
 local status,resp = sendcmd(socket,cname,cnt) if (not(status)) then
- stdnse.debug1("sendcmd"..resp)
+ stdnse.debug1("sendcmd: %s", resp)
 return false, "error in communication" end
@@ -127,7 +127,7 @@ function describe_version (socket,cnt)
 local status,resp = sendcmd(socket,cname,cnt) if (not(status)) then
- stdnse.debug1("sendcmd"..resp)
+ stdnse.debug1("sendcmd: %s", resp)
 return false, "error in communication" end
@@ -151,20 +151,20 @@ function login (socket,username,password)
 local status, err = socket:send(string.pack(">I4", #loginstr)) if ( not(status) ) then
- stdnse.debug3("cannot send len "..combo)
+ stdnse.debug3("cannot send len %s", combo)
 return false, "Failed to connect to server" end status, err = socket:send(loginstr) if ( not(status) ) then
- stdnse.debug3("Sent packet for "..combo)
+ stdnse.debug3("Sent packet for %s", combo)
 return false, err end local response status, response = socket:receive_bytes(22) if ( not(status) ) then
- stdnse.debug3("Receive packet for "..combo)
+ stdnse.debug3("Receive packet for %s", combo)
 return false, err end local size = string.unpack(">I4", response)
@@ -175,7 +175,7 @@ function login (socket,username,password)
 end local magic = string.sub(response,18,22)
- stdnse.debug3("packet for "..combo)
+ stdnse.debug3("packet for %s", combo)
 stdnse.debug3("packet hex: %s", stdnse.tohex(response) ) stdnse.debug3("size packet hex: %s", stdnse.tohex(size) ) stdnse.debug3("magic packet hex: %s", stdnse.tohex(magic) )
diff --git a/nselib/dhcp.lua b/nselib/dhcp.lua
index e1b21d1c3..73b453a1a 100644
--- a/nselib/dhcp.lua
+++ b/nselib/dhcp.lua
@@ -611,7 +611,7 @@ function make_request(target, request_type, ip_address, mac_address, options, re
 -- Generate the packet local status, packet = dhcp_build(request_type, ipOps.ip_to_str(ip_address), mac_address, options, request_options, overrides, lease_time, transaction_id) if(not(status)) then
- stdnse.debug1("dhcp: Couldn't build packet: " .. packet)
+ stdnse.debug1("dhcp: Couldn't build packet: %s", packet)
 return false, "Couldn't build packet: " .. packet end
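Review bot: In the `@@ -151` hunk of nselib/cassandra.lua, the failure branch after `socket:receive_bytes(22)` still returns `err`, which was assigned by the preceding `socket:send(loginstr)` that succeeded, so the caller receives a stale or nil reason while the actual receive error sits in `response`. That line should read `return false, response`. The debug texts on the failure paths are also misleading (`"Sent packet for %s"` is emitted when the send failed); something like `stdnse.debug3("send failed for %s: %s", combo, err)` would say what happened. `combo` is defined outside the hunk; if it includes the password, these level-3 messages put credentials in debug output, which is worth confirming. `login` starts and ends outside the hunk.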
@@ -622,7 +622,7 @@ function make_request(target, request_type, ip_address, mac_address, options, re
 -- Send the packet and get the response local status, response = dhcp_send(socket, target, packet) if(not(status)) then
- stdnse.debug1("dhcp: Couldn't send packet: " .. response)
+ stdnse.debug1("dhcp: Couldn't send packet: %s", response)
 return false, "Couldn't send packet: " .. response end
@@ -630,14 +630,14 @@ function make_request(target, request_type, ip_address, mac_address, options, re
 socket:close() if ( not(status) ) then
- stdnse.debug1("dhcp: Couldn't receive packet: " .. response)
+ stdnse.debug1("dhcp: Couldn't receive packet: %s", response)
 return false, "Couldn't receive packet: " .. response end -- Parse the response local status, parsed = dhcp_parse(response, transaction_id) if(not(status)) then
- stdnse.debug1("dhcp: Couldn't parse response: " .. parsed)
+ stdnse.debug1("dhcp: Couldn't parse response: %s", parsed)
 return false, "Couldn't parse response: " .. parsed end
diff --git a/nselib/http.lua b/nselib/http.lua
index 8be3e8d08..a6a3ef371 100644
--- a/nselib/http.lua
+++ b/nselib/http.lua
@@ -1993,7 +1993,7 @@ function pipeline_go(host, port, all_requests)
 stdnse.debug1("Warning: empty set of requests passed to http.pipeline_go()") return responses end
- stdnse.debug1("HTTP pipeline: Total number of requests: " .. #all_requests)
+ stdnse.debug1("HTTP pipeline: Total number of requests: %d", #all_requests)
 -- We'll try a first request with keep-alive, just to check if the server -- supports it and how many requests we can send into one socket
diff --git a/nselib/ospf.lua b/nselib/ospf.lua
index ceafb1a7a..302079caa 100644
--- a/nselib/ospf.lua
+++ b/nselib/ospf.lua
@@ -69,7 +69,7 @@ OSPF = {
 header.auth_data.hash = hash else -- Shouldn't happen
- stdnse.debug1("Unknown authentication type " .. header.auth_type)
+ stdnse.debug1("Unknown authentication type %s", header.auth_type)
 return nil end header.router_id = ipOps.fromdword(header.router_id)
diff --git a/nselib/proxy.lua b/nselib/proxy.lua
index 8a0fba8f1..87a15ee31 100644
--- a/nselib/proxy.lua
+++ b/nselib/proxy.lua
@@ -102,7 +102,7 @@ function test_get(host, port, proxyType, test_url, hostname, pattern)
 return false, socket end local req = "GET " .. test_url .. " HTTP/1.0\r\nHost: " .. hostname .. "\r\n\r\n"
- stdnse.debug1("GET Request: " .. req)
+ stdnse.debug1("GET Request: %s", req)
 return test(socket, req, pattern) end
@@ -120,7 +120,7 @@ function test_head(host, port, proxyType, test_url, hostname, pattern)
 return false, socket end local req = "HEAD " .. test_url .. " HTTP/1.0\r\nHost: " .. hostname .. "\r\n\r\n"
- stdnse.debug1("HEAD Request: " .. req)
+ stdnse.debug1("HEAD Request: %s", req)
 return test(socket, req, pattern) end
@@ -136,7 +136,7 @@ function test_connect(host, port, proxyType, hostname)
 return false, socket end local req = "CONNECT " .. hostname .. ":80 HTTP/1.0\r\n\r\n"
- stdnse.debug1("CONNECT Request: " .. req)
+ stdnse.debug1("CONNECT Request: %s", req)
 return test(socket, req, false) end
diff --git a/nselib/snmp.lua b/nselib/snmp.lua
index e7802a174..b732160a5 100644
--- a/nselib/snmp.lua
+++ b/nselib/snmp.lua
@@ -155,7 +155,7 @@ local function getVersion (version, default)
 if num_to_version[version] then return version end
- stdnse.debug1("Unrecognized SNMP version; proceeding with SNMP" .. num_to_version[default])
+ stdnse.debug1("Unrecognized SNMP version; proceeding with SNMP%s", num_to_version[default])
 end return default end
diff --git a/nselib/tn3270.lua b/nselib/tn3270.lua
index 797921d81..d49f4da30 100644
--- a/nselib/tn3270.lua
+++ b/nselib/tn3270.lua
@@ -342,7 +342,7 @@ Telnet = {
 -- @param integer buffer address -- @return TN3270 encoded buffer address (12 bit) as string ENCODE_BADDR = function ( self, address )
- stdnse.debug(3, "Encoding Address: " .. address)
+ stdnse.debug(3, "Encoding Address: %s", address)
 return string.pack("BB", -- (address >> 8) & 0x3F -- we need the +1 because LUA tables start at 1 (yay!)
@@ -461,7 +461,7 @@ Telnet = {
 local WONT_reply = self.commands.IAC .. self.commands.WONT --nsedebug.print_hex(data)
- --stdnse.debug(3,"current state:" .. self.telnet_state)
+ --stdnse.debug(3,"current state:%s", self.telnet_state)
 if self.telnet_state == TNS_DATA then if data == self.commands.IAC then
@@ -549,7 +549,7 @@ Telnet = {
 end else self:send_data(WONT_reply..data)
- stdnse.debug(3, "[TELNET] Got unsupported Do. Sent Won't Reply: " .. data .. " " .. self.telnet_data)
+ stdnse.debug(3, "[TELNET] Got unsupported Do. Sent Won't Reply: %s %s", data, self.telnet_data)
 end self.telnet_state = TNS_DATA elseif self.telnet_state == TNS_DONT then
@@ -715,9 +715,9 @@ Telnet = {
 self.fa_buffer[i] = "\0" self.overwrite_buf[i] = "\0" end
- stdnse.debug(3, "[in3270] Empty Buffer Created. Length: " .. #self.buffer)
+ stdnse.debug(3, "[in3270] Empty Buffer Created. Length: %d", #self.buffer)
 end
- stdnse.debug(3,"[in3270] Current State: "..self.word_state[self.state])
+ stdnse.debug(3,"[in3270] Current State: %s", self.word_state[self.state])
 end, --- Also known as process_eor
@@ -832,7 +832,7 @@ Telnet = {
 stdnse.debug(3,"TN3270 Command: No OP (NOP)") return self.NO_OUTPUT else
- stdnse.debug(3,"Unknown 3270 Data Stream command: 0x"..stdnse.tohex(com))
+ stdnse.debug(3,"Unknown 3270 Data Stream command: 0x%s", stdnse.tohex(com))
 return self.BAD_COMMAND end
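Review bot: In the `@@ -549` hunk of nselib/tn3270.lua, the two `%s` arguments `data` and `self.telnet_data` appear to be bytes taken from the remote Telnet stream and are written to the debug log unencoded. Unless the logging layer escapes them, a server can place control or terminal escape characters in the operator's output. Other messages in this file hex-encode received bytes, so this one could do the same: `stdnse.debug(3, "[TELNET] Got unsupported Do. Sent Won't Reply: %s %s", stdnse.tohex(data), stdnse.tohex(self.telnet_data))`. The enclosing function starts and ends outside the hunk.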
@@ -864,8 +864,8 @@ Telnet = {
 i = 3 -- skip the SF and the WCC. while i <= #data do cp = data:sub(i,i)
- stdnse.debug(4,"Current Position: ".. i .. " of " .. #data)
- stdnse.debug(4,"Current Item: ".. stdnse.tohex(cp))
+ stdnse.debug(4,"Current Position: %d of %d", i, #data)
+ stdnse.debug(4,"Current Item: %s", stdnse.tohex(cp))
 -- yay! lua has no switch statement if cp == self.orders.SF then stdnse.debug(4,"Start Field")
@@ -873,8 +873,8 @@ Telnet = {
 last_cmd = true i = i + 1 -- skip SF
- stdnse.debug(4,"Writting Zero to buffer at address: " .. self.buffer_address)
- stdnse.debug(4,"Attribute Type: 0x".. stdnse.tohex(data:sub(i,i)))
+ stdnse.debug(4,"Writing Zero to buffer at address: %s", self.buffer_address)
+ stdnse.debug(4,"Attribute Type: 0x%s", stdnse.tohex(data:sub(i,i)))
 self:write_field_attribute(data:sub(i,i)) self:write_char("\00") self.buffer_address = self:INC_BUF_ADDR(self.buffer_address)
@@ -885,12 +885,12 @@ Telnet = {
 stdnse.debug(4,"Start Field Extended") i = i + 1 -- skip SFE num_attr = data:byte(i)
- stdnse.debug(4,"Number of Attributes: ".. num_attr)
+ stdnse.debug(4,"Number of Attributes: %d", num_attr)
 for j = 1,num_attr do i = i + 1 if data:byte(i) == 0xc0 then
- stdnse.debug(4,"Writting Zero to buffer at address: " .. self.buffer_address)
- stdnse.debug(4,"Attribute Type: 0x".. stdnse.tohex(data:sub(i,i)))
+ stdnse.debug(4,"Writing Zero to buffer at address: %s", self.buffer_address)
+ stdnse.debug(4,"Attribute Type: 0x%s", stdnse.tohex(data:sub(i,i)))
 self:write_char("\00") self:write_field_attribute(data:sub(i,i)) end
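Review bot: In the `@@ -885` hunk, `num_attr = data:byte(i)` is nil when the SFE order is the last byte of `data`, so the new `%d` conversion raises an error, as does `for j = 1,num_attr` on the following line. The old concatenation failed the same way, so this is not a regression, but `data` is parsed from the peer and a truncated order should not abort the script. A guard before the log line would handle it, for example `if not num_attr then stdnse.debug(4,"Truncated SFE order") break end`. The `data:byte(i+1), data:byte(i+2)` reads passed to `DECODE_BADDR` in the `@@ -902`, `@@ -925` and `@@ -942` hunks have the same missing bounds check. The parsing loop starts and ends outside the hunk.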
@@ -902,20 +902,20 @@ Telnet = {
 elseif cp == self.orders.SBA then stdnse.debug(4,"Set Buffer Address (SBA) 0x11") self.buffer_address = self.DECODE_BADDR(data:byte(i+1), data:byte(i+2))
- stdnse.debug(4,"Buffer Address: " .. self.buffer_address)
- stdnse.debug(4,"Row: " .. self:BA_TO_ROW(self.buffer_address))
- stdnse.debug(4,"Col: " .. self:BA_TO_COL(self.buffer_address))
+ stdnse.debug(4,"Buffer Address: %s", self.buffer_address)
+ stdnse.debug(4,"Row: %s", self:BA_TO_ROW(self.buffer_address))
+ stdnse.debug(4,"Col: %s", self:BA_TO_COL(self.buffer_address))
 last_cmd = true prev = 'SBA' -- the current position is SBA, the next two bytes are the lengths i = i + 3
- stdnse.debug(4,"Next Command: ".. stdnse.tohex(data:sub(i,i)))
+ stdnse.debug(4,"Next Command: %s", stdnse.tohex(data:sub(i,i)))
 elseif cp == self.orders.IC then -- Insert Cursor stdnse.debug(4,"Insert Cursor (IC) 0x13")
- stdnse.debug(4,"Current Cursor Address: " .. self.cursor_addr)
- stdnse.debug(4,"Buffer Address: " .. self.buffer_address)
- stdnse.debug(4,"Row: " .. self:BA_TO_ROW(self.buffer_address))
- stdnse.debug(4,"Col: " .. self:BA_TO_COL(self.buffer_address))
+ stdnse.debug(4,"Current Cursor Address: %s", self.cursor_addr)
+ stdnse.debug(4,"Buffer Address: %s", self.buffer_address)
+ stdnse.debug(4,"Row: %s", self:BA_TO_ROW(self.buffer_address))
+ stdnse.debug(4,"Col: %s", self:BA_TO_COL(self.buffer_address))
 prev = 'ORDER' self.cursor_addr = self.buffer_address last_cmd = true
@@ -925,15 +925,15 @@ Telnet = {
 -- There's all kinds of weird GE stuff we could do, but not now. Maybe in future vers stdnse.debug(4,"Repeat to Address (RA) 0x3C") local ra_baddr = self.DECODE_BADDR(data:byte(i+1), data:byte(i+2))
- stdnse.debug(4,"Repeat Character: " .. stdnse.tohex(data:sub(i+1,i+2)))
+ stdnse.debug(4,"Repeat Character: %s", stdnse.tohex(data:sub(i+1,i+2)))
- stdnse.debug(4,"Repeat to this Address: " .. ra_baddr)
- stdnse.debug(4,"Currrent Address: " .. self.buffer_address)
+ stdnse.debug(4,"Repeat to this Address: %s", ra_baddr)
+ stdnse.debug(4,"Current Address: %s", self.buffer_address)
 prev = 'ORDER' --char_code = data:sub(i+3,i+3) i = i + 3 local char_to_repeat = data:sub(i,i)
- stdnse.debug(4,"Repeat Character: " .. stdnse.tohex(char_to_repeat))
+ stdnse.debug(4,"Repeat Character: %s", stdnse.tohex(char_to_repeat))
 while (self.buffer_address ~= ra_baddr) do self:write_char(char_to_repeat) self.buffer_address = self:INC_BUF_ADDR(self.buffer_address)
@@ -942,13 +942,13 @@ Telnet = {
 stdnse.debug(4,"Erase Unprotected All (EAU) 0x12") local eua_baddr = self.DECODE_BADDR(data:byte(i+1), data:byte(i+2)) i = i + 3
- stdnse.debug(4,"EAU to this Address: " .. eua_baddr)
- stdnse.debug(4,"Currrent Address: " .. self.buffer_address)
+ stdnse.debug(4,"EAU to this Address: %s", eua_baddr)
+ stdnse.debug(4,"Current Address: %s", self.buffer_address)
 while (self.buffer_address ~= eua_baddr) do -- do nothing for now. this feature isn't supported/required at the moment self.buffer_address = self:INC_BUF_ADDR(self.buffer_address)
- --stdnse.debug(3,"Currrent Address: " .. self.buffer_address)
- --stdnse.debug(3,"EAU to this Address: " .. eua_baddr)
+ --stdnse.debug(3,"Current Address: %s", self.buffer_address)
+ --stdnse.debug(3,"EAU to this Address: %s", eua_baddr)
 end elseif cp == self.orders.GE then stdnse.debug(4,"Graphical Escape (GE) 0x08")
@@ -994,9 +994,9 @@ Telnet = {
 else -- whoa we made it. local ascii_char = drda.StringUtil.toASCII(cp) stdnse.debug(4,"Inserting 0x"..stdnse.tohex(cp).." (".. ascii_char ..") at the following location:")
- stdnse.debug(4,"Row: " .. self:BA_TO_ROW(self.buffer_address))
- stdnse.debug(4,"Col: " .. self:BA_TO_COL(self.buffer_address))
- stdnse.debug(4,"Buffer Address: " .. self.buffer_address)
+ stdnse.debug(4,"Row: %s", self:BA_TO_ROW(self.buffer_address))
+ stdnse.debug(4,"Col: %s", self:BA_TO_COL(self.buffer_address))
+ stdnse.debug(4,"Buffer Address: %s", self.buffer_address)
 self:write_char(data:sub(i,i)) self.buffer_address = self:INC_BUF_ADDR(self.buffer_address) self.first_screen = true
@@ -1025,7 +1025,7 @@ Telnet = {
 stdnse.debug(3,"Generating Read Buffer") self.output_buffer[output_addr] = string.pack("B",self.aid) output_addr = output_addr + 1
- stdnse.debug(3,"Output Address: ".. output_addr)
+ stdnse.debug(3,"Output Address: %s", output_addr)
 self.output_buffer[output_addr] = self:ENCODE_BADDR(self.cursor_addr) return self:send_tn3270(self.output_buffer)
diff --git a/scripts/http-form-brute.nse b/scripts/http-form-brute.nse
index 43645a1e3..96822814d 100644
--- a/scripts/http-form-brute.nse
+++ b/scripts/http-form-brute.nse
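Review bot: The unchanged context line directly above the edits in the `@@ -994` hunk, `stdnse.debug(4,"Inserting 0x"..stdnse.tohex(cp).." (".. ascii_char ..") at the following location:")`, still builds the format string by concatenation. `ascii_char` is converted from `cp`, a byte of the received data stream, so a `%` character from the peer would end up inside the format string. That is the same class of bug the rest of this commit removes. Pass the values as arguments instead: `stdnse.debug(4,"Inserting 0x%s (%s) at the following location:", stdnse.tohex(cp), ascii_char)`. The enclosing branch starts and ends outside the hunk.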
@@ -514,21 +514,21 @@ action = function (host, port)
 if not path_ok(path, hostname, port) then return stdnse.format_output(false, string.format("Unusable form action %q", path)) end
- stdnse.debug(form_debug, "Form submission path: " .. path)
+ stdnse.debug(form_debug, "Form submission path: %s", path)
 -- HTTP method POST is the default method = string.upper(method or "POST") if not (method == "GET" or method == "POST") then return stdnse.format_output(false, string.format("Invalid HTTP method %q", method)) end
- stdnse.debug(form_debug, "HTTP method: " .. method)
+ stdnse.debug(form_debug, "HTTP method: %s", method)
 -- passvar must be specified or detected, uservar is optional if not passvar then return stdnse.format_output(false, "No passvar was specified or detected (see http-form-brute.passvar)") end
- stdnse.debug(form_debug, "Username field: " .. (uservar or "(not set)"))
- stdnse.debug(form_debug, "Password field: " .. passvar)
+ stdnse.debug(form_debug, "Username field: %s", uservar or "(not set)")
+ stdnse.debug(form_debug, "Password field: %s", passvar)
 if onsuccess and onfailure then return stdnse.format_output(false, "Either the onsuccess or onfailure argument should be passed, not both.")