
Rectify heap corruption due to an uninitialized pointer in the libssh2 wrapper

Close #2925, close #2917
This commit is contained in:
nnposter
2024-09-07 17:43:12 +00:00
parent 36ba840489
commit 66bbf3dc96
2 changed files with 16 additions and 6 deletions


@@ -16,6 +16,12 @@ o [GH#1451] Nmap now performs forward DNS lookups in parallel, using the same
o [NSE][GH#2571, GH#2572, GH#2622, GH#2784] Various bug fixes in the mssql NSE
library [johnjaylward, nnposter]
o [NSE][GH#2925, GH#2917, GH#2924] Testing for acceptance of SSH keys for
a given username caused heap corruption [Julijan Nedic, nnposter]
o [NSE][GH#2919, GH2917] Scripts were not able to load SSH public keys
from a file [nnposter]
o [NSE][GH#2901, GH#2744, GH#2745] Arbitrary separator in stdnse.tohex() is now
supported. Script smb-protocols now reports SMB dialects correctly.
[nnposter]


@@ -579,12 +579,12 @@ static int l_read_publickey (lua_State *L) {
static int publickey_canauth_cb (LIBSSH2_SESSION *session, unsigned char **sig,
size_t *sig_len, const unsigned char *data, size_t data_len, void **abstract) {
return 0;
// Must return an error, any error, other than LIBSSH2_ERROR_EAGAIN
return LIBSSH2_ERROR_PUBLICKEY_PROTOCOL;
}
static int publickey_canauth (lua_State *L, int status, lua_KContext ctx) {
int rc;
int errlen;
char *errmsg;
const char *username;
unsigned const char *publickey_data;
@@ -608,14 +608,18 @@ static int publickey_canauth (lua_State *L, int status, lua_KContext ctx) {
lua_callk(L, 1, 0, 0, publickey_canauth);
}
libssh2_session_last_error(state->session, &errmsg, &errlen, 0);
libssh2_session_last_error(state->session, &errmsg, NULL, 0);
if (rc == LIBSSH2_ERROR_ALLOC || rc == LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED)
lua_pushboolean(L, 1); //Username/PublicKey combination invalid
if (rc == LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED && !strncmp("Callback", errmsg, 8))
// The username/publickey combination has been accepted because
// the authentication flow progressed all the way to our dummy
// callback where the private key is needed
lua_pushboolean(L, 1);
else if (rc == LIBSSH2_ERROR_AUTHENTICATION_FAILED)
// The server rejected the username/publickey combination
lua_pushboolean(L, 0);
else
return luaL_error(L, "Invalid Publickey");
return luaL_error(L, "Invalid public key: %s", errmsg);
return 1;
}
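Review bot: The acceptance test `if (rc == LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED && !strncmp("Callback", errmsg, 8))` keys off the wording of a libssh2 error message rather than an error code, and that wording is not part of libssh2's API, so a rephrased message in a later libssh2 release would silently route every accepted key into the final `luaL_error(L, "Invalid public key: %s", errmsg)` branch instead of pushing true. That dependency deserves a comment at the comparison, e.g. `// libssh2 reports a failing sign callback only as LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED plus a message starting "Callback"; revisit if that text changes`. The prefix and its length should also come from one definition so they cannot drift apart, e.g. `static const char cb_msg[] = "Callback";` and `!strncmp(cb_msg, errmsg, sizeof cb_msg - 1)`. Passing NULL for errmsg_len and 0 for want_buf leaves errmsg pointing at the session-owned message, which libssh2 appears to set to "" rather than NULL when nothing is recorded, so the compare looks safe on that path, but that is inferred from libssh2 rather than visible here. publickey_canauth's signature and the assignment of rc are in the preceding hunk, outside this one.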