From 9370f5bd5dc2c879bb4b49e0ed3df3f84b6e7e23 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Wed, 21 Sep 2016 03:55:12 +0000
Subject: [PATCH] Strip carriage returns (\r) from output to prevent spoofing
---
 CHANGELOG | 4 ++++
 output.cc | 3 ++-
 service_scan.cc | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 7498dd8a0..cceb81201 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o Improved some output filtering to remove or escape carriage returns ('\r')
+ that could allow output spoofing by overwriting portions of the screen. Issue
+ reported by Adam Rutherford. [Daniel Miller]
+
 o [NSE] Fixed a few bad Lua patterns that could result in denial of service due to excessive backtracking. [Adam Rutherford, Daniel Miller]
diff --git a/output.cc b/output.cc
index 393d11d69..7fc4f5ff3 100644
--- a/output.cc
+++ b/output.cc
@@ -462,7 +462,8 @@ static std::string escape_for_screen(const std::string s) {
 for (unsigned int i = 0; i < s.size(); i++) {
 char buf[5];
 unsigned char c = s[i];
- if (c == '\t' || c == '\r' || c == '\n' || (0x20 <= c && c <= 0x7e)) {
+ // Printable and some whitespace ok. "\r" not ok because it overwrites the line.
+ if (c == '\t' || c == '\n' || (0x20 <= c && c <= 0x7e)) {
 r += c;
 } else {
 Snprintf(buf, sizeof(buf), "\\x%02X", c);
diff --git a/service_scan.cc b/service_scan.cc
index e61d65383..f132d3f22 100644
--- a/service_scan.cc
+++ b/service_scan.cc
@@ -691,7 +691,7 @@ static char *transform_cpe(const char *s) {
 Snprintf(buf, sizeof(buf), "%%%02X", *p);
 repl = buf;
 /* Replacing spaces with underscores is also a convention. */
- } else if (*p == ' ') {
+ } else if (isspace(*p)) {
 repl = "_";
 /* Otherwise just make lower-case. */
 } else {
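Review bot: The new condition in escape_for_screen still passes '\t' and '\n' through unescaped, so a remote-supplied string can still insert line breaks and column shifts into screen output even though cursor-to-start-of-line via '\r' is now escaped; the function's header should state that contract so callers know what they are and are not protected against, e.g. `// Escapes every byte outside 0x20-0x7E as \xNN, keeping only '\t' and '\n' as literal whitespace; '\r' is escaped because it returns the cursor to the start of the line.` The protection is also only as complete as the set of output paths that actually go through this helper, which this hunk cannot show. Minor style: the signature takes `const std::string s` by value, `const std::string &s` avoids a copy per call, and the new comment could write `'\r'` rather than `"\r"` since the comparison is on a single char. escape_for_screen continues past the end of the hunk.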
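Review bot: `isspace(*p)` on the new line passes a plain `char`; for bytes with the high bit set `char` is negative on the usual targets, and the <ctype.h> classification functions have undefined behavior for any argument other than EOF or a value representable as `unsigned char`. Cast first: `} else if (isspace((unsigned char)*p)) {`. The preceding branch (the one that percent-encodes with `Snprintf(buf, sizeof(buf), "%%%02X", *p)`) may already consume non-ASCII bytes before this check is reached, but its condition is outside the hunk, so the cast is what makes this branch safe on its own. The change also widens the replacement from ' ' to all of `\t\n\v\f\r`, which is what the commit intends, so the comment above it should follow: `/* Replacing whitespace with underscores is also a convention. */`. transform_cpe's body starts before and continues after the hunk.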