Fix some bad patterns with excessive backtracking

2025-12-06 04:31:29 +00:00 · 2016-09-21 03:55:11 +00:00
parent da594ae5b8
commit d1fb502144
5 changed files with 10 additions and 7 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Fixed a few bad Lua patterns that could result in denial of service due
+  to excessive backtracking. [Adam Rutherford, Daniel Miller]
+
 o Fixed a bug in port specification parsing that could cause extraneous
  'T', 'U', 'S', and 'P' characters to be ignored when they should have
  caused an error. [David Fifield]
--- a/nselib/wsdd.lua
+++ b/nselib/wsdd.lua
@@ -135,15 +135,15 @@ Decoders = {
    local response = {}

    -- extracts the messagid, so we can check if we already got a response
-    response.msgid = data:match("<.*:MessageID>urn:uuid:(.*)</.*:MessageID>")
+    response.msgid = data:match("<[^:]*:MessageID>urn:uuid:([^<]*)</[^:]*:MessageID>")

    -- if unable to parse msgid return nil
    if ( not(response.msgid) ) then
      return false, "No message id was found"
    end

-    response.xaddrs = data:match("<.*:*XAddrs>(.*)</.*:*XAddrs>")
-    response.types = data:match("<.*:Types>[wsdp:]*(.*)</.*:Types>")
+    response.xaddrs = data:match("<[^:]*:*XAddrs>(.*)</[^:]*:*XAddrs>")
+    response.types = data:match("<[^:]*:Types>[wsdp:]*(.*)</[^:]*:Types>")

    return true, response
  end,
--- a/scripts/auth-owners.nse
+++ b/scripts/auth-owners.nse
@@ -54,7 +54,7 @@ action = function(host, port)

  local try = nmap.new_try(catch)

-  try(client_ident:connect(host, 113))
+  try(client_ident:connect(host, 1113))
  try(client_service:connect(host, port))

  local localip, localport, remoteip, remoteport =
@@ -70,7 +70,7 @@ action = function(host, port)
    owner = nil
  else
    owner = string.match(owner,
-      "%d+%s*,%s*%d+%s*:%s*USERID%s*:%s*.+%s*:%s*(.+)\r?\n")
+      "%d+%s*,%s*%d+%s*:%s*USERID%s*:%s*[^:]+%s*:[ \t]*([^\r\n]+)\r?\n")
  end

  try(client_ident:close())
--- a/scripts/ip-https-discover.nse
+++ b/scripts/ip-https-discover.nse
@@ -70,7 +70,7 @@ action = function(host, port)
  end
  socket:close()

-  if string.match(response, 'HTTP/1.1 200%s+.+HTTPAPI/2.0') then
+  if string.match(response, 'HTTP/1.1 200%s.+HTTPAPI/2.0') then
    return true, 'IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.'
  end
 end
--- a/scripts/smtp-vuln-cve2010-4344.nse
+++ b/scripts/smtp-vuln-cve2010-4344.nse
@@ -370,7 +370,7 @@ local function check_exim(smtp_opts)
  for _, line in pairs(stdnse.strsplit("\r?\n", response)) do
    if not smtp_opts.ehlo_host or not smtp_opts.domain_ip then
      smtp_opts.ehlo_host, smtp_opts.domain_ip =
-      line:match("%d+.*Hello%s(.*)%s%[(.*)%]")
+      line:match("%d.-Hello%s(.*)%s%[([^]]*)%]")
    end
    if not smtp_server.size then
      smtp_server.size = line:match("%d+%-SIZE%s(%d+)")