Cases where the format string does not contain any placeholders, but
values are given anyway. Cases where string.format is used without any
placeholders or arguments.
Reported: http://seclists.org/nmap-dev/2014/q3/378
Changes the default timeout for rpc.lua from 30s to 5 times Nmap's
calculated host timeout or 10s if no timeout info is available.
Using this regular expression, '\(\w*\)\s*=\s*\1\s*\.\.', found and
replaced many string concatenation-reassignments. These can cause
performance issues, since a new string gets allocated for each
reassignment. In many cases, the replacement is simply a single string,
wrapped across lines with the '\z' escape, which consumes a newline and
whitespace following it. In other cases, a table is used to hold the
substrings until the final string is built with a single table.concat
operation (same technique used in stdnse.strbuf).
Also, some string-building loops of this form:
s = ""
for i = 1, 100, 1 do
s = s .. "\0"
end
were replaced with this much faster and cleaner version:
s = string.rep("\0", 100)
Mostly found with:
for i in nselib/*.lua scripts/*.nse; do
echo $(perl -lne 'BEGIN{$a=$p=0}next unless $_;/^(\s*)/;' \
-e '$l=length$1;next if$l==$p;$a+=(abs($l-$p)-$a)/$.;' \
-e '$p=$l;END{print$a}' $i) $i
done | sort -nr
And indented with: https://gist.github.com/bonsaiviking/8845871
whois-ip.nse was particularly mangled (probably my fault due to using
vim's built-in indentation script, but it could be structured better)
Removed some non-ANSI-C strftime format strings ("%F") and
locale-dependent formats ("%c") from NSE scripts and libraries.
C99-specified %F was noticed by Alex Weber
(http://seclists.org/nmap-dev/2013/q2/300)
This connect should be side effect–free except for calling socket_lock,
which prevents the creation of an excessive number of sockets. Not using
the lock was causing "Too many open files" errors.
We should have a cleaner general solution for this, and not require
scripts to "connect" their unconnected UDP sockets. I seem to remember
that there was a good reason for not enforcing the lock on socket
creation, but only on connect, as we do.
http://seclists.org/nmap-dev/2012/q4/435
rpc.Comm.Connect was trying to bind to 424 reserved ports, which is
overkill. Since nsock doesn't do an actual bind(2) call until
socket:connect for TCP, that meant up to 424 connect calls, each of
which is currently leaking a socket. This commit contains 3 fixes:
1. Add nmap.new_socket calls for non-privileged code path that were
moved inside the privileged loop to originally address the leak.
2. Check for TIMEOUT on each of the TCP connect calls and abandon the
Connect, avoiding many timeouts.
3. Try 10 random reserved ports (from 1 to 1024) instead of 400+.
Should be good odds of finding one unused, even when lots of threads are
trying (though empirical results would be helpful). Also, this should
reduce load since thread n won't need to fail n-1 bind attempts.
It appears that connecting more than one with the same nse_nsock socket
leaks socket descriptor. For example,
local s = nmap.new_socket()
s:connect(host, port) --> TIMEOUT
s:connect(host, port) --> TIMEOUT
s:close()
leaks a socket descriptor, the one used in the first connect. Nsock
should really take care of this, but let's do this workaround because
rpc-grind has been causing problems due to using the above pattern:
http://seclists.org/nmap-dev/2012/q3/864http://seclists.org/nmap-dev/2012/q3/872http://seclists.org/nmap-dev/2012/q3/949
The difficulty is that the rpc library will tolerate around 400 of those
timeouts per RPC connection, which leads to rapidly running out of
descriptors.
NSE: rpc-grind Connect(): RPC library does not support: nil protocol
NSE: rpc-grind Connect(): RPC library does not support: rpcbind version
81578896
These errors caused by ChkProgram and ChkVersion called from
rpc.Comm.Connect. Added a dummy program in rpc-grind and a check for
self.checkprogver in ChkVersion, and everything works great.
Also fixed portrule to only fail if the non-rpcbind service name was not
the result of table lookup. Was failing on port 2049 (in nmap-services
as "nfs") without -sV.
http://seclists.org/nmap-dev/2012/q2/54
This patch is from Daniel Miller. He writes:
I've just finished enhancing the nfs-ls, nfs-statfs, and nfs-showmount
scripts so that they can run based on version detection information,
for cases where the portmapper is firewalled. For nfs-ls and
nfs-statfs, this required making a hostrule to check that both a
mountd service and a nfs service were detected. In the process, I
ended up adding the AUTH_UNIX flavor to rpc.lua, since the RFC states
that AUTH_NULL can only be used for the NULL procedure (and my Linux
nfs-kernel-server was enforcing that).
Other minor changes:
* If running privileged, attempt to bind to a reserved port. Many NFS
servers refuse to talk to source ports >1024, as a "security measure"
* handle an odd case in nfs-ls where READDIRPLUS does not return file
attributes. Chose to use all ?'s, but in the future maybe a direct
GETATTR call?
* remove reference to nfs.dirlist argument from nfs-ls doc, since it is unused
o Create the mutex in the RpcInfo() function before the connect call, to prevent some rare race conditions that can cause one of the running rpc and nfs scripts to fail. This mutex is used to cache the portmapper program list in the registry, to reduce the number of connections and RPC DUMP procedure calls.
o whitespace formatting.
socket:connect(host.ip, port.number)
socket:connect(host.ip, port.number, port.protocol)
to this:
socket:connect(host, port)
connect can take host and port tables now, and the default protocol is
taken from the port table if possible.
