If you ran the (fortunately non-default) http-domino-enum-passwords
script with the (fortunately also non-default)
domino-enum-passwords.idpath parameter against a malicious server,
it could cause an arbitrarily named file to to be written to the
client system. Thanks to Trustwave researcher Piotr Duszynski for
discovering and reporting the problem. We've fixed that script, and
also updated several other scripts to use a new
stdnse.filename_escape function for extra safety. This breaks our
record of never having a vulnerability in the 16 years that Nmap has
existed, but that's still a fairly good run. [David, Fyodor]
This is the site-local prefix deprecated by RFC 3879. Suggested by Marek
Majkowski, who noticed that the prefix was included in Tor's
tor_addr_is_internal_ function.
Removed some non-ANSI-C strftime format strings ("%F") and
locale-dependent formats ("%c") from NSE scripts and libraries.
C99-specified %F was noticed by Alex Weber
(http://seclists.org/nmap-dev/2013/q2/300)
http://seclists.org/nmap-dev/2013/q2/101
- Changed line termination from \r\0 to \r\n.
- Changed response to the telnet server ECHO "will" / "will not" from
outright "do not" to an agreement with whatever the server proposes
to make the script work with some daemons.
- Removed use of receive_lines(), which was causing either time-outs or
unnecessary connection tear-downs due to waiting on a line
termination. This change improved the script success rate and/or
performance (5x in some cases).
- Exposed the connection time-out value as a configurable parameter
(telnet-brute.timeout). It defaults to 5s.
- Improved handling of connection errors, which were occassionally
causing credential combinations to be skipped.
- Updated the logged-in status detection logic to make the script work
with some daemons.
- Avoided overlapping connections to make the script work with daemons
that allow only one connection at a time.
- Replaced a locally defined routine with stdnse.string_or_blank() for
printing out credentials. Changed printing of tested credentials in
the debug output to be consistent with script results.
- Script will now report if it senses password-only authentication.
- Implemented detailed debug messages (e.g. "Sending password") at
debug level 3 (configurable).
- Expanded the script documentation.
Kenneth Frazier reported that sometimes Nmap would use name servers from
inactive interfaces. Let's try checking the interface GUIDs against
those known by libpcap.
http://seclists.org/nmap-dev/2013/q1/292
At high scan rates, there was nothing to prevent trying to set or clear
socket descriptors above FD_SETSIZE, which is usually around 1024. I got
a reliable assertion failures with the command
nmap -sT -p- --min-rate 100000 scanme.nmap.org
The problem only affected -sT scans. A similar protection was added to
Nsock in r15808.
Fixed a bug that prevented Nmap from finding any interfaces when one
of them had the type ARP_HDR_APPLETALK; this was the case for
AppleTalk interfaces. However, This support is not complete
since AppleTalk interfaces use different size hardware addresses
than Ethernet. Nmap IP level scans should work without any problem,
please refer to the '--send-ip' switch and to the following thread:
http://seclists.org/nmap-dev/2013/q1/214
This bug was reported by Steven Gregory Johnson on IRC.
Compare to this similar test in Nmap's scan_engine.cc:
if (scantype != CONNECT_SCAN && Targets[0]->ifType() == devt_loopback) {
log_write(LOG_STDOUT, "Skipping %s against %s because Windows does not support scanning your own machine (localhost) this way.\n", scantype2str(scantype), Targets[0]->NameIP());
return;
}
rndbit made a report--unfortunately we con't fix it, but we can make the
error message clearer.
http://seclists.org/nmap-dev/2013/q1/187
