nmap-dev logo

Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

[NSE patch] patch for print_debug calls in scripts without proper formatstring


From: Sven Klemm <sven () c3d2 de>
Date: 2008年8月25日 09:58:11 +0200

Hi,
the stdnse.print_debug() function unlike the normal lua print() function expects a format specifier similar to string.format(). There are a few scripts which pass non-static data directly to print_debug leading to "format string vulnerabilities". When lua encounters any % with unknown conversion specifier or any conversion specifier with unmatched argument given to the print_debug() call script execution will stop.
The attached patch fixes the affected scripts.
Cheers,
Sven
--
Sven Klemm
http://cthulhu.c3d2.de/~sven/
Index: scripts/SQLInject.nse
===================================================================
--- scripts/SQLInject.nse (revision 9714)
+++ scripts/SQLInject.nse (working copy)
@@ -240,8 +240,7 @@
 end
 
 if #injectable > 0 then
- stdnse.print_debug(1, id .. ": Testing " .. #injectable .. 
- " suspicious URLs")
+ stdnse.print_debug(1, "%s: Testing %d suspicious URLs", id, #injectable )
 end
 
 -- test all potentially vulnerable queries
Index: scripts/bruteTelnet.nse
===================================================================
--- scripts/bruteTelnet.nse (revision 9714)
+++ scripts/bruteTelnet.nse (working copy)
@@ -65,8 +65,7 @@
 end
 
 i = i + 1
- stdnse.print_debug(3, id .. " " .. 
- userpass[i-1][1] .. ":" .. escape_cred(userpass[i-1][2]))
+ stdnse.print_debug(3, "%s %s:%s", id, userpass[i-1][1], escape_cred(userpass[i-1][2]))
 return userpass[i-1][1], userpass[i-1][2]
 end
 end
Index: scripts/showHTMLTitle.nse
===================================================================
--- scripts/showHTMLTitle.nse (revision 9714)
+++ scripts/showHTMLTitle.nse (working copy)
@@ -37,7 +37,7 @@
 if data.status == 301 or data.status == 302 then
 local url = url.parse( data.header.location )
 if url.host == host.targetname or url.host == ( host.name ~= '' and host.name ) or url.host == host.ip 
then
- stdnse.print_debug("showHTMLTitle.nse: Default page is located at " .. url.scheme.. "://" .. 
url.authority .. url.path)
+ stdnse.print_debug("showHTMLTitle.nse: Default page is located at %s://%s%s", url.scheme, 
url.authority, url.path)
 data = http.get( host, port, url.path )
 end
 end
Index: scripts/SMTPcommands.nse
===================================================================
--- scripts/SMTPcommands.nse (revision 9714)
+++ scripts/SMTPcommands.nse (working copy)
@@ -80,7 +80,7 @@
 resultEHLO = try(socket:receive_lines(1))
 
 if not (string.match(resultEHLO, "^250")) then
--- stdnse.print_debug("1",resultEHLO)
+-- stdnse.print_debug("1","%s",resultEHLO)
 -- stdnse.print_debug("1","EHLO with errors or timeout. Enable --script-trace to see what is happening.")
 resultEHLO = ""
 end
@@ -100,7 +100,7 @@
 resultHELP = try(socket:receive_lines(1))
 
 if not (string.match(resultHELP, "^214")) then
--- stdnse.print_debug("1",resultHELP)
+-- stdnse.print_debug("1","%s",resultHELP)
 -- stdnse.print_debug("1","HELP with errors or timeout. Enable --script-trace to see what is happening.")
 resultHELP = ""
 end
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org 

Previous By Date Next
Previous By Thread Next

Current thread:

AltStyle によって変換されたページ (->オリジナル) /