reassign 412544 nessus-core
thanks

On Mon, Feb 26, 2007 at 07:19:41PM +0100, José Miguel Holguin Aparicio wrote:
> package: libc6
> version: 2.3.6.ds1-11
>
> When I invoke nessus with args:
>
> $nessus -q ip port user pass /tmp/host /tmp/host.nbe -T nbe
>
> Result:
> *** The plugins that have the ability to crash remote services or hosts
> have been disabled. You should activate them if you want your security
> audit to be complete
> Segmentation fault.
>
> More information with gdb:
> *** The plugins that have the ability to crash remote services or hosts
> have been disabled. You should activate them if you want your security
> audit to be complete
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00002b70565db5b0 in strlen () from /lib/libc.so.6
>
> (gdb) info stack
> #0  0x00002b70565db5b0 in strlen () from /lib/libc.so.6
> #1  0x00002b70565ad4bc in vfprintf () from /lib/libc.so.6
> #2  0x00002b70565cd72a in vsnprintf () from /lib/libc.so.6
> #3  0x0000000000403949 in network_printf (data=0x429110 "%s <|> %s\n") at auth.c:100
> #4  0x000000000040467c in cli_send_prefs_arglist (pref=0x21bda90, upload=0x7fff5536da88, pprefs=<value optimized out>) at comm.c:604
> #5  0x0000000000404941 in comm_send_preferences (preferences=<value optimized out>) at comm.c:630
> #6  0x0000000000409849 in attack_host (hostname=0x244fe60 "192.168.0.2", preferences=0x573050) at attack.c:162
> #7  0x00000000004068a1 in cli_test_network (cli=0x5730b0) at cli.c:448
> #8  0x0000000000424c64 in main (argc=<value optimized out>, argv=0x7fff5536dc88) at nessus.c:1273
> (gdb) select-frame 3
> (gdb) list auth.c:100
> 95        va_start(param, data);
> 96
> 97
> 98        for(;;)
> 99        {
> 100         r = vsnprintf(buffer, s - 1, data, param);
> 101         if(r >= 0 && r < s)break;
> 102         s = r > s ? r + 2 : s * 2;
> 103         buffer = erealloc(buffer, s);
> 104       }
> (gdb)
> 105       len = strlen(buffer);
> 106       while(n < len)
> 107       {
> 108         int m = 0;
> 109         int size = 1024;
> 110         /* send by packets of 1024 bytes due to a bug in libpeks */
> 111         while(m < size)
> 112         {
> 113           int e;
> 114           if((len - m - n) < size)size = len - m - n;
> (gdb) print buffer
> $2 = 0x244ff10 " <|> n_set <|> 20614;17264;22025;20935;15212;16206;24162;21608;20308;21825;24145;17062;15077;22330;16735;19787;23551;18613;20572;18302;11511;11500;21207;14761;19806;20728;17022;17593;23540;20525;13584"...
>
> I am using kernel 2.6.18-2-amd64 GNU/Linux and nessus 2.2.9.

The strlen is not to compute the strlen of the buffer, but to compute the strlen of the format arguments of the vsnprintf called in network_printf (newsflash: to actually expand a %s you have to run strlen on the arguments). It's pretty obvious that one of the arguments is not \0 terminated, making strlen fail. It's definitely not a libc bug.

--
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
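The point of the reply, as an added example that is not nessus-core code and not part of the bug thread: when the value comes from a fixed-width field that carries no terminator, pass its length through "%.*s" so vsnprintf() has no reason to call strlen() on it. The names format_alloc, pref_line and pref_line_cstr are invented for this example; the grow-and-retry loop follows the shape of network_printf() in auth.c.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Grow-and-retry formatting in the shape of network_printf() from auth.c,
 * rewritten for this example: the va_list is va_copy()'d on every pass
 * because a va_list already consumed by vsnprintf() cannot be reused. */
static char *format_alloc(const char *fmt, ...)
{
    size_t size = 64;                       /* initial guess, grows on demand */
    char *buf = malloc(size);
    va_list ap;

    if (buf == NULL)
        return NULL;
    va_start(ap, fmt);
    for (;;) {
        va_list aq;
        va_copy(aq, ap);
        int r = vsnprintf(buf, size, fmt, aq);
        va_end(aq);
        if (r < 0) { free(buf); buf = NULL; break; }   /* encoding error */
        if ((size_t)r < size)               /* fit, NUL included */
            break;
        size = (size_t)r + 1;               /* exact size; next pass fits */
        char *tmp = realloc(buf, size);
        if (tmp == NULL) { free(buf); buf = NULL; break; }
        buf = tmp;
    }
    va_end(ap);
    return buf;
}

/* Build a "name <|> value\n" preference line from a value that lives in a
 * fixed-width field with no terminator. "%.*s" hands the length to
 * vsnprintf() explicitly, so it never has to run strlen() on the field. */
char *pref_line(const char *name, const char *field, size_t field_len)
{
    return format_alloc("%s <|> %.*s\n", name, (int)field_len, field);
}

/* Wrapper for values the caller knows to be NUL-terminated. */
char *pref_line_cstr(const char *name, const char *value)
{
    return pref_line(name, value, strlen(value));
}
```

The caller frees the returned string; a NULL return means allocation or encoding failed.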