Mailing List Archive

Nessus 2.2.5 port_range initialisation bug
Hi,

while testing Nessus 2.2.5 using our existing nessusd.conf and an unchanged
.nessusrc generated by the 2.2.5 client, I encountered reproducible segfaults
at the start of the scan in dont_scan_printers.nasl, each of which was always followed
by a segfault in the parent process:

[Tue Jul 26 12:46:55 2005][14927] user scanner : launching dont_scan_printers.nasl against x.x.x.x [14939]
...
[Tue Jul 26 12:46:55 2005][14939] SIGSEGV occured !
[Tue Jul 26 12:46:55 2005][14927] Process 14939 seems to have died too early
...
[Tue Jul 26 12:46:55 2005][14927] SIGSEGV occured !
[Tue Jul 26 12:46:55 2005][14890] user scanner : test complete

We traced this as follows:

#0 0x402a0de8 in strcmp () from /lib/i686/libc.so.6
#1 0x40063c78 in getpts (origexpr=0x0, len=0xbfffdfd4) at scanners_utils.c:120
#2 0x4005cb6f in kb_get_port_state_proto (kb=0x403bd008, prefs=0x808eb18, portnum=7001, proto=0x8062b06 "tcp")
at plugutils.c:899
#3 0x08056dcb in get_closed_ports (kb=0x403bd008, ports=0x8757438, preferences=0x808eb18) at plugs_req.c:54
#4 0x080570d2 in requirements_plugin (kb=0x403bd008, plugin=0x88fd3c8, preferences=0x808eb18) at plugs_req.c:223
#5 0x0804c077 in launch_plugin (globals=0x874bb78, sched=0x87d2198, plugin=0x88fd3c8, hostname=0xbfffe718 "x.x.x.x",
cur_plug=0xbfffe5f8, num_plugs=8820, hostinfos=0x4007016d, kb=0x403bd008, new_kb=0) at attack.c:253
#6 0x0804c559 in attack_host (globals=0x874bb78, hostinfos=0x8925ff8, hostname=0xbfffe718 "x.x.x.x", sched=0x87d2198)
at attack.c:394
#7 0x0804c7de in attack_start (args=0x8925ff8) at attack.c:490

It turns out that this was due to port_range being uninitialised.
Adding this in SERVER_PREFS in the .nessusrc fixed the problem.

The value is set if nessusd.conf is generated from scratch, but if nessusd.conf
exists and does not contain the setting AND if the .nessusrc does not contain it
either, this crash will happen.

I would suggest that this and all other essential variables are initialised at
the point of use and ideally also saved to either nessusd.conf or the .nessusrc
automatically. It would also be nice if a warning was logged whenever
uninitialised variables are set and saved.
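As an added illustration of the "initialise at the point of use" suggestion (constructed for this archive, not code from Nessus or the reporter), a small C sketch: a preference lookup that substitutes a labelled default and logs a warning when port_range is absent from both config files, plus a simplified getpts-style port-range parser that rejects a NULL expression instead of passing it to strcmp(). The struct, function names, sample configs and the default range are all assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for nessusd.conf / .nessusrc key-value pairs (hypothetical, not Nessus code).
 * PREFS_MISSING lacks port_range (the case reported above); PREFS_SET has it. */
struct pref { const char *name; const char *value; };
const struct pref PREFS_MISSING[] = { {"max_hosts", "30"}, {"max_checks", "10"} };
const struct pref PREFS_SET[]     = { {"max_hosts", "30"}, {"port_range", "1-1024,7001"} };
#define DEFAULT_PORT_RANGE "1-15000"   /* assumed default; the real daemon's value may differ */
int g_warnings = 0;                    /* how often a missing value had to be defaulted */

static const char *pref_get(const struct pref *prefs, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(prefs[i].name, name) == 0) return prefs[i].value;
    return NULL;   /* absent from both files: this is the NULL that reached strcmp() */
}

/* Initialise at the point of use: never pass a NULL onwards, and record that in the log. */
const char *port_range_or_default(const struct pref *prefs, size_t n)
{
    const char *v = pref_get(prefs, n, "port_range");
    if (v != NULL && *v != '\0') return v;
    g_warnings++;
    fprintf(stderr, "warning: port_range not set in any config, using %s\n", DEFAULT_PORT_RANGE);
    return DEFAULT_PORT_RANGE;
}

/* Simplified getpts-style parser for "a-b,c" lists: marks ports[] and returns the number of
 * distinct ports, or -1 on NULL or malformed input instead of crashing. */
int parse_port_range(const char *expr, unsigned char *ports, size_t nports)
{
    if (expr == NULL || ports == NULL) return -1;
    memset(ports, 0, nports);
    int count = 0;
    for (const char *p = expr; *p; ) {
        char *end;
        long lo = strtol(p, &end, 10), hi = lo;
        if (end == p) return -1;                                   /* no digits */
        if (*end == '-') { p = end + 1; hi = strtol(p, &end, 10); if (end == p) return -1; }
        if (lo < 1 || hi >= (long)nports || lo > hi) return -1;    /* out of range or reversed */
        for (long i = lo; i <= hi; i++) if (!ports[i]) { ports[i] = 1; count++; }
        if (*end == ',') end++; else if (*end) return -1;          /* stray character */
        p = end;
    }
    return count;
}

/* Wrapper with its own port map so callers only pass the expression. */
int count_ports(const char *expr)
{
    static unsigned char ports[65536];
    return parse_port_range(expr, ports, sizeof ports);
}
```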


--
Hubert Seiwert

Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom

Web: www.westpoint.ltd.uk
Tel: +44-161-2371028