Patch for find_in_path (plugutils.c)
Hi,

nmap.nasl was not launching nmap on one of our systems, even though it was
installed as /usr/bin/nmap. The cause was this (strace output):

strace.log.21456:access("/home/scanner/nmap", X_OK) = 0
...
strace.log.21457:execve("/home/scanner/nmap", ["nmap", "-n", "-P0", "-oG",
"/usr/local/nessus/var/nessus/tmp"..., "-sT"
, "-p", "1-65535", "--min_rtt_timeout", "71", "--max_rtt_timeout", "213",
...

It found, and tried to launch /home/scanner/nmap, but this is a directory and
not the nmap binary. Looking at the code for find_in_path in plugutils.c, it
only checks for execute permission, but doesn't check if it's actually a file,
so it will match on +x subdirectories called "nmap" within the path.

This bug would also stop the hydra, snmpwalk, etc. scanner plugins from working if you
happen to have directories with the names of the binaries in your path.

I've attached a patch which adds an S_ISREG test to see if it's a regular file,
which works fine for me (I only tested nmap.nasl).

--
Hubert Seiwert

Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom

Web: www.westpoint.ltd.uk
Tel: +44-161-2371028
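Added example, not code from the post or from Nessus's plugutils.c (which is not reproduced here): a minimal PATH walker that reproduces the behaviour the post describes (accept anything access(X_OK) says yes to, which includes a +x directory) beside the S_ISREG-checked version the patch description calls for. The function names, the walk_path helper and the temporary-directory fixture are all my own assumptions for illustration; the fixture builds a PATH whose first entry holds a directory called "nmap" and whose second holds an executable file called "nmap", mirroring the /home/scanner/nmap case.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk a colon-separated PATH and return a malloc'ed "<dir>/<name>" for the
 * first entry that "accept" approves, or NULL. Caller frees the result.
 * (Assumed helper; the real find_in_path is not reproduced here.) */
static char *walk_path(const char *name, const char *path,
                       int (*accept)(const char *))
{
    char candidate[PATH_MAX];
    const char *p = path;

    while (p && *p) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);

        if (len > 0 && len + 1 + strlen(name) < sizeof candidate) {
            snprintf(candidate, sizeof candidate, "%.*s/%s", (int)len, p, name);
            if (accept(candidate))
                return strdup(candidate);
        }
        if (!colon)
            break;
        p = colon + 1;
    }
    return NULL;
}

/* Behaviour the post reports: access(X_OK) alone is the test, and X_OK on a
 * directory means "searchable", so a +x directory named like the binary wins. */
static int accept_executable_only(const char *f)
{
    return access(f, X_OK) == 0;
}

/* Fixed test: require a regular file that is also executable. stat() follows
 * symlinks, so a symlink pointing at a real binary is still accepted. */
static int accept_regular_executable(const char *f)
{
    struct stat st;
    return stat(f, &st) == 0 && S_ISREG(st.st_mode) && access(f, X_OK) == 0;
}

char *find_in_path_buggy(const char *name, const char *path)
{
    return walk_path(name, path, accept_executable_only);
}

char *find_in_path_fixed(const char *name, const char *path)
{
    return walk_path(name, path, accept_regular_executable);
}

/* Constructed fixture: <tmp>/bin1/nmap is a directory, <tmp>/bin2/nmap is an
 * executable script. Returns a malloc'ed PATH "<tmp>/bin1:<tmp>/bin2". */
char *make_fixture_path(void)
{
    char base[] = "/tmp/findpathXXXXXX";
    char buf[PATH_MAX];
    int fd;

    if (!mkdtemp(base))
        return NULL;
    snprintf(buf, sizeof buf, "%s/bin1", base);      mkdir(buf, 0755);
    snprintf(buf, sizeof buf, "%s/bin1/nmap", base); mkdir(buf, 0755); /* the trap */
    snprintf(buf, sizeof buf, "%s/bin2", base);      mkdir(buf, 0755);
    snprintf(buf, sizeof buf, "%s/bin2/nmap", base);
    fd = open(buf, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0 || write(fd, "#!/bin/sh\n", 10) < 0)
        return NULL;
    close(fd);

    char *path = malloc(2 * PATH_MAX);
    snprintf(path, 2 * PATH_MAX, "%s/bin1:%s/bin2", base, base);
    return path;
}

/* 1 if "s" ends with "suffix", used to check which PATH entry matched. */
int ends_with(const char *s, const char *suffix)
{
    size_t ls = s ? strlen(s) : 0, lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

int main(void)
{
    char *path = make_fixture_path();
    char *b = find_in_path_buggy("nmap", path);
    char *f = find_in_path_fixed("nmap", path);
    printf("buggy: %s\nfixed: %s\n", b ? b : "(none)", f ? f : "(none)");
    free(b); free(f); free(path);
    return 0;
}
```

Run stand-alone, the buggy lookup resolves to the bin1/nmap directory (the execve would then fail with EACCES, as in the strace), while the fixed lookup skips it and returns the bin2/nmap file; a name with no regular executable anywhere on the path yields NULL from the fixed version.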