Mailing List Archive

nessus client crash in x86-64
Hello list,

I have a problem with the nessus client when I invoke nessus with these args:

$nessus -q ip port user pass /tmp/host /tmp/host.nbe -T nbe

Result:
*** The plugins that have the ability to crash remote services or hosts
have been disabled. You should activate them if you want your security
audit to be complete
Segmentation fault.

Information from gdb:

*** The plugins that have the ability to crash remote services or hosts
have been disabled. You should activate them if you want your security
audit to be complete

Program received signal SIGSEGV, Segmentation fault.
0x00002b70565db5b0 in strlen () from /lib/libc.so.6

(gdb) info stack
#0 0x00002b70565db5b0 in strlen () from /lib/libc.so.6
#1 0x00002b70565ad4bc in vfprintf () from /lib/libc.so.6
#2 0x00002b70565cd72a in vsnprintf () from /lib/libc.so.6

#3 0x0000000000403949 in network_printf (data="" "%s <|> %s\n") at auth.c:100
#4 0x000000000040467c in cli_send_prefs_arglist (pref=0x21bda90, upload=0x7fff5536da88, pprefs=<value optimized out>) at comm.c:604
#5 0x0000000000404941 in comm_send_preferences (preferences=<value optimized out>) at comm.c:630
#6 0x0000000000409849 in attack_host (hostname=0x244fe60 "192.168.0.2", preferences=0x573050) at attack.c:162
#7 0x00000000004068a1 in cli_test_network (cli=0x5730b0) at cli.c:448
#8 0x0000000000424c64 in main (argc=<value optimized out>, argv=0x7fff5536dc88) at nessus.c:1273

(gdb) select-frame 3
(gdb) list auth.c:100
95 va_start(param, data);
96
97
98 for(;;)
99 {
100 r = vsnprintf(buffer, s - 1, data, param);
101 if(r >= 0 && r < s)break;
102 s = r > s ? r + 2 : s * 2;
103 buffer = erealloc(buffer, s);
104 }
(gdb)
105 len = strlen(buffer);
106 while(n < len)
107 {
108 int m = 0;
109 int size = 1024;
110 /* send by packets of 1024 bytes due to a bug in libpeks */
111 while(m < size)
112 {
113 int e;
114 if((len - m - n) < size)size = len - m - n;

(gdb) print buffer
$2 = 0x244ff10 " <|> n_set <|> 20614;17264;22025;20935;15212;16206;24162;21608;20308;21825;24145;17062;15077;22330;16735;19787;23551;18613;20572;18302;11511;11500;21207;14761;19806;20728;17022;17593;23540;20525;13584"...



I am using kernel 2.6.18-2-amd64 GNU/Linux, nessus 2.2.9 (source downloaded
from the official homepage and compiled) and libc6 2.3.6.ds1-11 (debian etch).

We have two machines with amd64 and debian etch; the problem occurs on both
machines.

=====================================================================

More information:

The value of s and param are :

(gdb) select-frame 3
(gdb) print s
$1 = 82572
(gdb) print param
$2 = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fff8aa54480, reg_save_area = 0x7fff8aa543a0}}

(gdb)


(gdb) bt full
#0 0x00002b2a20ef35b0 in strlen () from /lib/libc.so.6
No symbol table info available.
#1 0x00002b2a20ec54bc in vfprintf () from /lib/libc.so.6
No symbol table info available.
#2 0x00002b2a20ee572a in vsnprintf () from /lib/libc.so.6
No symbol table info available.
#3 0x0000000000403949 in network_printf (data="" "%s <|> %s\n") at auth.c:100
        param = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff8aa54480, reg_save_area = 0x7fff8aa543a0}}
        r = <value optimized out>
        s = 82572
        buffer = 0x2573f90 " <|> n_set <|> 20614;17264;22025;20935;15212;16206;24162;21608;20308;21825;24145;17062;15077;22330;16735;19787;23551;18613;20572;18302;11511;11500;21207;14761;19806;20728;17022;17593;23540;20525;13584"...
        len = <value optimized out>
        n = <value optimized out>
#4 0x000000000040467c in cli_send_prefs_arglist (pref=0x22ca590, upload=0x7fff8aa544d8, pprefs=<value optimized out>) at comm.c:604
No locals.
#5 0x0000000000404941 in comm_send_preferences (preferences=<value optimized out>) at comm.c:630
No locals.
#6 0x0000000000409849 in attack_host (hostname=0x2573ee0 "192.168.0.2", preferences=0x573050) at attack.c:162
        plug_list = 0x2b2a212d8010 "20614;17264;22025;20935;15212;16206;24162;21608;20308;21825;24145;17062;15077;22330;16735;19787;23551;18613;20572;18302;11511;11500;21207;14761;19806;20728;17022;17593;23540;20525;13584;15276;14256;21"...
        scans = <value optimized out>
        plugs = <value optimized out>
        serv_prefs = (struct arglist *) 0x5746e0
        num_plug = <value optimized out>
        num_scanners = <value optimized out>
#7 0x00000000004068a1 in cli_test_network (cli=0x5730b0) at cli.c:448
        target_list = 0x5b <Address 0x5b out of bounds>
#8 0x0000000000424c64 in main (argc=<value optimized out>, argv=0x7fff8aa546d8) at nessus.c:1273
        type = <value optimized out>
        be = <value optimized out>
        i = <value optimized out>
        myself = 0x7fff8aa55e90 "nessus"
        gui = 0
        output_type = 0x7fff8aa55ede "nbe"
        opt_m = 0
        list_sessions = 0
        list_plugins = 0
        list_prefs = 0
        sqlize_output = 0
        restore_session = 0
        session_id = 0x0
        arg = 0x7fff8aa55eb3 ""
        opt_V = 0
        opt_i = <value optimized out>
        opt_o = <value optimized out>
        inf = 0x0
        outf = 0x0
===================================================================


Thanks people for help.
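Added illustration (not code from the post above or from the Nessus 2.2.9 sources). My reading of the listed auth.c loop is that the same `param` is handed to `vsnprintf` on every iteration. On x86-64 `va_list` is an array type, so the callee advances the caller's list in place; once the first pass does not fit and the buffer is regrown, the second `vsnprintf` pulls arguments that were never passed and ends up calling `strlen` on garbage, which is what frames #0 to #3 show. The posted `gp_offset = 40` is consistent with exactly two passes: 8 for the one named argument (`data`), plus 2 x 8 for the two `%s` conversions, twice. The snippet below is the same grow-until-it-fits loop with a `va_copy` per pass; it also passes the full buffer size and tests `r < s`, instead of the original `s - 1` paired with `r < s`, which can accept a truncated result when `r == s - 1`. The names `format_alloc`, `pref_line` and `sample_plugin_list` are mine, and the plugin-ID list is a constructed sample, not a real Nessus plugin set.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Grow-until-it-fits formatter in the shape of the auth.c:100 loop, but with
 * a fresh va_copy for every vsnprintf pass.  A va_list consumed by one
 * vsnprintf must not be reused: on x86-64 va_list is an array type, so the
 * callee advances the caller's list in place and a second pass reads
 * arguments that were never passed (a garbage pointer fed to strlen).
 * `passes`, if non-NULL, receives the number of vsnprintf calls made so a
 * caller can confirm the regrow path ran.  Returns a malloc'd string or NULL. */
char *format_alloc(size_t initial, int *passes, const char *fmt, ...)
{
    size_t s = initial ? initial : 1;
    char *buffer = malloc(s);
    int n = 0;
    va_list ap;

    if (buffer == NULL)
        return NULL;
    va_start(ap, fmt);
    for (;;) {
        va_list copy;
        int r;

        va_copy(copy, ap);              /* unconsumed list for this pass */
        r = vsnprintf(buffer, s, fmt, copy);
        va_end(copy);
        n++;
        if (r < 0) {                    /* encoding error: give up */
            free(buffer);
            buffer = NULL;
            break;
        }
        if ((size_t)r < s)              /* it fit, NUL included */
            break;
        s = (size_t)r + 1;              /* exact size for the next pass */
        {
            char *tmp = realloc(buffer, s);
            if (tmp == NULL) {
                free(buffer);
                buffer = NULL;
                break;
            }
            buffer = tmp;
        }
    }
    va_end(ap);
    if (passes)
        *passes = n;
    return buffer;
}

/* Build one "name <|> value\n" preference line like the n_set line in the
 * posted backtrace.  A deliberately small initial buffer forces the regrow
 * path for any realistic plugin list. */
char *pref_line(const char *name, const char *value, int *passes)
{
    return format_alloc(64, passes, "%s <|> %s\n", name, value);
}

/* Constructed sample input: `ids` five-digit plugin IDs separated by ';',
 * long enough to overflow the 64-byte first buffer. */
char *sample_plugin_list(size_t ids)
{
    size_t i;
    char *list = malloc(ids * 6 + 1);   /* "NNNNN;" per id plus NUL */
    if (list == NULL)
        return NULL;
    list[0] = '\0';
    for (i = 0; i < ids; i++)
        sprintf(list + strlen(list), "%05zu;", (size_t)10000 + i);
    return list;
}

int main(void)
{
    int passes = 0;
    char *list = sample_plugin_list(40);
    char *line = list ? pref_line("n_set", list, &passes) : NULL;

    if (line == NULL)
        return 1;
    printf("%d vsnprintf pass(es), %zu bytes: %.40s...\n",
           passes, strlen(line), line);
    free(line);
    free(list);
    return 0;
}
```

With a 40-entry list the first pass reports 251 bytes against a 64-byte buffer, the buffer is regrown to 252 and the second pass, running on its own copy of the argument list, fills it correctly; the same two-pass shape is what the posted `s = 82572` and `gp_offset = 40` describe, except that there the second pass reused an already consumed list.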