Mailing List Archive

Misuse of string()
It appears many existing NASL scripts use string() to concatenate strings.
Just grep them for ``[^_]string\([^)]*,'' and you'll see. But this is
wrong! string() interprets escape sequences (namely \n) in its parameters,
ergo the result of

x = "\n";
y = string(x, x);

will be two newlines in y, not "\n\n". Fortunately, in most of the cases,
backslashes are quite unlikely to appear in the values being passed to
string(), nevertheless, there are some scripts where less or more serious
problems might happen--here is an incomplete list:

NDS_Object_Enum.nasl X.nasl bftpd_format_string.nasl
cisco_ssh_multiple_vulns.nasl dcetest.nasl (*)
dns_xfer.nasl ftp_glob_overflow.nasl logins.nasl
netbios_name_get.nasl silverstream_database.nasl
smb_enum_services.nasl smb_reg_hklm.nasl snmp_vacm.nasl
webmirror.nasl smb_nt.inc

(*) dcetest.nasl is completely broken, I am rewriting it from scratch

--Pavel Kankovsky aka Peak
"Welcome to the Czech Republic. Bring your own lifeboats."
Re: Misuse of string()
Thanks Pavel...

[root@john root]# diff -c dns_xfer.nasl dns_xfer.nasl.patched
*** dns_xfer.nasl Wed Sep 4 15:00:53 2002
--- dns_xfer.nasl.patched Wed Sep 4 23:16:05 2002
***************
*** 158,172 ****

len = len_hi * 256;
len = len + len_lo;
- incoming = "";
- # don't want an infinite loop, if answer is illegal
if (len < 0) exit(0);
- # only interessted in incoming[7]
if (len > 8) len = 8;
! while(strlen(incoming) < len)
! {
! incoming = string(incoming, recv(socket:soctcp,length:len));
! }

if( (ord(incoming[7])) >= 0x01) { # Is ANCOUNT == 1
security_warning(53);
--- 158,166 ----

len = len_hi * 256;
len = len + len_lo;
if (len < 0) exit(0);
if (len > 8) len = 8;
! incoming = recv(socket:soctcp, length:len);

if( (ord(incoming[7])) >= 0x01) { # Is ANCOUNT == 1
security_warning(53);
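Review bot: the single `recv(socket:soctcp, length:len)` in the new version can return fewer than `len` bytes, and the removed `while(strlen(incoming) < len)` loop was the only thing guaranteeing the buffer was that long before `incoming[7]` is read in the ANCOUNT test; check `strlen(incoming) > 7` before that line (or ask recv() for a minimum length, as suggested later in the thread) so a short reply from a broken server is not read past its end. The two comments explaining the `len` bounds (`# don't want an infinite loop, if answer is illegal`, `# only interessted in incoming[7]`) are also dropped by the patch and are worth keeping, as the bounds themselves survive.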




John Lampe
https://f00dikator.hn.org/

"Knowledge will forever govern ignorance, and a people who mean to be their
own governors, must arm themselves with the power knowledge gives. A popular
government without popular information or the means of acquiring it, is but
a prologue to a farce or a tragedy or perhaps both."
--James Madison
Re: Misuse of string()
"Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz> writes:

> It appears many existing NASL scripts use string() to concatenate strings.

c=a+b; works and should be used instead, right.

However, there is something I do not understand

$ cat /tmp/xxx.nasl
A="haha\\n";
AA=string(A); # \\n --> \n
AAA=string(AA); # \n --> LF
display("A =",A, "\n");
display("AA =",AA, "\n");
display("AAA=",AAA, "\n");
$ nasl -t localhost /tmp/xxx.nasl
A =haha\n
AA =haha\n
AAA=haha\n
$

--
mailto:arboi@bigfoot.com
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/
Re: Misuse of string()
"John Lampe" <j_lampe@bellsouth.net> writes:

> ! incoming = recv(socket:soctcp, length:len);

A good reason for this patch is that it will be much quicker if the
remote server is really broken.
Adding "min: len" cannot hurt either.
Re: Misuse of string()
OK, got it, that's the magic flag STR_PURIFIED

$ cat /tmp/xxx.nasl
A="haha\\n";
AA=string(A); # Now AA is "purified"
B=AA+""; # B is no more
AAA=string(B); # So we change \n to LF
display("A =",A, "\n");
display("AA =",AA, "\n");
display("AAA=",AAA, "\n");
$ nasl -t localhost /tmp/xxx.nasl
A =haha\n
AA =haha\n
AAA=haha

$

As display() calls string(), this explains why the 1st & 2nd display
are identical.
IMHO, this behaviour is not great.

Following the discussions on the risk factor and the translation
problems, maybe we should launch a TODO list for NASL enhancements in
the next major version?
Renaud?
Re: Misuse of string()
"Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz> writes:

> will be two newlines in y, not "\n\n". Fortunately, in most of the cases,
> backslashes are quite unlikely to appear in the values being passed to
> string(), nevertheless, there are some scripts where less or more serious
> problems might happen--here is an incomplete list

A quick & dirty way to fix this would be that recv() (and similar
functions) returns a "purified" string.
Would this break something else?
Re: Misuse of string()
On Thu, Sep 05, 2002 at 09:11:46AM +0200, Michel Arboi wrote:
> "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz> writes:
>
> > will be two newlines in y, not "\n\n". Fortunately, in most of the cases,
> > backslashes are quite unlikely to appear in the values being passed to
> > string(), nevertheless, there are some scripts where less or more serious
> > problems might happen--here is an incomplete list
>
> A quick & dirty way to fix this would be that recv() (and similar
> functions) returns a "purified" string.
> Would this break something else?

No it would not, I'll fix that (or maybe you do it :)


-- Renaud
Re: Misuse of string()
On 5 Sep 2002, Michel Arboi wrote:

> "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz> writes:
>
> > It appears many existing NASL scripts use string() to concatenate strings.
>
> c=a+b; works and should be used instead, right.

Not good enough:

a = "0";
b = "1";
display(a + b, "\n");

returns 1 not 01

Apparently, this is the only safe way to concatenate two strings
of arbitrary binary data (unless I know both values are purified):

r = "";
# append one byte at a time; raw_string() output is not re-interpreted by string()
for (__i = 0; __i < strlen(a); __i = __i + 1)
r = string(r, raw_string(ord(a[__i])));
for (__i = 0; __i < strlen(b); __i = __i + 1)
r = string(r, raw_string(ord(b[__i])));

Or am I wrong?

--Pavel Kankovsky aka Peak
"Welcome to the Czech Republic. Bring your own lifeboats."
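A Python model of the string() behaviour described in this thread (added here as an illustration; it is not NASL's own source): string() interprets escapes in every argument that does not already carry the "purified" flag and flags its result, "+" drops the flag, and the byte-wise concatenation from the post above stays safe. The escape set, the integer-addition rule for digit-only strings and the function names are assumptions made for the model.

```python
import re

# Assumed escape set for the model; the thread only shows \n, \r and \\.
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\"}


class NaslStr:
    """A NASL 1.x string value together with its STR_PURIFIED flag."""
    def __init__(self, data, purified=False):
        self.data, self.purified = data, purified


def interpret_escapes(s):
    # backslash-n (two characters) -> LF, two backslashes -> one; unknown sequences kept
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(0)), s)


def nasl_string(*args):
    # Purified arguments are copied verbatim, all others get escape interpretation.
    parts = [a.data if a.purified else interpret_escapes(a.data) for a in args]
    return NaslStr("".join(parts), purified=True)


def nasl_plus(a, b):
    # Models the thread's observation that "0" + "1" yields 1 (assumed rule: digit-only
    # operands are added as integers); in every case the purified flag is lost.
    if a.data.isdigit() and b.data.isdigit():
        return NaslStr(str(int(a.data) + int(b.data)))
    return NaslStr(a.data + b.data)


def raw_string(*codes):
    # raw_string() builds a purified string straight from byte values.
    return NaslStr("".join(chr(c) for c in codes), purified=True)


def display(*args):
    # display() goes through string(), which is why AA and AAA print the same.
    return nasl_string(*args).data


def safe_concat(a, b):
    # Pavel's byte-by-byte method: each piece is purified, so nothing is re-interpreted.
    r = NaslStr("")
    for s in (a, b):
        for ch in s.data:
            r = nasl_string(r, raw_string(ord(ch)))
    return r
```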
Re: Misuse of string()
On Wed, Sep 11, 2002 at 11:18:06AM +0200, Pavel Kankovsky wrote:
> On 5 Sep 2002, Michel Arboi wrote:
>
> > "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz> writes:
> >
> > > It appears many existing NASL scripts use string() to concatenate strings.
> >
> > c=a+b; works and should be used instead, right.
>
> Not good enough:
>
> a = "0";
> b = "1";
> display(a + b, "\n");
>
> returns 1 not 01
>
> Apparently, this is the only safe way to concatenate two strings
> of arbitrary binary data (unless I know both values are purified):
>
> r = "";
> for (__i = 0; __i < strlen(a); __i = __i + 1)
> r = string(__r, raw_string(ord(a[__i])));
> for (__i = 0; __i < strlen(b); __i = __i + 1)
> r = string(__r, raw_string(ord(b[__i])));

You can also explicitly purify the values using string() -

a = string("\\n"); # a equals to "\n"
b = string("\\r"); # b equals to "\r"

c = string(b,a); # c equals to "\r\n" (and not
# carriage return)
Re: Misuse of string()
On Wed, 11 Sep 2002, Renaud Deraison wrote:

> > Apparently, this is the only safe way to concatenate two strings
> > of arbitrary binary data (unless I know both values are purified):
[...]
> You can also explicitly purify the values using string() -
>
> a = string("\\n"); # a equals to "\n"
> b = string("\\r"); # b equals to "\r"

I see. Unfortunately, this purification method is not very usable unless
the string in question is a constant where I can double all backslashes
manually. :)

--Pavel Kankovsky aka Peak
"Welcome to the Czech Republic. Bring your own lifeboats."