Date: Mon, 18 Apr 2011 02:21:34 +0100
From: Djalal Harouni <tixxdz@...ndz.org>
To: owl-dev@...ts.openwall.com
Subject: Re: Nmap 5.51

On 2011-03-16 18:55:55 +0300, Solar Designer wrote:
> Vasiliy,
>
> Now that OpenVZ has re-labeled their latest "testing" kernel (the one we
> have in Owl-current) as "stable", I intend to get lots of stuff from
> Owl-current into Owl 3.0-stable, including even the Nmap update. (The
> OpenSSL update will be a major exception to this.)
>
> And it feels wrong to do that for Nmap 5.50, when the Nmap project has
> released 5.51, which is a bugfix-only update (and thus is more "stable").
>
> Can you please update the Nmap package in Owl-current to 5.51 now?
> This should be quick and easy.
>
> http://seclists.org/nmap-dev/2011/q1/518

Hi,

I was reviewing the Owl Nmap patch to drop privileges, and I've noticed
that the Script Pre-scanning phase will run before dropping privileges,
actually there are two issues.

Some background:
The Script Pre-scanning phase is a new NSE (Nmap Scripting Engine) scan
phase which occurs before Nmap starts classic scanning. Scripts in this
phase can do host/network discovery stuff (broadcast ...) and add the
discovered targets to the Nmap scanning queue. There is even a new
committed script 'target-sniffer.nse' to push sniffed targets into the
Nmap queue.

Currently in the nmap-trunk more than 10 scripts will run during this
script scan phase.

1) I think that privileges should be dropped before any scan.

2) Some (perhaps all) Pre-scanning scripts will not work with this patch
since they need some info (network interfaces ...) which is not
available at that time.

The pre-scanning phase should not be moved, but you can move the
open_nse() call if you want to initialize NSE before drop_priv().

I want to contribute to Owl, so let me know if you want me to adjust the
patch, or if you have some other suggestions.

Thx.

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/nmap/nmap-5.51-alt-owl-drop-priv.diff

--
tixxdz
http://opendz.org
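Added example, not part of the original message and not Nmap or Owl code: a minimal C sketch of the ordering the message asks for, where engine initialization may happen while privileged but every scan phase, the pre-scan included, is refused until a verified privilege drop has happened. All function names, the phase enum and the fallback id 65534 are assumptions made for illustration; a Linux/glibc build is assumed.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum phase { PHASE_PRESCAN, PHASE_SCAN };

static int engine_ready;   /* set by init_engine() */
static int privs_dropped;  /* set only after a verified drop */

/* Hypothetical stand-in for engine setup that is allowed to run before the drop. */
int init_engine(void) { engine_ready = 1; return 0; }

/* Permanently switch to uid/gid; returns 0 only if the drop could be verified. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                              /* staying root is not a drop */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                              /* clear supplementary groups */
    if (setgid(gid) != 0)                       /* group first, while still allowed */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)      /* regaining root must fail */
        return -1;
    privs_dropped = 1;
    return 0;
}

/* Every scan phase goes through this gate, so none can run while privileged. */
int run_phase(enum phase p)
{
    static const char *names[] = { "pre-scan", "scan" };
    if (!engine_ready || !privs_dropped) {
        fprintf(stderr, "refusing %s phase: privileges not dropped\n", names[p]);
        return -1;
    }
    printf("%s phase running as uid %d\n", names[p], (int)getuid());
    return 0;
}

int main(void)
{
    /* Assumption: 65534 is an unprivileged id on this system. */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();
    if (init_engine() != 0 || drop_privileges(uid, gid) != 0) return 1;
    if (run_phase(PHASE_PRESCAN) != 0) return 1;
    return run_phase(PHASE_SCAN) != 0;
}
```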